How do I renew an expired SAML Auth Connector IDP self-signed certificate?

book

Article ID: 169257

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Troubleshooting scenarios:


 

Error:

  • Users receive an "Account Restricted" error page; Internet is inaccessible.
  • In the Portal: Service > Authentication > SAML >  Signing Certificate Chains > Self-signed certificate is expired.

Cause

Invalid Signing Certificate Chains configured.

Environment

Web Security Service

Resolution

Note: If you elect to use an existing certificate from your own CA, proceed to Step 2 to add new certificate.

Step 1:
For the Auth Connector service to regenerate the new self-signed certificate, remove the old (expired) self-signed cert from the Auth Connector folder and restart the Auth Connector service.

  1. Access the Auth Connector server.
  2. Open Windows Explorer.
  3. Go to Program Files > Blue Coat Systems > Auth Connector.
  4. The self-signed certificate is named saml-cert.cer.
  5. Delete or rename the expired self-signed certificate from the Auth Connector program folder (saml-cert.cer.old).
  6. Delete the existing certificate from the Certificate repository. This can be found here: Windows Certificates (Local Computer) > Personal > Certificates
    *Cert will end with "saml.auth".
  7. Restart the Auth Connector service, which generates the new, self-signed certificate (named saml-cert.cer). This certificate remains valid for 2 years from this day.

If certificate doesn't recreate automatically, the "CreateCertificate" value in file "C:\Program Files (x86)\Blue Coat Systems\BCCA\saml.ini" needs to be set to "1":
CreateCertificate=1


Step 2:

  1. Open the new self-sign certificate (saml-cert.cer) with a text editor.
  2. Copy the contents of the certificate, beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.
  3. Paste into the Portal: Service > Authentication > SAML >  Signing Certificate Chains > Add new certificate.
  4. Click Okay.

Users are now able to authenticate with a new self-signed certificate.