After replacing the client CA with a different one, RAEP functionality will be broken, since the calls to VeridiumID server will be performed using a friend certificate from the old client CA. In order to fix this, you must perform the following steps:
-
Obtain a new friend certificate from the VeridiumID server. For this, access the Veridium manager, then Settings->Certificates->Service Credentials and click on Create Custom Service Certificate:
-
Enter a Device ID, select AD as integration and click on Create:
-
Connect via Remote Desktop to the server where the RAEP resides. Copy also the previously created certificate to this server. Access Veridium RAEP Configuration utility - click on Start->VeridiumID → VeridiumID RAEP Config:
-
In General Settings, under Custom Service Certificate click on Import new:
-
Browse and select the certificate, type in the password, then click on Import:
-
Connect via Remote desktop to the client machine where you have the credential provider installed and open the local machine certificate store (certlm.msc).
-
Identify the machine certificate created from the OLD client ca. Its friendly name should be VeridiumID Device Certificate:
-
Delete this certificate, then restart the BopsLogon service. This should force the credential provider to obtain a new machine certificate from the new client CA.
-
Lock the machine and test the credential provider.