Add a verification certificate to the trust policy

Applies To: Windows Server 2003 R2

When a token-signing certificate is replaced on a server that is running the Federation Service component of Active Directory Federation Services (ADFS), the public key portion of the new certificate must be added as a verification certificate to the trust policy of every federation server that receives tokens from that Federation Service. Until it is added, those servers cannot verify the signature on tokens signed with the new key.

This procedure is not usually necessary because the verification certificate is added to the trust policy automatically when you select a token-signing certificate for use by the server. Use this procedure under the following conditions:

Administrative credentials

To complete the procedure in this topic, you must be a member of the Administrators group on the local computer.

To add a verification certificate to the trust policy

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, right-click Trust Policy, and then click Properties.

  3. Click the Verification Certificates tab, and then click Add.

  4. In the Browse for Verification Certificate file dialog box, locate the certificate file that you want to add.

  5. Select the certificate file, and then click Open.

  6. In the Trust Policy Properties dialog box, click OK.
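The following Go program is an added illustration of why the procedure above is needed; it is not part of the original topic and does not use ADFS APIs. It models the trust policy as a list of verification certificates and a token as signed claims, and shows that a token signed with a replaced token-signing key is rejected until the new certificate's public key is added. The certificates are constructed self-signed test data, and the signature format is a simplified stand-in for the real token format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeSigningCert creates a token-signing key pair and the self-signed
// certificate that carries its public key (constructed data, not a real CA).
func makeSigningCert(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// signToken signs claims with the issuing Federation Service's private token-signing key.
func signToken(key *rsa.PrivateKey, claims []byte) ([]byte, error) {
	h := sha256.Sum256(claims)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

// verifyToken is the receiving server's trust policy check: accept the token only if its
// signature verifies against one of the configured verification certificates.
func verifyToken(claims, sig []byte, trustPolicy ...*x509.Certificate) bool {
	for _, c := range trustPolicy {
		if c.CheckSignature(x509.SHA256WithRSA, claims, sig) == nil {
			return true
		}
	}
	return false
}
```

Adding the new certificate alongside the old one, rather than replacing it, keeps tokens signed during the changeover verifiable on the receiving side.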

See Also

Concepts

Change the token-signing certificate that a federation server uses
Add a verification certificate to an account partner
Export the public key portion of a token-signing certificate
Remove a verification certificate