# Service Provider Signing Certificate

You may wish to create a resource mapping (if used) prior to carrying out this step, although this information can be added at a later date.

### Adding a Signing Certificate

1. Select ≡ > **Admin** > **Integration**.
2. In the Explorer pane, under **Single Sign On**, select **Signing Certificates**.
3. Select the **New** icon.
4. The Single Sign On Identity Provider Details window appears. Complete the details.

<table><thead><tr><th width="205">Name</th><th>Add a Display Name for the Signing Certificate</th></tr></thead><tbody><tr><td>Certificate</td><td>Choose a Certificate to make this available to your Service Provider (The Certificate dropdown field shows all certificates installed in the Local Machine store of the ASM web server)</td></tr></tbody></table>

Select the **Save** icon to save the details.

{% hint style="warning" %}
Certificates must have a private key and the IIS Application Pool must have full control of the certificate. Permissions for the certificate can be changed using **Manage Private Keys**.
{% endhint %}

### If you are using the SHA-256 Secure Hash Algorithm (a requirement for Azure AFDS, for example), ensure that:

* the certificate has been marked as exportable when it is installed
* the certificate contains the SHA-256 Signature Algorithm. You can find this information by viewing the certificate properties.

{% hint style="warning" %}
A SHA-256 certificate can be used to create SHA-1 and SHA-256 signatures. A SHA-1 certificate cannot be used to create SHA-256 signatures.
{% endhint %}
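The requirements in the two warnings above (private key present, Application Pool full control, exportable, SHA-256 signature algorithm) can be checked from an elevated PowerShell prompt on the ASM web server. This script is an added example, not part of the product; the Application Pool identity name is a hypothetical placeholder, and it assumes RSA keys stored in the default machine key folders.

```powershell
# Read-only audit of the Local Machine "Personal" store; nothing is modified.
param(
    # Hypothetical placeholder: replace with the identity of your IIS Application Pool.
    [string]$AppPoolIdentity = 'IIS AppPool\ExampleAppPool'
)

# Default folders for machine private key files (legacy CSP keys, then CNG keys).
$keyDirs = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
           "$env:ProgramData\Microsoft\Crypto\Keys"

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_; $exportable = $null; $fullControl = $null; $keyName = $null
    if ($cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $keyName = $rsa.Key.UniqueName
                $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                $exportable = ($rsa.Key.ExportPolicy -band $allow) -eq $allow
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
            # Locate the key file; $keyName stays empty for non-RSA keys.
            $keyFile = if ($keyName) {
                $keyDirs | ForEach-Object { Join-Path $_ $keyName } |
                    Where-Object { Test-Path $_ } | Select-Object -First 1
            }
            if ($keyFile) {
                # Looks only for an explicit Allow entry naming the identity itself,
                # not rights inherited through group membership.
                $full = [System.Security.AccessControl.FileSystemRights]::FullControl
                $fullControl = [bool]((Get-Acl $keyFile).Access | Where-Object {
                    $_.IdentityReference.Value -eq $AppPoolIdentity -and
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights -band $full) -eq $full
                })
            }
        } catch {
            Write-Warning "Could not read key for $($cert.Thumbprint): $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        HasPrivateKey      = $cert.HasPrivateKey
        Exportable         = $exportable
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        IsSha256           = $cert.SignatureAlgorithm.FriendlyName -match 'sha256'
        AppPoolFullControl = $fullControl
    }
} | Format-Table -AutoSize
```

A blank `Exportable` or `AppPoolFullControl` column means the key could not be inspected (no private key, a non-RSA key, or a key file outside the default folders), so check that certificate manually with **Manage Private Keys**.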
