Once the Records Management STS is created, an X.509 certificate is registered in IIS that is responsible for signing issued tokens, which ultimately ensures that Claims-Based Security is secure.
Because the out-of-the-box signing certificate that is used is common to all installations of Records Management, you should deploy your own certificate specific to your environment by performing the following steps on each of the Web Servers that will be hosting the Manager Web.
Obtain an X.509 certificate for token signing.
There are several ways to obtain a X.509 certificate for token signing.
Commercial Certification Authority – You can purchase an X.509 certificate from a commercial certification authority.
Generate a Self-Signed Certificate – You can generate your own self-signed certificate by following the steps at the following link: https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
Once you have generated a certificate, open IIS and select Certificates.
Select your newly generated certificate and choose Export from the Actions Pane.
On each server hosting the Manager Web, open IIS and select Certificates.
Select Import from the Actions Pane and choose the certificate that you previously exported.
On each server hosting the Manager Web, execute the following PowerShell command:
Set-RecordsManagerStsWeb -SiteName "Records Management STS" –SigningCertificateSubjectName CN=<YourSubjectName>POWERSHELL