Troubleshooting error "Signing certificate doesn't match configured certificate"
This article explains the steps involved in troubleshooting the error "Signing certificate doesn't match configured certificate".
Note: This issue is specific to ADFS as an IdP for SSO and is applicable for both ADFS 2.0 and ADFS 3.0
Signing certificate doesn't match configured certificate.
This error appears while the ADFS 'Token-signing' certificate is being renewed or after it has already been renewed.
Note: This is a self-signed certificate. It is renewed automatically when the AutoCertificateRollover flag is set to True.
Reference Link: https://technet.microsoft.com/en-in/library/dn781426.aspx
During an ADFS certificate renewal, you may see two certificates under the ADFS Management console.
You need to update the newer certificate in the inSync admin portal for SSO to work.
If you see only one certificate in the ADFS console, select that certificate and perform the following steps.
- Select the newer Token-signing certificate on the ADFS console.
- On the Certificate properties window, click the Details tab. On the Details page, click Copy to File. This launches the Certificate Export Wizard.
- Click Next on the wizard's welcome page. Select “Base-64 encoded X.509 (.cer)” and click Next.
- Browse to a location and save the file with a name such as 'SSOCert'.
- Open the saved certificate in a text editor (Notepad++ preferably).
- The file will show a certificate in the following format.
- Copy the certificate and paste it on the Single Sign On Settings page under “ID Provider Certificate”.
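The same result can be reached from PowerShell on the ADFS server, which also makes it easy to see which of the two certificates ADFS is actually signing with during a rollover. The script below is an added example, not part of this article or of the inSync product; it assumes the ADFS PowerShell module is available in an elevated session, and the output path C:\Temp\SSOCert.cer is an assumption you can change. It reports the AutoCertificateRollover setting mentioned in the note above, lists the Token-Signing certificates with their primary flag and expiry, and exports the primary one in the same Base-64 encoded X.509 form the export wizard produces.

```powershell
# Added example (not from the article). Run on the ADFS server in an elevated
# PowerShell session with the ADFS module loaded.
$OutFile = 'C:\Temp\SSOCert.cer'   # assumption: adjust to your environment

# 1. Rollover state. If this is False, the token-signing certificate is not
#    renewed automatically and any renewal was done by hand.
$props = Get-AdfsProperties
"AutoCertificateRollover: $($props.AutoCertificateRollover)"

# 2. All token-signing certificates. During a rollover there are two; the one
#    with IsPrimary = True is the one ADFS uses to sign tokens right now, and
#    it is the one that must be configured on the inSync side.
$signing = Get-AdfsCertificate -CertificateType Token-Signing
$signing | Format-Table IsPrimary, Thumbprint,
    @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } } -AutoSize

$primary = $signing | Where-Object { $_.IsPrimary }
if (-not $primary) { throw 'No primary token-signing certificate found.' }

# 3. Export the primary certificate as Base-64 encoded X.509 (PEM), the same
#    format as the "Base-64 encoded X.509 (.cer)" option in the export wizard.
$der = $primary.Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $OutFile -Value $pem -Encoding Ascii

# 4. Print the thumbprint so it can be compared with the certificate already
#    configured in the SSO settings; a mismatch here is exactly what produces
#    the "Signing certificate doesn't match configured certificate" error.
"Exported primary token-signing certificate (thumbprint $($primary.Thumbprint)) to $OutFile"
```

Open the resulting file in a text editor and paste its contents into the ID Provider Certificate field as in the last step above. If the thumbprint printed by the script differs from the one of the certificate currently configured, that confirms a rollover has happened and the configured certificate needs updating.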