Change a user's certificate

You can change or renew certificates required for logon by assigning a new certificate in the SafeGuard Management Center. The certificate is assigned as a standby certificate alongside the existing certificate. By logging on with the new certificate, the user changes the certificate on the endpoint.

Note: If users have lost their tokens or tokens have been compromised, do not exchange tokens by assigning new certificates as described here. Otherwise problems may occur. For example, the old token certificate may still be valid for Windows logon. As long as the old certificate is still valid, logon to Windows is still possible and the computer can be unlocked. Instead, block the token to prevent logon.

Standby certificates can be used in the following cases:
  • Change (cryptographic) token generated certificates.
  • Switch from auto-generated certificates to token-generated certificates.
  • Switch from user name/password authentication to cryptographic token (Kerberos) authentication.


Prerequisites:

  • The new token is issued.
  • Only one certificate is assigned to the user.
  • You have Full access rights for the relevant user.

To change a user's certificate for token logon:

  1. In the SafeGuard Management Center, click Users and Computers.
  2. Plug the token into the USB interface.

    SafeGuard Enterprise reads in the token.

  3. Select the user for whom you want to change the certificate and open the Certificate tab in the work area on the right-hand side.
  4. On the toolbar, click the appropriate icon for the action you want to perform.
  5. Select the relevant certificate and enter the token's PIN.
  6. Click OK.
  7. Provide the user with the new token.

The certificate is assigned to the user as a standby certificate. This is indicated by a tick in the Standby column of the user's Certificates tab.

After synchronization between the endpoint and the SafeGuard Enterprise Server, the status dialog on the endpoint indicates that it is Ready for certificate change.

The user now has to initiate a certificate change on the endpoint computer. For further information, see the SafeGuard Enterprise user help.

After the user has changed the certificate on the endpoint, the certificate is also renewed on the SafeGuard Enterprise Server during the next synchronization. This removes the old token from the user's Certificates tab in the SafeGuard Management Center. The new token becomes the standard token for the user.

Note: In the SafeGuard Management Center, both certificates can be deleted separately. If only a standby certificate is available, the next certificate is assigned as the standard certificate.