You need to export each certificate twice: once with the private key included and once with just the public key.
Procedure
- Start Microsoft Management Console (MMC).
- Go to .
- Select Certificates and click Add.
- Select Computer account and click Next.
- Select Local Computer and click Finish.
- Click OK to close Add/Remove Snap-in...
- Select the node .
- Select the Token Issuer certificate and choose and in the context menu:
  - In the Certificate Export Wizard, click Next.
  - Select Yes, export the private key and click Next.
  - Leave the Export File Format default settings unchanged and click Next.
  - Enter tridion twice for Password and click Next.
  - Browse to a location on the file system and enter a File name, for example Token Issuer private.pfx, and click Next.
  - Click Finish to complete the export.
    The Certificate Export Wizard confirms the export was successful and closes the dialog.
- Select the Token Issuer certificate again and choose and in the context menu:
  - In the Certificate Export Wizard, click Next.
  - Select No, do not export the private key and click Next.
  - Leave the Export File Format default settings unchanged (note that these are different from the previous export) and click Next.
  - Browse to a location on the file system and enter a File name, for example Token Issuer public.cer, and click Next.
  - Click Finish to complete the export.
    The Certificate Export Wizard confirms the export was successful and closes the dialog.
- Add the Token Issuer certificate to trusted certificates:
  - Open the node .
  - Select the Token Issuer certificate in the list and choose Copy in the context menu.
  - Select the node and select Paste in the context menu.
- Grant permissions for the Token Issuer certificate:
  - Open the node .
  - Select the Token Issuer certificate in the list and choose .
  - Grant read access to the following users:
    - The Application Pool user under which the Content Manager Explorer Web site is running: to find out the user, open IIS and go to (the default user is Network Service)
    - The Tridion Content Manager Service Host user: to find out the user, open Component Services and go to (the default user is the Local System account)
- Repeat the procedure to export public and private versions of the Core Service certificate and grant permissions for the certificate.
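To confirm that the two exported files are what the procedure intends, you can load them and compare them. The following PowerShell script is an added example, not part of the original procedure or the product: it checks that the .pfx holds the private key, that the .cer does not, and that both files contain the same certificate. The export folder is an assumption, and reusing the script for the Core Service certificate assumes you followed the same file naming.

```powershell
# Added example: verify the two files exported by the procedure above.
param(
    [string]$ExportDir = 'C:\Temp\certs',   # assumption: folder you exported to
    [string]$BaseName  = 'Token Issuer'     # file name prefix used in the procedure
)
$ErrorActionPreference = 'Stop'

$pfxPath = Join-Path $ExportDir "$BaseName private.pfx"
$cerPath = Join-Path $ExportDir "$BaseName public.cer"

# Prompt for the export password rather than storing it in the script.
$password = Read-Host -AsSecureString -Prompt "Export password for '$pfxPath'"

$type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$pfx  = New-Object $type -ArgumentList $pfxPath, $password   # fails on a wrong password
$cer  = New-Object $type -ArgumentList $cerPath

try {
    $now = Get-Date
    $checks = [ordered]@{
        'PFX contains the private key'          = $pfx.HasPrivateKey
        'CER contains no private key'           = -not $cer.HasPrivateKey
        'Both files hold the same certificate'  = $pfx.Thumbprint -eq $cer.Thumbprint
        'Certificate is within validity period' = ($cer.NotBefore -le $now) -and ($now -le $cer.NotAfter)
    }

    "Subject:    $($cer.Subject)"
    "Thumbprint: $($cer.Thumbprint)"
    foreach ($name in $checks.Keys) {
        '{0,-40} {1}' -f $name, $(if ($checks[$name]) { 'OK' } else { 'FAIL' })
    }

    if (@($checks.Values) -contains $false) {
        throw "Export check failed for '$BaseName'."
    }
}
finally {
    # Release the loaded certificates and any key material held in memory.
    $pfx.Reset()
    $cer.Reset()
}
```

Because the .pfx file contains the private key, store it where only administrators can read it and delete any working copies once the certificate has been installed on the target machine.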