Article 8
Securing SharePoint Sites with Secure Sockets Layer
In this Article:
- Setup SSL Using Domain Certificate
- Setup SSL Using Self Signed Certificate
- Setup SSL Using Commercial Certificate
Setup SSL in SharePoint 2013 Using Domain Certificate
In this Article, you will learn how to set up Secure Sockets Layer (SSL) using different types of certificates. Most people get confused as to why SSL is needed in the first place. When you are providing consulting services to a big corporate client and you tell them that SSL is recommended for setting up an Extranet, their first question is always “Why SSL?” The primary reason SSL is used is to keep sensitive information encrypted. Only the intended recipient should be able to read the information transmitted over the Internet. In the Intranet environment, where your computers are behind a firewall, SSL is not required, but in the Extranet and Internet environments, where your information travels outside of your firewall boundaries, SSL is definitely needed, especially if the information is sensitive, such as financial or confidential information. Information transmitted over the Internet is passed from computer to computer on its way to the destination server. Any computer between you and the server can sniff this information if it is not encrypted with an SSL certificate. An SSL certificate encrypts the information and renders it unreadable to everyone except the server you are sending the information to. This protects the information from hackers.
In addition to encryption, a proper SSL certificate also provides authentication. SSL certificates are issued by a server. If you are purchasing a certificate from a third-party company, they usually verify your information before issuing you a certificate. You also get a trust seal from the provider that instills trust in your customers and partners. SSL also protects you from phishing attacks. Hackers are unable to impersonate your site because they don’t have a proper SSL certificate.
I can go on and on talking about the benefits and advantages of using SSL with your SharePoint sites, but that’s not the objective of this Article. Briefly speaking, if you intend to open up your sites to the public, either through Extranet or through Internet, it is important that you secure your sites with an SSL certificate, and that’s exactly what this Article will teach you. In a later Article, I will teach you how to set up an Extranet site in SharePoint. This Article is a prerequisite if you are interested in learning how to set up an Extranet site.
This Article is divided into three sections. In the first section, you will learn how to set up SSL using a domain certificate. In the second section, you will learn how to set up SSL using a self-signed certificate, and in the final section, you will learn how to set up SSL using a commercial third-party SSL certificate.
Setup SSL Using a Domain Certificate
In this first section, you will first learn how to create a
domain certificate. Please note, some or all of these steps may be repeated in
the subsequent sections also but that is only for your convenience so that you
don’t have to go back and forth looking for pertinent information.
To generate a domain certificate, you must have Active Directory Certificate Services running.
1. Open Server Manager (All Programs > Administrative Tools > Server Manager).
2. Expand Roles node and see if certificate services role is installed. If not, then install it first using the steps below.
3. Click Roles. Under Roles Summary header, you will see Add Roles link on the right, click it.
4. Click Next.
5. Check Active Directory Certificate Services role and click Next.
6. Click Next again.
7. Certification Authority will already be selected. Select the following services:
a. Certification Authority Web Enrollment
b. Online Responder
c. Certificate Enrollment Policy Web Service
8. Click Next.
9. Keep Enterprise selected and click Next.
10. Keep Root CA selected and click Next.
11. Keep Create a new private key selected and click Next.
12. Select RSA#Microsoft Software Key Storage Provider in the cryptographic service provider (CSP). Change key character length from 2048 to 1024 unless this is a production environment and you want to use strong keys. By default, SHA1 is selected as the hash algorithm; keep it selected and click Next.
13. Keep the default values selected and click Next. The common name for the CA is the name that you will see in the certification authority list while generating the domain certificate.
Figure 8-1: Configure CA Name
14. Keep the default value selected and click Next. The default validity period is 5 years.
15. Keep the default values selected and click Next. These are the certificate database and log locations.
16. Keep the default option Windows Integrated Authentication selected and click Next.
17. Click Install.
18. Now that you have it installed, the next step is to create a domain certificate, but wait a minute. If your domain controller is on a separate machine, then there is one step left: you have to import the certificate to the SharePoint machine. The certificate is located in the following folder and has a .crt extension.
C:\Windows\System32\CertSrv\CertEnroll
If you ever renamed your server, you will see multiple .crt files. Make sure you pick the one that is current. For example, if your server’s FQDN is walisystems.com and server name is SP2013, then the certificate file name will be sp2013.walisystems.com_walisystems-SP2013-CA. Copy the file to the SharePoint machine and import it into Trusted Root Certification Authorities.
a. Click Start > Run and type mmc and click OK. MMC console will open.
b. From File, select Add/Remove Snap-in.
c. Select Certificates from available snap-ins and click Add >.
d. Select third option Computer account and click Next.
e. Choose Local Computer and click Finish.
f. Click Ok.
g. Expand Certificates (Local Computer) node.
h. Expand Trusted Root Certification Authorities and click Certificates folder.
i. Right-click Certificates folder and select All Tasks then select Import.
j. Browse to the certificate (.crt) file that you copied from the DNS machine. Click Next.
k. Select Automatically select the certificate store based on the type of certificate and leave default store selected. Click Next.
l. Click Finish.
m. You will get The import was successful message. Click Ok.
19. Now, let’s move to the next part, which is creating a domain certificate. Open IIS.
20. Click on server name and under Actions on the right, click Create Domain Certificate.
21. Enter a friendly Common name for the certificate, for example, your server’s FQDN. Organization should contain your organization’s name or your server name. Organization Unit can be an abbreviation of your organization name or machine name. Enter City, State and select Country. Enter full state name, not the abbreviation. Click Next.
Figure 8-2: Create Certificate
22. Click Select button to select Certificate Authority. Select the one that you created above. If you are doing this for the first time, then there will be only one authority listed there. Select it and click OK. Give a friendly name to the Online Certificate Authority, for example, WS_SP2013 and click Finish.
That’s it. Next you will bind the certificate to your site.
Bind Certificate to Your Site
23. Open IIS.
24. Click server name. Expand Sites node.
25. Click site name that you will bind to the SSL certificate.
26. On the right, under Actions, click Bindings.
27. Click Add.
28. In Type, select https.
29. Keep 443 in the Port. This is the default port used for SSL.
30. In SSL Certificate, select the certificate you just created. Look for the common name, for example, WS_SP2013. Click OK. That’s it.
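The import in step 18 and the binding in steps 23 to 30 can also be scripted. The following PowerShell is an added example, not part of the original article: it checks the CA certificate file before trusting it, then attaches the domain certificate to the site. The copy location under C:\Temp and the IIS site name are assumptions, and the friendly name WS_SP2013 is the sample value from step 22.

```powershell
# Added example, not from the original article. Run elevated on the SharePoint/IIS server.
Import-Module WebAdministration

# Assumed values: adjust to your environment.
$caFile   = 'C:\Temp\sp2013.walisystems.com_walisystems-SP2013-CA.crt'  # assumed copy location
$siteName = 'SharePoint - 443'   # hypothetical IIS site name
$friendly = 'WS_SP2013'          # sample friendly name from step 22

# Step 18: inspect the CA certificate before trusting it machine-wide.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($caFile)
if ($ca.Subject -ne $ca.Issuer) { throw "Not a root CA certificate: $($ca.Subject)" }
if ($ca.NotAfter -lt (Get-Date)) { throw "CA certificate expired on $($ca.NotAfter)" }
Write-Host "CA $($ca.Subject), thumbprint $($ca.Thumbprint). Compare with the value shown on the CA server."

# Add it to Local Computer\Trusted Root Certification Authorities (steps a to m).
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
try { $root.Add($ca) } finally { $root.Close() }

# Locate the domain certificate created in steps 19-22 (Local Computer\Personal store).
$cert = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendly -and $_.HasPrivateKey })
if ($cert.Count -ne 1) { throw "Expected one certificate named '$friendly', found $($cert.Count)" }

# Steps 27-30: add the https binding on port 443 and attach the certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
    (Get-WebBinding -Name $siteName -Protocol https -Port 443).AddSslCertificate($cert[0].Thumbprint, 'My')
}

# Show the resulting https bindings for the site.
Get-WebBinding -Name $siteName -Protocol https
```

If an https binding on port 443 already exists, the script leaves it and its certificate untouched.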
To test the SSL setup, open the site in a browser. In the address bar, click the lock sign to check the validity of the certificate. If you want to see the certificate, click the View Certificates link at the bottom of the notification. In case you see an error message, click Certificate Error (which appears instead of a golden lock). Click View Certificates. Click the Install Certificate button to install the certificate. Click Ok to close the certificate window. Refresh your browser and you will now see a lock.
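The same test can be run from a client machine without a browser. The following PowerShell is an added example, not part of the original article: it completes the handshake even when validation fails and reports why (name mismatch or untrusted chain), together with the key size and signature hash, so that 1024-bit keys or SHA1 signatures left over from step 12's lab settings are visible. It assumes Windows PowerShell and an RSA certificate; the host name in the usage comment is built from the article's sample names.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell and an RSA certificate.
function Test-SiteCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)

    $seen = @{ Errors = 'NotChecked' }
    # Let the handshake finish even when validation fails, but record what failed,
    # so a certificate that triggers a browser error can still be examined.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $sslPolicyErrors)
        $seen.Errors = $sslPolicyErrors
        $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Rebuild the chain against this machine's stores to list each failure reason.
        $localChain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$localChain.Build($cert)

        New-Object psobject -Property @{
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            NotAfter           = $cert.NotAfter
            KeySize            = $cert.PublicKey.Key.KeySize            # e.g. 1024 or 2048
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName  # e.g. sha1RSA
            PolicyErrors       = $seen.Errors                           # None when the browser would show a lock
            ChainStatus        = @($localChain.ChainStatus | ForEach-Object { $_.Status })
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Usage (host name assumed from the article's sample server and domain):
# Test-SiteCertificate -HostName 'sp2013.walisystems.com'
```

A PolicyErrors value of RemoteCertificateChainErrors with an UntrustedRoot chain status means the CA certificate from step 18 is missing from the client's Trusted Root Certification Authorities store.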