Updating the Specops Password Reset Server Certificate
Specops Password Reset Server service uses a self-signed certificate to encrypt communications from the Password Reset Web (IIS) components. If this certificate is expired or inadvertently deleted, the Password Reset server may not be able to start.
Identify the Certificate Currently In Use
In order to check the certificate currently in use today, open the Reset Server configuration file C:\Program Files\Specopssoft\Specops Password Reset\Server\Specopssoft.SpecopsPasswordReset.Server.exe.config. Look for the serviceCertificate XML tag and its findValue parameter, e.g.
The value of this parameter indicates the thumbprint of the certificate currently in use. Check the computer account personal certificate store for the corresponding certificate. To find the certificate via an admin PowerShell:
dir cert:\localmachine\my\<certificatethumbprint> | fl
Substituting <certificatethumbprint> with the value from the config file, e.g.
The certificate subject should match the FQDN of the server; the certificate dates should also be valid for the current date. If the certificate has expired it must be renewed. If no results are returned, this indicates the certificate no longer exists and must be replaced.
Install A New Certificate
A new self-signed certificate can be created through any means available (e.g. an AD-integrated Certificate Authority); our only requirement is that the certificate subject matches the FQDN of the Password Reset server. The following PowerShell command creates the appropriate certificate good for five years:
New-SelfSignedCertificate -Subject "$env:computername.$env:userdnsdomain" -NotAfter (Get-Date).AddYears(5)
The command will create the cert and output the thumbprint. Next, open notepad as an administrator and edit the config file C:\Program Files\Specopssoft\Specops Password Reset\Server\Specopssoft.SpecopsPasswordReset.Server.exe.config to update it with the new certificate thumbprint.
Warning: be sure to back up the configuration file before making any changes.
Save the config file, then restart the Specops Password Reset Server service for the change to take effect.