When a certificate expires, it will either be renewed or replaced. In both cases, LiveContent Architect and ADFS needs to be updated to use the new certificate. The certificates are used in 2 places:

1. ADFS
2. IIS/Architect (Internet information Services)

The resolution was written for Live content Architect 10.X and ADFS 2.0. it has the following  sections: 

• Updating the Token-Signing certificate in ADFS
• Update the Token-Decrypting certificate in ADFS
• Update the Service Communication certificate in ADFS
• Create a Self-Signed certificate with Customizable Common name
• Allow the AD FS 2.0 Service user to access the private Key
• Update Certificate in IIS/Architect

1. Updating the certificate in ADFS

1. Logon to the ADFS server (this can be the same server as the LiveContent Architect server)
2.   Open AD FS 2.0
3. Expand Services > Certificates
4. In the Action Pane, on the right side, click Add Token-Signing Certificate
   
5. If you receive the following message, execute the following steps first
   
    
   1. Open Powershell with Administrative Rights

   2. Enter the following arguments:

      Add-PSSnapin Microsoft.ADFS.PowerShell <Enter> Set-ADFSProperties -autoCertificateRollOver $false

6. A new, Secondary certificate will be created.
7. When preferred, you can set the new generated certificate as Primary by clicking  "Set as Primary" in the Action Pain
8. Check if the Token-Decrypting is expired and if necessary update it. You can do that by clicking Add Token-Decrypting Certificate
9. Check if the Service Communications Certificate is expired and if necessary update it. You can do that by clicking Set Service Communication certificate

It is important that the ADFS Service account is able to access the private key of the selected certificate in step 8 and 9. If you see the message below, make sure that you follow the steps: Allowing the Service account to access the private Key

Allowing the Service account to access the private Key:

1. Point to Start > Run
2. Enter MMC in the Run Dialogue to open the Microsoft Management Console
3. In Microsoft Management Console Point to File > Add/Remove Snapin
4. Select Certificates in the Available Snap-ins and Click add to add it to the Console
5. In the Certificates Snap-In Windows , Select Service Account and press Next
6. Select Local Computer and press Next
7. Select the AD FS 2.0 Windows Service account and press Finish
    
8. Press OK again in the Add or remove Snap-Ins dialogue
   
9.  In the overview Search for the Certificate that you have selected for ADFS
10. Go to the Actions Pane > More Actions > All Tasks > Manage Private Keys
    
11.  Make sure that network Service has read access on the Private Key
12.  

Creating a Self-Signed Certificate with a A different Subject Name

One of the issues with IIS is that we can click on Create Self-Signed certificate and it will create a SelfSiged Certificate for is. However the common name (CN) will be generated automatically. This might cause issues later on because LCA expects to find a unique CN certificate. In other words, if you have 2 certificates with the same CN, Architect will stop working.

To generate a Self-Signed Certificate, use the SelfSSL7.exe tool that is provided as an attachment on this KB

1. Download and copy the SelfSSL7.exe to the server where you want to generate the Self-Signed certificate

2. Execute the following Command:

   SelfSSL7.exe /T /N cn=ADFS_Token_Decrypting SelfSSL7.exe /T /N cn=ADFS_Service_Communications

    /T to add the certificate also to the user's certificate store so the SSL certificate is trusted by IE
    /N specifies the common name

1.2 Updating Livecontent Architect with the new certificate information

1.  Select in ADFS the new generated certificate and in the Actions Pane, click View Certificate
2. Click on the Details Tab and Locate Thumbprint

3. Copy the Thumbprint Value to your Clibboard. 

   When copying the Thumbprint value, be sure NOT to copy the hidden Control Character. The Control Character is located before the fist letter/number as indicated in the screen shot. It is marked with Blue
   

4. Paste the contents in a Text editor, for example Notepad

5. Remove all spaces between the characters. Do not close the file, you need this value for step 9
6. Logon to the Architect Server via Remote Desktop (This can be the same server as where ADFS has been installed on)
7. Open a File Explorer and navigate to \Infoshare\web\Author\ASP
8. Make a backup of the file web.config

9. Edit the web.config with a text editor and locate the line that contains the old thumb print

   <add thumbprint="<old thumbprint>" name="Issuer" />

   check for multiple copies

10. Change the thumbprint value with the new one (See step 5) and save the file
11. Navigate to \Infoshare\web\InfoshareWS\

12. Repeat step 8 - 9.

     The thumbprint might be located on multiple llines.

13. Open a command prompt with Admin Rights and execute IISRESET  to recycle Internet information Services

2 Updating the certificate in IIS

The HTTPS protocol is secured with a certificate. This certificate can also expire and when it does, the Relying Parties in ADFS need to be updated as well.

1. Open a Remote Desktop Connection to the Architect Server (this can be the same server as where ADFS is installed)
2. Open Internet Information Services
3. Expand <Computername> > Sites > Default Website
4. Right click on Default Website and choose Bindings
5. Select HTTPS and click Edit
   
6. Make sure that the correct certificate is selected from the dropdown.  
   
7. If you are unable to select a certificate,  follow the next procedure:
   1. In Internet Information Services, click on the computername
   2. In the Feature View (Middle Pane) open Server Certificate
   3. Either Create a Self-Signed Certificate (not recommended), Create a Domain Certificate or create Certificate Request
   4. repeat step 3 - 6 to make sure that the HTTPS protocol is using the correct certificate.
8. Once the correct certificate has been selected, Press View
9. Go to the Details Tab and click Copy to File
   
10. Click Next in the  Certificate Export Wizard
11. in the next window, Choose "No, Do not Export the private key" and press Next
12. Select DER Encoded Binary and press Next
13. In the Export Dialogue, click Browse
14. Browse to \InfoShare\App\Setup\STS\ADFS\scripts and store the certificate with filename Certificate.cer
15. Press Finish to complete The wizard
16. Click OK in the Edit Site Bindings Window and close the Site Bindings window

17. Open a powershell with admin Rights and execute the following Code (at the end of the line, Press Enter to execute that line)

    cd C:\InfoShare\App\Setup\STS\ADFS\Scripts Set-ExecutionPolicy Unrestricted Add-PSSnapin Microsoft.Adfs.PowerShell .\SDL.LiveContent.Architect-ADFSv2.0-RP-UnInstall .\SDL.LiveContent.Architect-ADFSv2.0-RP-Install.ps1 "C:\InfoShare\App\Setup\STS\ADFS\Scripts\certificate.cer" IISRESET

    Alternatively, if it's not possible to run Powershell scripts you can also follow the steps below to update the ADFS server:
    1. Stop ADFS service
    2. Update the replaying party by importing the new SSL cert into ADFS
    3. Start ADFS