Be sure that all of the Prerequisites have been met before installing and running the ACRU

For any questions regarding the Prerequisites as they pertain to the existing environment, please contact SecureAuth Support


Use this guide to install, run (update), and confirm the actions of the SecureAuth IdP Appliance Certificate Renewal Utility (ACRU).

The ACRU tool is for use on SecureAuth IdP pre-8.1 appliances to update the Operating System (OS) to support SecureAuth's new SHA-2 Cloud Services' infrastructure. ACRU updates all of the certificate information to reflect the SHA-2 hashing algorithm and updates the URLs used by the appliance to communicate with the SecureAuth cloud services.


1. If SecureAuth IdP is integrated with any VPN or Gateway (Juniper, Cisco, Citrix, F5) using a vendor-specific thick client and a native X.509 personal certificate, then upload the SHA-2 SecureAuth Public CA Certificates to the VPN or Gateway, and all client workstations before running the ACRU

If no VPNs or Gateways are integrated with SecureAuth IdP, then the ACRU can be utilized immediately

 Options for Installation of SHA-2 Certificates on End-user Systems
  • SecureAuth recommends that the CA certificates be deployed via an Active Directory Group Policy to ensure that most if not all client systems have the required CA certificates
  • Also available is a Certificates Installer, which can be downloaded and executed on the end-user's Windows system, to install the certificates in the proper certificate stores
  • Manual installation of the certificates can be accomplished by end-users downloading the individual Root and Intermediate certificate CRT files located on the SecureAuth CA Public Certificates page

2. If any Firewalls are in place, open the following ports to enable access the necessary IP Addresses and URLs:

  • TCP 80 and 443 - IP:; URL: /
  • TCP 80 and 443 - IP:; URL: /
  • TCP 80 and 443 - IP: URL: /
  • TCP 80 and 443 - IP:; URL: /
  • TCP 80 and 443 - IP:; URL: /
  • TCP 80 and 443 - IP:; URL: /
  • TCP 443 - See SecureAuth cloud services IP Addresses; URL:
  • TCP 443 - See SecureAuth cloud services IP Addresses; URL:

3. Download the SecureAuth IdP Appliance Certificate Renewal Utility

  • Filename: SecureAuthApplianceCertificateRenewalUtility.msi
  • Filesize: 856 KB (876,544 bytes)
  • MD5 hashc15520a622ae207e07be3f67a9ce4535
ACRU Steps
ACRU Installation


1. Locate and open (double-click) the downloaded ACRU file, SecureAuthApplianceCertificateRenewalUtility.msi

Open File


2. Click Run to open the file

ACRU Installation Wizard

3. Once the ACRU Installation Wizard opens, click Next

4. Leave the values as default, and click Next

5. Click Next to confirm the installation

6. Click Close to complete the installation



7. Once the ACRU Tool is installed, locate it in Drive-C -> Program Files (x86) -> SecureAuth -> ApplianceCertRenewalUtility

8. Open (double-click) the SecureAuth.Tool.ApplianceCertRenewUtility.exe file

ACRU Update Wizard

9. Once the ACRU Update Wizard opens, leave the configurations as default and click Start

Select Through importing a PFX file only if explicitly instructed to do so by SecureAuth

If a proxy is configured on the SecureAuth IdP appliance, click Proxy Settings first

Proxy Settings

1. Check Use a proxy server for your internet connection

2. Provide the Proxy Server Address, Proxy Server Port, Proxy Username, and Proxy Password

3. Click Close

A Check SecureAuth file sync windows service prompt may appear; if so, ensure that all file sync windows services are stopped and click Yes

 Example Image



10. Wait for the ACRU Tool to update

A Reset IIS prompt may appear; if so, click Yes to reset IIS

 Example Image

ACRU Update Wizard Complete


11. Once the ACRU updates are complete, click Close

SecureAuth IdP Web Admin


12. Start Internet Explorer and click the SecureAuth Admin bookmark

13. On the initial screen, click Update WebConfig

Update WebConfig


14. Click Update and see the Results listed and Update Complete when it is finished

For SecureAuth IdP versions 8.0.0 and earlier, the Transaction (Trx) Log URL must be modified to avoid license errors

See below for more information

Confirm Changes

Once the installation and update has been completed, confirm that the changes have been applied to the appliance's OS

Certificates Console


In the Certificates Console, open (double-click) the SecureAuth G3 certificate

Old SHA-1 certificates may still be present in the Certificates Console, so be sure to select the correct one

Certificate Details


In the Details section, ensure that the Signature algorithm is sha256RSA, and that the Signature hash algorithm is sha256

SecureAuth IdP Web Admin - System Info


In the SecureAuth IdP Web Admin, in the System Info tab, the URLs in the WSE 3.0 / WCF Configuration section are updated to properly communicate with the SecureAuth cloud services

For SecureAuth IdP versions 8.0.0 and earlier, in the Admin Realm (SecureAuth0), set the Trx Log Service URL to if True is selected from the Trx Use WSE 3.0 dropdown

Set the Trx Log Service URL to if False is selected from the Trx Use WSE 3.0 dropdown

If a proxy is already configured on the appliance, the WSE 3.0 dropdowns and URLs are updated accordingly

 Example Image

Refer to Web Proxy Server Configuration Guide for more information

SecureAuth recommends to select False from the Trx Use WSE 3.0 dropdown, and set the Trx Log Service URL to to utilize HTTPS encryption rather than Message Level Encryption (msg)

 Example Image