SharePoint 2010: Installing Your SSL Certificate

SharePoint 2010

Microsoft SharePoint 2010 does not include a GUI for installing the SSL Certificate. Because SharePoint 2010 is designed to run on Microsoft IIS 7, you can use IIS. If you have not yet created a Certificate Signing Request (CSR) and ordered your certificate, see Microsoft SharePoint 2010: SSL Certificate CSR Creation Instructions.

The SharePoint SSL Certificate installation process consists of three steps:

  1. Installing the SSL Certificate

  2. Assigning or binding the certificate to your SharePoint site

    See Using IIS 7 to Assign the Certificate to the SharePoint Website.

  3. Installing the root certificate

    See Using SharePoint 2010 to Install the Root Certificate.

SharePoint 2010: How To Install Your SSL Certificate

Using IIS 7 to Install the SSL Certificate

After ÃÛÌÒTV validates and issues your SSL Certificate, you can use Microsoft IIS 7 to install your SSL Certificate to the server where you generated the CSR, and then, bind it the SharePoint site.

  1. Save your certificate file (your_domain_name.cer) to the server from which the CSR was generated.

  2. Open Internet Information Services (IIS) Manager.

    On the Windows Start menu, click All Programs > Administrative Tools > Internet Information Services (IIS) Manager.

  3. In Internet Information Services (IIS) Manager, under Connections, click your server¡¯s Hostname.

    IIS 7 Server Certificates

  4. In the center menu, in the IIS section, double-click the Server Certificates icon.

  5. In the Actions menu, click Complete Certificate Request to open the Complete Request Certificate wizard.

    IIS 7 Complete Request Certificate

  6. On the Specify Certificate Authority Response page, under File name containing the certification authority¡¯s response, click ¡­ to browse to the .cer certificate file that ÃÛÌÒTV sent you, select the file, and then, click Open.

  7. Next, in the Friendly name box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.

    We recommend that you add ÃÛÌÒTV and the expiration date to the end of your friendly name, for example: yoursite-ÃÛÌÒTV-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.

  8. To install the certificate to the server, click OK.

    Known Issue in IIS 7:

    A known issue exists in IIS 7 where the following error message is displayed: "Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created." You may also receive a message stating: "ASN1 bad tag value met".

    Solution:

    If this is the server where you generated the CSR, in most cases, the certificate is actually installed. Simply cancel the dialog window and press F5 to refresh the list of server certificates. The new certificate should now be in the list; continue with the next step.

    If the new certificate is not in the list, you need to reissue your certificate as follows:

    1. Create a new CSR.
      See Microsoft SharePoint 2010: SSL Certificate CSR Creation Instructions.

    2. After creating a new CSR, login to the ÃÛÌÒTV® Management Console (your account). Then, next to your certificate, click Re-Key Your Certificate.

  9. Once you have installed the SSL Certificate successfully to the server, you still need use IIS to assign or bind that certificate to the SharePoint site.

Using IIS 7 to Assign the Certificate to the SharePoint Website

  1. In Internet Information Services (IIS) Manager, under Connections, expand your server¡¯s name, expand Sites, and then select the SharePoint site.

    iis 7 manager

  2. In the Actions menu, under Edit Site, click Bindings.

  3. In the Site Binding window, click Add.

  4. In the Add Site Bindings window, enter the following information:

    Type: In the drop-down list, select https.
     
    IP address: In the drop-down list, select All unassigned.
    If your server has multiple IP addresses, select the one that applies.
     
    Port: Enter 443, unless you are using a non-standard port for SSL traffic.
     
    SSL certificate: In the drop-down list, select the friendly name of the certificate that you just installed.

    IIS 7 add site binding window

  5. When you are finished, click OK.

  6. Now you need to install the root certificate on your SharePoint server.

Using SharePoint 2010 to Install the Root Certificate

  1. Log into the ÃÛÌÒTV® Management Console (your account).

  2. In the ÃÛÌÒTV® Management Console, under Order, click the order number for the SSL Certificate that you just installed.

  3. On the My Orders tab, click Download.

    digicert management console

  4. In the Download Certificate section, click the Download or Copy/Paste Individual Certificates link.

    digicert management console

  5. Next, click the ROOT CERTIFICATE icon.

    digicert management console

  6. In the Opening TrustedRoot.crt window, click Save File to save the file to your SharePoint server.

    Opening TrustedRoot.crt window

  7. Next, open SharePoint 2010 Central Administration.

    On the Windows Start menu, click All Programs > Microsoft SharePoint 2010 Products > SharePoint 2010 Central Administration.

  8. In SharePoint 2010 Central Administration, in the menu on the left, click Security and then, under General Security, click Manage trust.

    sharepoint 2010 central administration

  9. On the Trust Relationships page, in the menu at the top of the page, click New.

    sharepoint 2010 central administration

  10. In the Establish Trust Relationship window, in the General Setting section, in the Name box, type the name that you want to give the SSL Certificate.

    sharepoint 2010 central administration

  11. In the Root Certificate for the trust relationship section, click Choose File to browse for and select the root certificate (i.e. TrustedRoot.crt).

  12. In the Establish Trust Relationship window, click OK.

  13. If the certificate is installed successfully, it should be listed on the Trust Relationships page.

    sharepoint 2010 central administration

Test Your Installation

If your web site is publicly accessible, our ÃÛÌÒTV® SSL Installation Diagnostics Tool can help you diagnose common problems.

If you run into certificate errors, try repairing your certificate trust errors using ÃÛÌÒTV® Certificate Utility for Windows. If this does not fix the errors contact support.

Troubleshooting:

Error Message: ¡°The Root Certificate that was just selected is invalid¡±

If you receive this error message, do the following:

  1. Copy the TrustedRoot.crt to the root of your drive (i.e. C:\).

  2. Open SharePoint 2010 Management Shell.

    On the Windows Start menu, click All Programs > Microsoft SharePoint 2010 Products > SharePoint 2010 Management Shell.

  3. In the SharePoint 2010 Management Shell command prompt, edit the following command and provide a friendly name and the full path to the certificate file:

    New-SPTrustedRootAuthority -Name "FriendlyName" -Certificate C:\<path to certificate>

    For example:

    New-SPTrustedRootAuthority -Name "DigicertTrustedRoot" -Certificate C:\TrustedRoot.crt

    Note:     The friendly name is the same name that you used to establish a trust relationship to the root certificate.

    sharepoint 2010 central administration

  4. If the command runs successfully, the root certificate should be listed on the Trust Relationships page.

  5. If the command fails:

    • Check to make sure that everything in the command is spelled correctly and has the correct formatting.

    • Check to make sure that your root certificate is located in the path specified in the command.

    • Check to make sure that the path specified in the command is the path location where the root certificate is actually located.

    • Check to make sure that the friendly name matches the trust relationship name of the root certificate.