How to Update the SSL Certificate

This section describes how to update the SSL certificate of the EDS service.

To replace this SSL certificate, perform the following actions:

  1. Prepare a new SSL certificate that meets these requirements:

    • The SSL certificate is issued by a trusted certificate authority.
    • The SSL certificate and its private key are in a .PFX file (you must have the password of the file).
    • The key size of the SSL certificate is 2048 bits or more.
    • The value of the Issued to certificate property is a hostname in the FQDN format. This hostname is resolved through external DNS servers to the FrontNet IP address of the EDS server. See DNS Requirements for more details.
  2. Upload the .PFX file of the new SSL certificate to the EDS server.
  3. Log in to the EDS server as Administrator.
  4. From the Start menu, select Run. Then, enter cmd.exe and click OK. A Command Prompt window opens.
  5. In the Command Prompt window, go to the <root directory of the EDS server site>\bin folder. For example:

    cd C:\Inetpub\wwwroot\CDISync\bin
  6. Replace the old SSL certificate with the new one by running the following command:

    CDICertUtil.exe -pfx <full path to .PFX file of new SSL certificate> -pfx-passw <password of .PFX file of new SSL certificate> -update-webconfig <full path to web.config file of EDS service web site>

    For example:

    CDICertUtil.exe -pfx C:\Temp\EDSServiceCertificate.pfx -pfx-passw 4b83fe4b27e5932b7ebf1c260209b35c -update-webconfig C:\Inetpub\wwwroot\CDISync\web.config
  7. Open the URL of the EDS service and make sure that its SSL certificate is updated successfully.
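
A pre-flight check of the .PFX file against the requirements in step 1, to run on the EDS server before step 6. This is an added example, not part of the original page or of the product's tooling. It assumes Windows PowerShell with .NET Framework 4.6 or later and an RSA certificate, reuses the sample path from step 6, and prompts for the password instead of taking it on the command line.

```powershell
# Added example (not from the original page): checks a .PFX against step 1.
# Assumptions: Windows PowerShell, .NET Framework 4.6+, RSA key, sample path.
param([string]$PfxPath = 'C:\Temp\EDSServiceCertificate.pfx')
$ErrorActionPreference = 'Stop'   # a wrong password or path stops the script

# Prompt for the password so it is not stored in command history.
$password = Read-Host -Prompt 'Password of the .PFX file' -AsSecureString
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $PfxPath, $password
$failed = $false
try {
    # Returns $null for non-RSA keys, which is reported as a failed check.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    # "Issued to" in the Windows certificate dialog is the subject's simple name.
    $issuedTo = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    # Two or more DNS labels separated by dots (format check only).
    $fqdn = '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$'

    $checks = [ordered]@{
        'Private key present in the .PFX file'        = $cert.HasPrivateKey
        'Key size is 2048 bits or more'               = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)
        "Issued to '$issuedTo' is in the FQDN format" = $issuedTo -match $fqdn
        # Verify() builds the chain with this server's trust store and also
        # fails for an expired or not-yet-valid certificate.
        'Chain builds to a CA trusted by this server' = $cert.Verify()
    }
    foreach ($name in $checks.Keys) {
        $status = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
        Write-Output "[$status] $name"
    }
    $failed = $checks.Values -contains $false
}
finally {
    $cert.Reset()   # release the key material loaded from the .PFX file
}
# Non-zero exit code if any requirement is not met.
if ($failed) { exit 1 }
```

The script does not check that the hostname resolves through external DNS servers to the FrontNet IP address of the EDS server. The trust check reflects the certificate store of the machine it runs on, not that of the clients.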

Notes:

1. To obtain the complete list of options and their description, use the CDICertUtil.exe -usage command.

2. By default, the NETWORK SERVICE built-in account is used for the application pool of the EDS service web site. If you changed this account to a custom one, when running the command above, you must specify this custom account in the following way: CDICertUtil.exe ... DOMAIN\USER (for a domain account) or CDICertUtil.exe ... USER (for a local account).

3. If the new SSL certificate is in the certificate storage of the EDS server (it must be placed at Certificates MMC snap-in > Certificates (Local Computer) > Personal > Certificates), you can retrieve the SSL Certificate thumbprint and execute the following command: CDICertUtil.exe -thumbprint <thumbprint> -update-webconfig <full path to web.config file of EDS service web site>. To obtain the instructions on how to retrieve the thumbprint of an SSL Certificate, please refer to the article at http://msdn.microsoft.com/en-us/library/ms734695.aspx.