What I am hoping to achieve in this post is a friendly guide for SharePoint admins to install their certificates and set their sites to https.
I found that all of the content required to do this is covered in various blogs, but nowhere could I find a friendly guide covering the end-to-end process, so here is my attempt.
Firstly you need to install the certificate.
I have tried installing the certificate file straight into the MMC console, but the certificate file never shows up in IIS. I think this is to do with the way the certificate is created, and the method below is how I get it to work.
In this example I will use http://test.matt.com as my fictional pre-existing web application.
You can also create a Web Application as SSL from the start. If you are starting off with SSL rather than configuring an existing SharePoint site, install the certificates before creating the Web Application.
Most of the clients I have worked with have their certificates issued for them by a dedicated team or person, so I am assuming you have the files below for your site's certificate.
1. test.matt.com.csr (Certificate signing request)
2. test.matt.com.key (Key file)
3. test.matt.com.cer (Certificate file)
4. group.cer (Root Certificate file)
On a machine with openssl installed, browse to C:\Program Files (x86)\GnuWin32\bin
Copy the certificate files (.cer/.csr/.key) to the bin location.
Copy the Group.cer into C:\Program Files (x86)\GnuWin32\bin from this location
Firstly we need to generate a .pem file.
If you do not have a certificate file you can generate a self-signed one:
x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
You can then create the .pem from that cert:
x509 -in plexus/plexus.dev.echonet.crt -out plexus/plexus.dev.echonet.pem
Open the openssl application and run: x509 -inform der -in test.matt.com.cer -out test.matt.com.pem
A .pem file should appear in the bin directory.
Open the openssl application and run: pkcs12 -export -out test.matt.com.pfx -inkey test.matt.com.key -in test.matt.com.pem -certfile Group.cer
Once prompted, set the password (keep this safe; you will need it to install the certificate).
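Before importing the .pfx, it is worth confirming that the key file really belongs to the certificate and that the bundle contains both. The script below is an added example, not part of the original post: it assumes a POSIX shell with openssl on the PATH (rather than the GnuWin32 openssl prompt), a PEM-encoded Group.cer, and a constructed demo password.

```shell
#!/bin/sh
# Added example, not from the original post. Keys, certificates and the
# password are throwaway values constructed in a temp directory.

# key_matches_cert KEY DER_CERT: true only if the private key's public half
# equals the public key inside the DER-encoded certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -inform der -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# pfx_has_matching_key PFX PASSWORD: true only if the bundle holds a private
# key that pairs with its leaf certificate; an https binding needs both.
pfx_has_matching_key() {
    k=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    c=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# build_demo DIR: make a constructed root (PEM Group.cer) and a DER site
# certificate, then run the post's two steps: .cer -> .pem, then -> .pfx.
# The password is on the command line only because this is a demo; for a
# real key let openssl prompt, as the post does.
build_demo() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out Group.cer \
        -subj "/CN=Constructed Root" -days 2 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -keyout test.matt.com.key \
        -out test.matt.com.csr -subj "/CN=test.matt.com" 2>/dev/null &&
    openssl x509 -req -in test.matt.com.csr -CA Group.cer -CAkey root.key \
        -CAcreateserial -days 1 -outform der -out test.matt.com.cer 2>/dev/null &&
    openssl x509 -inform der -in test.matt.com.cer -out test.matt.com.pem &&
    openssl pkcs12 -export -out test.matt.com.pfx -inkey test.matt.com.key \
        -in test.matt.com.pem -certfile Group.cer -passout pass:constructed-demo
)

dir=$(mktemp -d) && build_demo "$dir" &&
    key_matches_cert "$dir/test.matt.com.key" "$dir/test.matt.com.cer" &&
    pfx_has_matching_key "$dir/test.matt.com.pfx" constructed-demo &&
    echo "key, certificate and .pfx agree"
[ -n "$dir" ] && rm -rf "$dir"
```

With real files, call key_matches_cert on your own .key and .cer before the pkcs12 step, and pfx_has_matching_key on the resulting .pfx before importing it.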
Open the certificate console by typing MMC into the search.
Import the .pfx file into the Personal certificates store.
Enter your password.
NOTE: Be sure to tick the box
Your certificate should now be visible in the personal certificate store.
Now to the IIS configuration.
Within the IIS settings for the server, click on 'server certificates'.
Your installed certificate should be visible.
Open the bindings for your SharePoint site.
NOTE: If you need both http and https configured, so that you could in theory use either, add a new binding. Alternatively, if you only need https, edit the current binding and change the settings as detailed below.
Type = https
Host Name = Use the same as the http binding (e.g. matt.test.com)
IP address = Use the same as the http binding
Port = 443
Certificate = Select your newly installed certificate
OK your changes.
That is all the required configuration for the IIS site. Perform this on every SharePoint server that hosts the SharePoint IIS sites.
You will now need to edit the SharePoint alternate access mapping for the web application.
NOTE: If you need to browse the site by http or https, or just wish to leave both configured as an option, add a new AAM for http by following the next step. If you only want to use https, skip the next step.
Save and then click on 'Add Internal URLs'
Add a new http:// address exactly the same as the original before we changed to https://
The original default address must be changed to https://. You cannot just add a new https:// address, because you want the default URL to use https://
Now do an IIS reset.
You should now be able to browse your https site!
If you configured both http and https alternate access mappings, you can access your site over both http and https. You may wish to leave this configured for the future, but you can force all traffic over https if you require.
Open the SSL settings for the site.
Select 'Require SSL' and set client certificates to 'Require'.
Apply settings.
Do another IIS reset for this to be applied properly, or you will receive errors.
You will now get a 404 forbidden if you try to use http.
Https will work!