HOW TO: Renew the certificate used by the Azure Back Sync in the Active Roles Synchronization Service (4379660)

The Azure Back Sync in the Active Roles Synchronization Service automatically creates a certificate which will expire in two years. After two years have passed, how is it possible to create and use a new certificate?

Currently, replacing the certificate used by the Azure Back Sync is a manual process.

Enhancement ID 496750 has been created so that the Active Roles Synchronization Service automatically renews the required certificate when needed.

WORKAROUND

1. On the Active Roles Synchronization Service host, as a local administrator, run the below PowerShell script in an elevated PowerShell session:

$params = @{
    Type = 'Custom'
    Subject = 'CN=ActiveRoles_AutocreatedAzureBackSyncApp_V2'
    FriendlyName = 'ActiveRoles_AutocreatedAzureBackSyncApp_V2_key'
    KeyUsage = 'DigitalSignature'
    KeyAlgorithm = 'RSA'
    KeyLength = 2048
    CertStoreLocation = 'Cert:\LocalMachine\My'
    NotAfter = (Get-Date).AddYears(2)
}
New-SelfSignedCertificate @params

2. Note the certificate Thumbprint that is generated here, it will be needed later.
3. On the Active Roles Synchronization Service host, run mmc.exe
4. Select File | Add/Remove Snap-in... | Certificates | Computer account then expand Personal | Certificates
5. Find the newly created certificate (the expiration date will be two years from today's date). Right-click and choose All Tasks | Export and then export to a .cer file.
6. Log into the Azure/Entra ID portal as a Global Administrator or Application Administrator
7. Under App Registrations, find the application named ActiveRoles_AutocreatedAzureBackSyncApp_V2
8. Expand Manage | Certificate and secrets
9. Upload the .cer file created in Step 4 above to the application
10. Restart the Active Roles Synchronization Service
11. Open the Active Roles Synchronization Service Console. Under Connections, find the AutoCreated_AzureADConnectorForBackSyncWorkFlow Connector and select Connection Settings
12. Update the Certificate thumbprint with the thumbprint value noted in Step 2 above.
13. Save and test the Azure Back Sync.

STATUS

An Enhancement Request has been created to integrate this functionality into Active Roles.

Product Management will evaluate the request and this feature may become available in a future release of the product.

There are no guarantees that this specific enhancement request will be implemented in a future release.

For more information regarding our Enhancement Request policy, refer to our Global Support Guide on the Support Portal at: https://support.oneidentity.com/essentials/support-guide/