How to change expired certificate
The certificate for OAuth2 authorization will always have a date of expiration. If you are past the date, the certificate will show as Expired in NavSherpa Setup and all your SharePoint connections using it will stop working.
To help with this, you can set an address in the Notifications e-mail field.
That way you will receive notifications about NavSherpa errors, and in the case of the certificate you will get an e-mail when it enters the Expiring status (about a month before the actual expiration).
When you need to change a certificate, you can do it in two ways:
- Click the assist edit button in the Certificate field in NavSherpa Setup and follow the instructions (create a new self-signed certificate or upload a new custom certificate).
- For SharePoint Online, upload the certificate public key (.cer) to all Microsoft Entra app registrations that you use with NavSherpa. Check the certificate thumbprint in both Microsoft Entra and NavSherpa; the two values must match.
For SharePoint on-premises, register the new certificate (.cer) on your SharePoint farm by running the following PowerShell script on your SharePoint server (change at least the path to the certificate).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
# Load the certificate public key (.cer) from disk
$publicCertPath = "<path-to-certificate>\navsherpa-certificate.cer"
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($publicCertPath)
# Add the certificate as a trusted root authority on the farm
New-SPTrustedRootAuthority -Name "HNavSherpaCertificate" -Certificate $certificate
# Build the issuer identifier from the issuer id and the farm's authentication realm
$realm = Get-SPAuthenticationRealm
# Change the specific issuer id if needed (it must match the Specific Issuer ID in NavSherpa)
$specificIssuerId = "11111111-1111-1111-1111-111111111111"
$fullIssuerIdentifier = $specificIssuerId + '@' + $realm
# Print the full issuer identifier for reference
$fullIssuerIdentifier
# Register the certificate as a trusted security token issuer on the SharePoint farm and restart IIS
New-SPTrustedSecurityTokenIssuer -Name "NavSherpaCertificate" -Certificate $certificate -RegisteredIssuerName $fullIssuerIdentifier -IsTrustBroker
iisreset
# Run these three lines for a self-signed certificate only (they are not needed for a certificate signed by an authority)
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()
If you changed the $specificIssuerId parameter, you also need to change the value in the Specific Issuer ID field in the NavSherpa access token wizard.
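The thumbprint comparison and the Expiring/Expired status mentioned above can be checked on the .cer file itself before it is uploaded to Microsoft Entra or registered on the farm. The following PowerShell function is an added example and is not part of the NavSherpa product or its documentation; the function name, the 30-day threshold (taken from the "about a month" notice period) and the expected-thumbprint parameter are assumptions made here. It loads the certificate the same way the farm script does, reports the thumbprint and remaining validity, and compares the thumbprint with the value shown in NavSherpa Setup, ignoring the spaces, colons and letter case that other tools sometimes add when displaying it.

```powershell
# Added example (not NavSherpa's own code): inspect a .cer file and compare its
# thumbprint with the one shown in NavSherpa Setup / Microsoft Entra.
function Test-NavSherpaCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertificatePath,
        # Value copied from the NavSherpa Certificate field or the Entra app registration (assumed input)
        [string] $ExpectedThumbprint,
        # "About a month" before expiration, matching the Expiring notification window (assumed threshold)
        [int] $ExpiringThresholdDays = 30
    )

    if (-not (Test-Path -LiteralPath $CertificatePath)) {
        throw "Certificate file not found: $CertificatePath"
    }

    # Same loading method as the farm script; a .cer contains the public key only
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)

    $now = Get-Date
    $daysRemaining = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

    # Mirror the statuses NavSherpa Setup displays: Expired, Expiring, otherwise Valid
    $status = if ($now -gt $cert.NotAfter) { 'Expired' }
              elseif ($daysRemaining -le $ExpiringThresholdDays) { 'Expiring' }
              else { 'Valid' }

    # Normalise the expected value so "ab:cd:..." or "ab cd ..." in lower case is not
    # reported as a mismatch; X509Certificate2.Thumbprint is upper-case hex without separators
    $thumbprintMatches = $null
    if ($ExpectedThumbprint) {
        $normalizedExpected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
        $thumbprintMatches = ($cert.Thumbprint -eq $normalizedExpected)
    }

    [pscustomobject]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        NotBefore         = $cert.NotBefore
        NotAfter          = $cert.NotAfter
        DaysRemaining     = $daysRemaining
        Status            = $status
        ThumbprintMatches = $thumbprintMatches
    }
}

# Usage (path and thumbprint are placeholders to replace with your own values):
# Test-NavSherpaCertificate -CertificatePath "<path-to-certificate>\navsherpa-certificate.cer" `
#     -ExpectedThumbprint "<thumbprint shown in NavSherpa Setup>"
```

A result with ThumbprintMatches set to False means the file you are about to upload is not the certificate NavSherpa is configured with, and the SharePoint connections would keep failing after the upload; a Status of Expiring or Expired on a freshly created certificate points at a wrong file rather than a registration problem.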