GTconsult UpdatingCer1

With regards to having tighter security in a network and ensuring no one can directly access your servers WAP for SharePoint is extremely important. A very common setup is using a Web Application Proxy (WAP) server to forward https onto the relevant servers. We also have this setup, and our GTconsult wildcard certificate was about to expire, because of this, we needed to update the certificate on the relevant servers, but also, on the WAP server.

I am going to run through the steps taken to complete this.

  1. Log onto the WAP server.
  2. Add the new certificate to the server. Make sure this is added to the personal certificate store for the computer account.




3. Find the ThumbPrint for the certificate by viewing its details

4. All of the publishing rules need to be updated with the thumbprint of the new certificate. This can be done by either deleting the old rules and recreating them with the new certificate thumbprint specified, or the rules can be updated with the new thumbprint, for example:

Get-WebApplicationProxyApplication –Name “WebAppPublishingRuleName” | Set-WebApplicationProxyApplication –ExternalCertificateThumbprint “00112233445566778899aabbccddeeff00112233”

Where (you guessed it!) 00112233445566778899aabbccddeeff00112233 should be replaced with the thumbprint you found earlier and ‘WebAppPublishingRuleName’ should be replaced with the name of the rule as it is shown in the Remote Access Console.


5. Restart the server, or the ADFS and Web Application Proxy services to complete the configuration. 

Test that all of the previously published rules function correctly and provide the new certificate to the computer from which you are making a connection. If you need to check the certificate assigned to a specific publishing rule, the following PowerShell will show all of the properties for the publishing rule:

Get-WebApplicationProxyApplication –Name “WebAppPublishingRuleName” | fl

By John Torrance
by Adrian Steyn

Apply to Work @ GT



Leave a Reply

Your email address will not be published. Required fields are marked *

*