Replacing an expired S2S (high-trust) certificate in SharePoint 2013

In SharePoint 2013, configuring your environment for high-trust apps involves a few manual steps. Part of this process is configuring a trusted token issuer in the form of a certificate, which is then used to create app tokens.

Then comes the day when your certificate expires. But don’t panic; it is fairly simple to replace your certificate. Of course, the ideal scenario is to complete this *before* the certificate expires, so set a reminder for next time!

Firstly, create a new certificate. You may need to request this from your organisation, but a self-signed certificate is fine for development environments (which requires that you turn off HTTPS with AllowOAuthOverHttp = true). Either way, you need both the CER and PFX files for your certificate. Copy the .CER to your SharePoint system.

At this point, let’s check the details of your existing root authorities by opening the SharePoint command prompt and running Get-SPTrustedRootAuthority. All of your trusted root authorities will be listed. Scroll down the list until you find your expired certificate:


The expired certificate above is called ‘s2s’. You can delete that one with the following command:

Remove-SPTrustedRootAuthority -Identity s2s


You’ll receive a confirmation message; press Y and Enter. If you run Get-SPTrustedRootAuthority again you’ll see it’s gone. The next step is to remove your old token issuer. Run the following command to get a list of your existing token issuers:



Note the name of your expired token issuer, and delete it by its name, pressing Y to confirm:

Remove-SPTrustedSecurityTokenIssuer -Identity "Custodian App"


Finally, it’s time to add your new certificate as both a trusted root authority and a token issuer. First, register the new trusted root authority:

$path = "C:\certs\s2s-certificate.cer"
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
New-SPTrustedRootAuthority -Name "S2S Certificate" -Certificate $certificate


And register the token issuer. Note that the Issuer ID, the GUID below, is specific to your app. Your Issuer ID is the same as your Client ID, if you have one token issuer per app.

$realm = Get-SPAuthenticationRealm
$issuerId = "4d25b859-5092-4306-8e7e-82fac0633413"
$fullIssuerId = $issuerId + '@' + $realm
New-SPTrustedSecurityTokenIssuer -Name "Custodian Cert" -Certificate $certificate -RegisteredIssuerName $fullIssuerId -IsTrustBroker


Now, configure your provider-hosted app with the new certificate. In Repstor custodian you need to modify the web.config to either include the path and password of your certificate PFX file, or preferably, the serial number. Your changes will be picked up within 24 hours, or immediately if you do an iisreset. Also, you may need to clear any existing user access tokens (based on the expired certificate) from your app cache if you have one.

And set a reminder for next year :-)
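
A scheduled check can back up that reminder. The script below is an added example, not part of the original post: it lists every trusted root authority and trusted security token issuer with the days left on its certificate, and exits non-zero if any is expired or close to expiry. The `$WarnDays` threshold and the `Get-CertStatus` helper are assumptions chosen for illustration.

```powershell
# Added example: report S2S certificates that are expired or near expiry.
# Run on a SharePoint 2013 server under an account with farm access.
param(
    [int]$WarnDays = 30   # assumed threshold; set it to your renewal lead time
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Hypothetical helper: turn one certificate into a report row.
function Get-CertStatus {
    param([string]$Kind, [string]$Name, $Certificate, [int]$WarnDays)

    $daysLeft = [math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
    $status = if ($daysLeft -lt 0) { 'EXPIRED' }
              elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
              else { 'OK' }

    New-Object PSObject -Property @{
        Kind       = $Kind
        Name       = $Name
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
}

# Collect both object types touched in the replacement procedure above.
# Entries without a certificate object are skipped rather than failing the run.
$report = @(
    Get-SPTrustedRootAuthority | Where-Object { $_.Certificate } | ForEach-Object {
        Get-CertStatus -Kind 'RootAuthority' -Name $_.Name `
            -Certificate $_.Certificate -WarnDays $WarnDays
    }
    Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.SigningCertificate } | ForEach-Object {
        Get-CertStatus -Kind 'TokenIssuer' -Name $_.Name `
            -Certificate $_.SigningCertificate -WarnDays $WarnDays
    }
)

$report | Sort-Object DaysLeft |
    Format-Table Kind, Name, Status, DaysLeft, NotAfter, Thumbprint -AutoSize

# Non-zero exit lets a scheduled task or monitoring agent raise an alert.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

The thumbprint column lets you confirm after a replacement that the root authority and the token issuer both reference the new certificate.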