How-To: Renew an expiring (or expired) token signing certificate


Do you have a federated application offline because its certificate has expired, or have you noticed that the certificate is expiring and need to update it?

If you have a SAML application in your Enterprise Applications whose token signing certificate is expiring soon, first locate the application. For this example we use "Meraki Dashboard"; you can see from the application list that it has the status "Expires Soon", as below:

When you have located the application, choose "Single sign-on" and look at the certificate in section 3. Notice that it says "Active" rather than "Expiring Soon", which is a little frustrating, but from the date you can see that it will expire soon, so now we need to click Edit:


Then we need to create a new certificate as below:

This adds a new certificate; however, it needs to be saved to update the details, so click Save:


This updates the status, expiration date and thumbprint, but notice that the new certificate is not active yet; we will do that in a moment:


We now need to take the thumbprint, which is below:

C75024FFBA5352D3C1B72D9D416DDAEF537317A5

Then, for the Meraki Dashboard, we need to add a colon (:) after every second character, which results in this:

C7:50:24:FF:BA:53:52:D3:C1:B7:2D:9D:41:6D:DA:EF:53:73:17:A5
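The colon formatting above is easy to get wrong by hand (a dropped character or a stray lower-case paste is hard to spot in 40 hex digits), so the following is an added example, not code from the original post, that does the conversion, checks that a value configured at the service provider really refers to the same certificate shown in Entra, and classifies a certificate by its expiry date so the renewal can be scheduled before the "Expires Soon" stage described at the start and end of this post. The thumbprint constant is the one shown above; the service-provider fingerprint, the dates and the 30-day warning threshold are constructed for the example.

```python
import re
from datetime import date

# Thumbprint as copied from the Entra SAML signing certificate panel (value from the post).
ENTRA_THUMBPRINT = "C75024FFBA5352D3C1B72D9D416DDAEF537317A5"


def normalize_thumbprint(value: str) -> str:
    """Strip spaces, colons and dashes and upper-case the result.

    Portals differ in how they display a SHA-1 thumbprint (bare hex, colon
    separated, sometimes lower-case), so compare the canonical form rather
    than the display form. Anything that is not exactly 40 hex digits is
    rejected so a truncated paste is caught before it is saved into the SP.
    """
    cleaned = re.sub(r"[\s:\-]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit SHA-1 thumbprint: {value!r}")
    return cleaned


def to_colon_fingerprint(value: str) -> str:
    """Render a thumbprint as XX:XX:...:XX, the form the Meraki
    "X.509 Cert SHA1 fingerprint" field expects."""
    canonical = normalize_thumbprint(value)
    return ":".join(canonical[i:i + 2] for i in range(0, len(canonical), 2))


def fingerprints_match(idp_thumbprint: str, sp_fingerprint: str) -> bool:
    """True when the value configured at the SP refers to the same certificate
    as the one shown at the IdP, regardless of separators or letter case."""
    return normalize_thumbprint(idp_thumbprint) == normalize_thumbprint(sp_fingerprint)


def expiry_status(not_after: date, today: date, warn_days: int = 30) -> str:
    """Classify a certificate by its notAfter date.

    warn_days is this example's own threshold (an assumption, not a value
    from the post), chosen so a renewal can be done while the current
    certificate still works and no break-glass login is needed.
    """
    remaining = (not_after - today).days
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring soon"
    return "active"


if __name__ == "__main__":
    # Constructed sample: the SP still holds an older certificate's fingerprint.
    sp_configured = "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd"
    print("Paste into Meraki:", to_colon_fingerprint(ENTRA_THUMBPRINT))
    print("SP already matches IdP:", fingerprints_match(ENTRA_THUMBPRINT, sp_configured))
    # Constructed dates for illustration.
    print("Status:", expiry_status(date(2025, 3, 1), date(2025, 2, 20)))
```

Run `fingerprints_match` against the value currently in the Meraki SSO section before and after saving: before the change it should be false (the SP still holds the old thumbprint), after the change it should be true, which is a quicker check than comparing two long hex strings by eye.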

Now we need to log in to Meraki (if you are using SSO you may need the break-glass account if the certificate has expired) and then choose Organization > Settings, as below:


Then find the SSO section, which should look like the section below. Here you need to paste the new thumbprint into the "X.509 Cert SHA1 fingerprint" box, as below (it shows the old thumbprint at the moment):


Save the settings, then, once saved, choose the new certificate from the "SP Initiated SAML IdP" dropdown as below, and save your configuration again.


Now go back to the "Meraki Dashboard" application in Entra and, on the new SAML signing certificate, choose the three dots to the right and then "Make certificate active", as below:


You will then need to confirm that, yes indeed, the certificate can be activated:


When you do this, the new certificate is activated and the old one deactivated. Now, on the old certificate, click the same three dots and choose Delete:


You will again need to confirm your action:



Finally, confirm that you now have only one valid certificate, as below:


All done. If you had let the token signing certificate expire, SSO to Meraki should now be back online and working once again; and next time, renew it before it expires.
