Skip to main content

Cryptographic Service Provider (CSP) Conversion Guide


Use this guide to convert the Cryptographic Service Provider (CSP) of third-party certificates to a SHA 2-enabled CSP via the PFX Convert Script to support SAML applications that require SHA 2 assertions.

For new SecureAuth IdP 9.1+ images, SecureAuth certificates are issued with the SHA 2-supported CSP out-of-the-box; and pre-9.1 SecureAuth IdP appliances' certificates are converted during the upgrade process. The PFX Convert Script Steps below are specifically for third-party (non-SecureAuth issued) certificates.

Once converted, the certificates can be used for both SHA 1 and SHA 2 SAML assertions.


1. Have a third-party certificate to use for SAML assertions

2. Ensure that the certificate's private key is exportable


If the key is not exportable, then reimport the certificate from the provider and enable the private key to be exportable

3. Have access to the SecureAuth IdP appliance and folders

4. Configure a realm in the Web Admin for a SAML assertion with a Service Provider (SP) that requires / supports SHA-2 assertions

PFX Convert Script Steps

1. On the SecureAuth IdP appliance, locate the PFX Convert script at D:\<Updater Path>\MFCApp_Bin\Extras\pfxconvert

2. Open the pfxconvert.ps1 file and replace the SecureAuth certificate Issuer to the Issuer value of the third-party certificate (line 1)

$issuer = "CN=SecureAuth G3 Intermediate Certificate Authority*"


Be sure to include the asterisk* after the Issuer name and before the closing quotation mark

3. Save the file

4. In the same folder, run the pfxconvert.cmd as administrator

5. Once complete, the original certificate is deleted and the new, SHA-2 certificate is imported


If the new certificate is not imported after the command is run, then locate it at D:\MFCApp_Bin\SAcerts and import the certificate manually

6. Check that the certificate is converted by reviewing the Provider information, which reads Microsoft Enhanced RSA and AES Cryptographic Provider upon success

Use the following command to locate all certificates and to display information, including the Provider

certutil -store my

SecureAuth IdP Web Admin Configuration Steps


Include these configuration steps in the complete SP integration steps

NOTE: The option to assert via SHA 2 is available for SecureAuth IdP 9.1+

Post Authentication

1. In the SAML Assertion / WS Federation section, select SHA2 from the SAML Signing Algorithm dropdown

2. Ensure that the Signing Cert Serial Number is that of the converted certificate


3. Click Save