Setup SSL In SharePoint 2013 Using Domain Certificate

Setup SSL In SharePoint 2013 Using Domain Certificate

Click here to download PDF

 

Setup SSL in SharePoint 2013 using commercial certificates



 

 Setup SSL in SharePoint 2013

 Download this article in PDF format

In this article you will learn how to setup SSL in SharePoint 2013. In my next article I will show you how to setup an Extranet in SharePoint 2013. Corporations usually setup SSL for Extranet sites. There are three ways to setup SSL.

1.       One way is to use a commercial SSL certificate. There are many sites that sell SSL certificates. For learning purposes you can sign up for a trial version (30 days). This is what this article will focus on today.

2.       Second way is to use a self-signed certificate that  you create in IIS.

3.       Third way is to set up your server to issue a certificate. This is what you need if you have custom DNS entries. Of course, you can also use first option (using commercial certificate) if you have DNS entries. If you use self-signed certificate and you have DNS entries, you get an error. More on this in another article!

So, let’s start. In this article, I will show you how to use Verisign certificate. Verisign is one the most popular companies that issue SSL certificates. We will sign up for a trial version.

1.       Before you sign up on Verisign site, we first need to create a certificate request. This will be needed when  you sign up at Verisign.

2.       Open IIS 7.0 (Start > Administrative Tools > Internet Information Services (IIS) Manager).

3.       Click on the server name.

4.       In IIS section, double-click Server Certificates.

5.       On the right side, under Actions, click Create Certificate Request… link.

6.       Request Certificate form will open. Fill out the fields. Enter your site name or URL in the  Common Name field. Enter your company name or abbreviation in Organization and Organizational Unit fields. Enter City and State. Enter full state name, abbreviation is not accepted. Select Country/region and click Next.

 

7.       Keep the default values selected. Cryptographic service provider should have Microsoft RSA SChannel Cryptographic Provider selected. If it’s a test or development environment, you can keep Bit length set to 1024. If it’s a production environment and you are using a purchased SSL key, then select Bit length according to your needs. What kind of security is needed depends on what kind of site you have created and what kind of content it has. For confidential content or for government sites, you may want to select at least 2048 in Bit length. Remember, the greater the bit length, the stronger the security. However, a greater bit length may decrease performance.

8.       Browse to a folder that will store the request and give a name to the file, for example, sslrequest. Click Finish.

9.       Go to Verisign site and sign up for a trial version. Here is the direct link for the signup page:

 

https://trustcenter.websecurity.symantec.com/process/retail/trial_product_selector;jsessionid=5FD77503659274771617C69ABB11A28D?uid=f0e5b79664a05e9b52b4844f12670f91&locale=VRSN_US

 

Enter technical contact details and click Continue. On the next screen, you will be asked to enter CSR. Open the request file that you had created, copy it and paste it into the box on the site. Once you have signed up, you will get an email with the key.

10.   There will be three links in the email. Click the first link to download  and install the Test Root CA Certificate. On the download page, there are different browsers listed. Select the browser that you will use for your site testing. Remember if you know you audience will use different browsers then you need to perform this step for every browser that your audience will be using. Steps for Internet Explorer are listed next.

11.   Click the link Download Secure Site Trial Root Certificate link. From the box, copy the certificate and save it in a text file with a .cer extension.

12.   Open Internet Explorer.

13.   Go to Tools > Internet Options > Content > Certificates.

14.   Click Import…. A wizard will open. Click Next.

15.   Browse to the location of the recently stored .cer file (step 11 above).

16.   Select the certificate and click Open.

17.   Click Next.

18.   Select Automatically select the certificate store based on the type of the certificate. Click Ok.

19.   Click Next then Finish.

20.   When prompted and asked if you wish to add the following certificate to the root store, click Yes.

21.   Second step listed in the email confuses many people. Basically this step is not required for latest IIS server. Users using IIS 5.0 or Higher servers do not need to download the intermediate CA as it is included with the SSL certificate upon issuance if they selected in the purchase as server vendor: Microsoft IIS 5.0 or higher. If you are not sure about the selection you made when requesting SSL certificate, go ahead and install it. It will not harm anything. To install it, perform same steps as listed above (Steps 11 – 19). Be sure to click second link in your email instead of first when performing step 11.

22.   Just like the second step, third step in the email is equally confusing. Don’t follow those steps, follow the ones listed below to install the certificate without hassles.

23.   Copy the certificate from your email. It will be at the bottom of the email. Be careful when copying. Copy whole text including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste it into Notepad. There should be no white spaces or extra line breaks.  Save the file with .p7b extension. You can name the file as sslcert.p7b or whatever you prefer.

24.   Click Start > Run and type mmc and click OK. MMC console will open.

25.   From File, select Add/Remove Snap-in.

 

 

26.   Select Certificates from available snap-ins and click Add >.

27.   Select first option My user account and click Finish.

28.   Click OK.

29.   Expand Certificates – Current User node.

30.   Expand the Trusted Root Certification Authorities folder on the left and select the Certificates subfolder.

31.   Locate the following certificate:

a.       Issued To: VeriSign Class 3 Public Primary Certification Authority - G5

32.   Right-click the certificate and select Properties.

33.   In the Certificate purposes section, select Disable all purposes for this certificate. This is a pre-installed certificate and must be disabled before using new certificate from SSL.

 

34.   Click Apply then OK.

 

Install Certificate

 

35.   Finally, install the certificate. There are two ways to do it. One is through the IIS and the other is the MMC certificates console. I prefer the second way because you have to come to the MMC certificates console anyway to fix a problem if you opt to install the certificate through IIS. If you install the certificate through IIS, at the time of binding the certificate to your site, certificate will not show up in IIS and then you will have to come to the MMC certificates console to perform an additional step. So it’s better to go with the MMC route from the beginning.  There is another problem with the IIS method. You get the following error when you install the certificate through IIS.

 

 

Error Text: Cannot find the certificate request that is associated with this certificate file. A certificate request must be completed on the computer where the request was created.

 

36.   Open MMC console (Start > Run > Type MMC > Click OK).

37.   Certificates console will still be available because you added it in step 24 but if for some reason  you had to restart your machine or log out of it then you will have to add the console again. Follow steps 24 – 28 to add Certificates console. Expand Certificates – Current User node on the left.

38.   Expand Trusted Root Certification Authorities and click Certificates folder.

39.   Right-click Certificates folder and select All Tasks then select Import.

40.   Browse to the certificate (.p7b) file. Click Next.

41.   Select Place all certificates in the following store and leave default store selected. Click Next.

42.   Click Finish.

43.   You will get The import was successful message. Click Ok. You may also get following security warning.

 

Error Description: You are about to install a certificate from a certification authority (CA) claiming to represent: Verisign Trial Secure Server Root CA – G2.

If you get this security warning, click Yes to install the certificate.

44.   With MMC Certificates console still open, expand Personal folder on the left and right-click Certificates subfolder. Select All Tasks then select Import.

45.   Browse to certificate file (.p7b) and Click Next.

46.   Keep second option Place all certificates in the following store selected and keep Personal certificate selected as the default option. Click Next.

47.   Click Finish. You will get The import was successful message. Click Ok.

Bind Certificate to your site

 

48.   Finally, bind certificate to your site. Open IIS.

49.   Click server name. Expand Sites node.

50.   Click site name that you will bind to the SSL certificate.

51.   On the right, under Actions, click Bindings.

52.   Click Add.

53.   In Type, select https.

54.   Keep 443 in the Port. This is default port used for SSL.

55.   In SSL Certificate, select the certificate you just installed. Please note that if you don’t see new certificate in this drop down, then you probably missed steps 44 – 47 above. Click OK. That’s it.

Alternate Access Mappings

 

56.   Assuming you have a web application setup to work with SSL, configure Alternate Access Mappings to use site with SSL. Open Central Admin Site and click Application Management.

57.    Under Web Applications, click Configure alternate access mappings.

58.    You will notice you already have default site listed in the Default zone. To add new URL in the Intranet zone, click Add Internet URLs.

59.    From the Alternate Access Mapping Collection drop down, select correct application that you want to use for the AAM setting and then add URL in the text box labeled URL protocol, host and port, for example, https://www.walisystems.com. From the Zone dropdown, select Intranet.

60.    Click Save.

Now open site with https to test that everything works fine.

 

In the address bar, click the lock sign to check validity of the certificate. If you want to see the certificate, click View Certificates link at the bottom of the notification.

Download this article in PDF format

SharePoint 2013 - Setup multiple URLs in DNS and configure Alternate Access Mappings

In the previous article “SharePoint 2013 - Setup DNS and use FQDN to access SharePoint sites” you learned how to setup DNS and use FQDN to access sites in SharePoint 2013. In this article, you will learn how to add new URLs for different sites (departments). For example, you can setup a URL for your finance department, HR department, etc.

1.       Now you have setup the domain services, you can use multiple URLs to access SharePoint sites. As mentioned in previous article, one way to access your SharePoint site is to use the machine name in the URL, for example, http://sp2013 (sp2013 is the machine name). With domain setup on your server, you can now access same site using URL like http://sp2013.walisystems.com. Please note that walisystems.com is the FQDN. Now, the fun part starts. We will setup a new URL www.walisystems.com to access your root site collection.

2.       Open Server Manager. Expand Roles. Expand DNS. Expand MACHINENAME. Expand Forward Lookup Zones. Right-click FQDN and select New Host (A or AAAA)….

3.       In the Name box, enter www. In the IP address, enter IP.

 

To find the IP of your machine, go to command prompt and run IPCONFIG command. Note down IPv4 Address. This is the IP of your machine.

After entering the IP, click Add Host button. This will add a new A record.

 

4.       Now, we will create a new web application and site in SharePoint that will use this new URL. Open Central Administration site. Click Application Management. Click Manage web applications.

 

You will see there are two web applications (if it’s a new setup). One is your main site and the other central administration site.

5.       Click New button in the ribbon to create a new web application. A form will open.

 

6.       Enter 80 in the Port. Enter www.walisystems.com (Your A Record that you created above) in the Host Header. Keep all other default values and click OK.

 

7.       Next, create a new site collection. On the Application Management page, click Create Site Collections. From the Web Application drop down, select newly created web application.

 

8.       Enter Title and Description of the site collection.

 

9.       In Web Site Address section, in URL drop down, select / (front slash) for the root site collection. You can only create one top level site collection per web application. For more site collections, you have to create managed paths. There is a link called Define Managed Paths in Web Site Address section (on the same page). Also, if you have already used root site collection, Create Site Collection page will automatically show you /sites/  managed path. If you want to use a managed path then you have to enter a site collection name in the text box after the drop down.

 

10.   In the Template Selection, keep 2013 selected in the experience version drop down. Keep Team Site  selected under Collaboration tab.

 

11.   Enter Primary Site Collection Administrator.

 

12.   Click Ok to create site collection.

 

13.   When new web application is created, a default entry is automatically added in the Alternate Access  Mappings. To see the new entry for your web application, on the Application Management page, click Configure alternate access mappings. You will see new web application listed and the zone will be Default.

 

14.   Now, let’s add another URL for the HR department. Repeat steps 2 and 3 above to add a new host entry but instead of entering www, enter hr. IP will remain same.

 

15.   Now, you can create a new web application and site collection for the HR department just like you did above OR you can use an existing web application. You have already seen how to create new web application and use new URL. Now you will existing web application that you created above and use Alternate Access Mappings to forward new URL to that web application.

 

16.   On the Application Management page, click Configure alternate access mappings link.

 

17.   Click Add Internal URLs.

 

18.   From the Alternate Access Mapping Collection drop down, select the newly created web application.

 

19.   Enter new URL (new host entry for the HR department, for example, http://hr.walisystems.com) in the URL protocol, host and port field.

 

20.   In the Zone drop down select Custom.

 

21.   Click Save.

 

22.   Open new URL (http://hr.walisystems.com) in the browser. Your new site collection will open.

 

 

I hope information in this article was useful for you. Please do leave feedback in the comments below.  Thanks for reading!