Cryptographic Service Provider (CSP) Conversion Guide

Use this guide to convert the Cryptographic Service Provider (CSP) of third-party certificates to a SHA 2-enabled CSP via the PFX Convert Script to support SAML applications that require SHA 2 assertions.

For new SecureAuth IdP 9.1+ images, SecureAuth certificates are issued with the SHA 2-supported CSP out-of-the-box; and pre-9.1 SecureAuth IdP appliances' certificates are converted during the upgrade process. The PFX Convert Script Steps below are specifically for third-party (non-SecureAuth issued) certificates.

Once converted, the certificates can be used for both SHA 1 and SHA 2 SAML assertions.

1. Have a third-party certificate to use for SAML assertions

2. Ensure that the certificate's private key is exportable

3. Have access to the SecureAuth IdP appliance and folders

4. Configure a realm in the Web Admin for a SAML assertion with a Service Provider (SP) that requires / supports SHA-2 assertions

1. On the SecureAuth IdP appliance, locate the PFX Convert script at D:\<Updater Path>\MFCApp_Bin\Extras\pfxconvert

2. Open the pfxconvert.ps1 file and replace the SecureAuth certificate Issuer to the Issuer value of the third-party certificate (line 1)

$issuer = "CN=SecureAuth G3 Intermediate Certificate Authority*"

3. Save the file

4. In the same folder, run the pfxconvert.cmd as administrator

5. Once complete, the original certificate is deleted and the new, SHA-2 certificate is imported

6. Check that the certificate is converted by reviewing the Provider information, which reads Microsoft Enhanced RSA and AES Cryptographic Provider upon success

Use the following command to locate all certificates and to display information, including the Provider

certutil -store my