You can update the token decryption certificate or the Microsoft Federation Gateway certificate, as needed. Because the token decryption certificate is the SSL certificate for the Active Directory Rights Management Services (AD RMS) cluster, you must update the token decryption certificate if the cluster SSL certificate expires. After you update the token decryption certificate, you must grant the AD RMS Services group permission to access the certificate on all servers in the AD RMS cluster.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To update the token decryption certificate
  1. Log on to a server in the AD RMS cluster.

  2. Open the Active Directory Rights Management Services snap-in and expand the AD RMS cluster.

  3. Expand Trust Policies, and then click Microsoft Federation Gateway Support.

  4. In the pane, click Configure Microsoft Federation Gateway settings.

  5. In the Enroll Cluster with Microsoft Federation Gateway wizard, click Update Microsoft Federation Gateway Settings, select Update Token Decryption Certificate, and then click Browse.

  6. In the Select Certificate dialog box, select the SSL certificate of the AD RMS cluster, and then click Select. For information about which certificate to select, see Important considerations for installing AD RMS with Microsoft Federation Gateway Support.

  7. Click Next, and then click Finish.

  8. Perform the task described in Grant the AD RMS Service Group Permission to the SSL Certificate.
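After step 8, a check along the following lines confirms on every cluster node that the SSL certificate is present, is not close to expiry, and that the AD RMS service group has an explicit read entry on its private key file. This is an added example, not part of the original procedure. The node names, the thumbprint placeholder, the default group name and the use of PowerShell remoting are assumptions.

```powershell
# Added example (not from the original page). Node names and thumbprint are
# placeholders; the group name is an assumption. Requires PowerShell remoting.
param(
    [string[]]$ClusterNodes = @('RMS01', 'RMS02'),      # hypothetical node names
    [string]$Thumbprint     = '<SSL-CERT-THUMBPRINT>',  # placeholder
    [string]$ServiceGroup   = 'AD RMS Service Group',   # assumed local group name
    [int]$WarnDays          = 30
)

$check = {
    param($Thumbprint, $ServiceGroup, $WarnDays)
    $result = [ordered]@{
        Node = $env:COMPUTERNAME; CertFound = $false; NotAfter = $null
        ExpiresSoon = $null; KeyFile = $null; GroupCanRead = $false
    }
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if ($cert) {
        $result.CertFound   = $true
        $result.NotAfter    = $cert.NotAfter
        $result.ExpiresSoon = $cert.NotAfter -lt (Get-Date).AddDays($WarnDays)

        # Key file name: CNG keys expose Key.UniqueName, legacy CSP keys expose
        # CspKeyContainerInfo.UniqueKeyContainerName.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $name = if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $rsa.Key.UniqueName
        } elseif ($rsa) {
            $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        }
        if ($name) {
            $dirs = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
                    "$env:ProgramData\Microsoft\Crypto\Keys"
            $file = $dirs | ForEach-Object { Join-Path $_ $name } |
                    Where-Object { Test-Path $_ } | Select-Object -First 1
        }
        if ($file) {
            $result.KeyFile = $file
            $read = [System.Security.AccessControl.FileSystemRights]::Read
            # Look for an explicit Allow entry granting Read to the service group.
            $result.GroupCanRead = [bool]((Get-Acl $file).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -like "*\$ServiceGroup" -and
                ($_.FileSystemRights -band $read) -eq $read
            })
        }
    }
    [pscustomobject]$result
}

Invoke-Command -ComputerName $ClusterNodes -ScriptBlock $check -ArgumentList $Thumbprint, $ServiceGroup, $WarnDays |
    Format-Table Node, CertFound, NotAfter, ExpiresSoon, KeyFile, GroupCanRead -AutoSize
```

The check only looks for an explicit Allow entry naming the group; it does not evaluate Deny entries or access inherited through other group memberships. A node that reports `GroupCanRead` as `False` still needs the permission granted as described in step 8.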

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To update the Microsoft Federation Gateway certificate
  1. Log on to a server in the AD RMS cluster.

  2. Open the Active Directory Rights Management Services snap-in and expand the AD RMS cluster.

  3. Expand Trust Policies, and then click Microsoft Federation Gateway Support.

  4. In the pane, click Configure Microsoft Federation Gateway settings.

  5. In the Enroll Cluster with Microsoft Federation Gateway wizard, click Update Microsoft Federation Gateway Settings, select Update Microsoft Federation Gateway Certificate, and then click Next.

  6. Click Finish.
