Signing certificates for the OIDC and WsFed applications
The OIDC and WsFed applications require signing certificates. A certificate consists of the following items:
▪ a private key, which is used to sign responses.
▪ a public key, which can be used to verify the signed response.
Together, these keys prove to clients that the response was generated by the OIDC or WsFed application.
Signing certificates
Suitable signing certificates are installed by default. Those signing certificates have an expiry of one year from the installation date; after that, they must be manually updated (see To generate a new certificate). Self-signed certificates are acceptable if they are trusted by the local computer.
The signing certificates are stored in the “Personal” certificate store of the local computer. To view the certificates, do one of the following:
▪ Run the “certlm” tool from the console.
▪ Run the “mmc” tool, and then add the “Certificates” snap-in for the local computer.
Under the \Personal\Certificates store, there are two certificates with “friendly name” values of “IntelligenceOidc” and “IntelligenceWsFed”. The certificates which the applications use are determined by the “OidcSigningCertificate” and “WsFedSigningCertificate” properties in DPM, under \Site\Properties\Oidc; they specify the “thumbprint” of the certificate. To see the thumbprint value for a certificate, double-click the certificate in the certificate store, click the Details tab, and then go to the Thumbprint field.
To generate a new certificate
1 Open the Certificates Manager by using the certlm or mmc commands.
2 Under \Personal\Certificates, delete the “IntelligenceOidc” and “IntelligenceWsFed” certificates.
3 In the IIS Manager, select the server, and then double‑click Server Certificates.
4 In the Actions pane, click Create Self-Signed Certificate.
5 Specify a friendly name of “IntelligenceOidc”, leave the certificate store set to “Personal”, and then click OK.
6 Repeat steps 4 and 5 to create the “IntelligenceWsFed” certificate.
7 Return to the Certificate Manager application, and then refresh the \Personal\Certificates store.
8 For both certificates, right‑click the certificate, click All Tasks > Manage Private Keys, and then assign Read permission for the app pool running the OIDC and WsFed applications. This is normally “IIS AppPool\UIAPIServerPool” and “IIS AppPool\SPSSDimensionNetPool” respectively.
9 For both certificates, double‑click the certificate, click the Details tab, and then copy the value of the Thumbprint field into the OidcSigningCertificate or WsFedSigningCertificate DPM property as appropriate. Remove any spaces from the Thumbprint value before setting the value in DPM.
10 Restart IIS, or the app pools that are running the OIDC and WsFed applications.
Using dual certificates
The OIDC application supports dual certificates. The private key of the certificate specified by the “OidcSigningCertificate” DPM property is used to sign the JSON web token, but the public keys of both the “OidcSigningCertificate” and “OidcSecondarySigningCertificate” certificates are used when verifying the JSON web token. This allows a new certificate with a later expiry to be generated and set as OidcSigningCertificate while the existing certificate is kept as OidcSecondarySigningCertificate, so that any JSON web token issued with the previous certificate still validates.
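The following Go program is an added illustration of the dual-certificate scheme described above; it is not code from the product. It models the two certificates as raw RSA key pairs (a real deployment reads them from the certificate store by thumbprint) and shows that a token signed with the previous key is still accepted once that key is configured as the secondary verification key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Fixed JOSE header; Verify accepts only this exact value, so a token cannot select an algorithm.
var header = base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))

// Sign issues a compact RS256 token with the primary (OidcSigningCertificate) key.
func Sign(key *rsa.PrivateKey, claims string) (string, error) {
	input := header + "." + base64.RawURLEncoding.EncodeToString([]byte(claims))
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify accepts a token signed by any configured certificate: primary first, then secondary.
func Verify(token string, keys []*rsa.PublicKey) (string, error) {
	p := strings.Split(token, ".")
	sig, err := base64.RawURLEncoding.DecodeString(p[len(p)-1]) // Split never returns an empty slice
	if len(p) != 3 || p[0] != header || err != nil {
		return "", fmt.Errorf("malformed token or unexpected header")
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	for _, pub := range keys {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			claims, err := base64.RawURLEncoding.DecodeString(p[1])
			return string(claims), err
		}
	}
	return "", fmt.Errorf("signature matches no configured signing certificate")
}

func main() {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048) // key behind the expiring certificate
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048) // key behind the newly generated one
	tok, _ := Sign(oldKey, `{"sub":"alice"}`)       // token issued before the rotation
	_, err := Verify(tok, []*rsa.PublicKey{&newKey.PublicKey, &oldKey.PublicKey})
	fmt.Println("token from the previous certificate still accepted:", err == nil) // true
}
```

Once every token issued with the previous certificate has expired, the secondary key can be dropped from the verification set; until then, removing it would invalidate those tokens.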