SharePoint 2010: Installing Your SSL Certificate
Microsoft SharePoint 2010 does not include a GUI for installing the SSL Certificate. Because SharePoint 2010 is designed to run on Microsoft IIS 7, you can use IIS. If you have not yet created a Certificate Signing Request (CSR) and ordered your certificate, see Microsoft SharePoint 2010: SSL Certificate CSR Creation Instructions.
The SharePoint SSL Certificate installation process consists of three steps:
-
Installing the SSL Certificate
-
If you used IIS 7 to generate your CSR, you need to use IIS 7 to install the SSL Certificate,
-
If you used the DigiCert® Certificate Utility for Windows to generate your CSR, you need to use the DigiCert Certificate Utility to import/install your SSL Certificate.
See SSL Certificate Importing Instructions: DigiCert® Certificate Utility for Windows.
-
-
Assigning or binding the certificate to your SharePoint site
See Using IIS 7 to Assign the Certificate to the SharePoint Website.
-
Installing the root certificate
SharePoint 2010: How To Install Your SSL Certificate
Using IIS 7 to Install the SSL Certificate
After DigiCert validates and issues your SSL Certificate, you can use Microsoft IIS 7 to install your SSL Certificate to the server where you generated the CSR, and then, bind it the SharePoint site.
-
Save your certificate file (your_domain_name.cer) to the server from which the CSR was generated.
-
Open Internet Information Services (IIS) Manager.
On the Windows Start menu, click All Programs > Administrative Tools > Internet Information Services (IIS) Manager.
-
In Internet Information Services (IIS) Manager, under Connections, click your server’s Hostname.
-
In the center menu, in the IIS section, double-click the Server Certificates icon.
-
In the Actions menu, click Complete Certificate Request to open the Complete Request Certificate wizard.
-
On the Specify Certificate Authority Response page, under File name containing the certification authority’s response, click … to browse to the .cer certificate file that DigiCert sent you, select the file, and then, click Open.
-
Next, in the Friendly name box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.
We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-DigiCert-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
-
To install the certificate to the server, click OK.
Known Issue in IIS 7:
A known issue exists in IIS 7 where the following error message is displayed: "Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created." You may also receive a message stating: "ASN1 bad tag value met".
Solution:
If this is the server where you generated the CSR, in most cases, the certificate is actually installed. Simply cancel the dialog window and press F5 to refresh the list of server certificates. The new certificate should now be in the list; continue with the next step.
If the new certificate is not in the list, you need to reissue your certificate as follows:
-
Create a new CSR.
See Microsoft SharePoint 2010: SSL Certificate CSR Creation Instructions. -
After creating a new CSR, login to the DigiCert® Management Console (your account). Then, next to your certificate, click Re-Key Your Certificate.
-
-
Once you have installed the SSL Certificate successfully to the server, you still need use IIS to assign or bind that certificate to the SharePoint site.
Using IIS 7 to Assign the Certificate to the SharePoint Website
-
In Internet Information Services (IIS) Manager, under Connections, expand your server’s name, expand Sites, and then select the SharePoint site.
-
In the Actions menu, under Edit Site, click Bindings.
-
In the Site Binding window, click Add.
-
In the Add Site Bindings window, enter the following information:
Type: In the drop-down list, select https. IP address: In the drop-down list, select All unassigned. If your server has multiple IP addresses, select the one that applies. Port: Enter 443, unless you are using a non-standard port for SSL traffic. SSL certificate: In the drop-down list, select the friendly name of the certificate that you just installed. -
When you are finished, click OK.
-
Now you need to install the root certificate on your SharePoint server.
Using SharePoint 2010 to Install the Root Certificate
-
Log into the DigiCert® Management Console (your account).
-
In the DigiCert® Management Console, under Order, click the order number for the SSL Certificate that you just installed.
-
On the My Orders tab, click Download.
-
In the Download Certificate section, click the Download or Copy/Paste Individual Certificates link.
-
Next, click the ROOT CERTIFICATE icon.
-
In the Opening TrustedRoot.crt window, click Save File to save the file to your SharePoint server.
-
Next, open SharePoint 2010 Central Administration.
On the Windows Start menu, click All Programs > Microsoft SharePoint 2010 Products > SharePoint 2010 Central Administration.
-
In SharePoint 2010 Central Administration, in the menu on the left, click Security and then, under General Security, click Manage trust.
-
On the Trust Relationships page, in the menu at the top of the page, click New.
-
In the Establish Trust Relationship window, in the General Setting section, in the Name box, type the name that you want to give the SSL Certificate.
-
In the Root Certificate for the trust relationship section, click Choose File to browse for and select the root certificate (i.e. TrustedRoot.crt).
-
In the Establish Trust Relationship window, click OK.
-
If the certificate is installed successfully, it should be listed on the Trust Relationships page.
Test Your Installation
If your web site is publicly accessible, our DigiCert® SSL Installation Diagnostics Tool can help you diagnose common problems.
If you run into certificate errors, try repairing your certificate trust errors using DigiCert® Certificate Utility for Windows. If this does not fix the errors contact support.
Troubleshooting:
Error Message: “The Root Certificate that was just selected is invalid”
If you receive this error message, do the following:
-
Copy the TrustedRoot.crt to the root of your drive (i.e. C:\).
-
Open SharePoint 2010 Management Shell.
On the Windows Start menu, click All Programs > Microsoft SharePoint 2010 Products > SharePoint 2010 Management Shell.
-
In the SharePoint 2010 Management Shell command prompt, edit the following command and provide a friendly name and the full path to the certificate file:
New-SPTrustedRootAuthority -Name "FriendlyName" -Certificate C:\<path to certificate>
For example:
New-SPTrustedRootAuthority -Name "DigicertTrustedRoot" -Certificate C:\TrustedRoot.crt
Note: The friendly name is the same name that you used to establish a trust relationship to the root certificate.
-
If the command runs successfully, the root certificate should be listed on the Trust Relationships page.
-
If the command fails:
-
Check to make sure that everything in the command is spelled correctly and has the correct formatting.
-
Check to make sure that your root certificate is located in the path specified in the command.
-
Check to make sure that the path specified in the command is the path location where the root certificate is actually located.
-
Check to make sure that the friendly name matches the trust relationship name of the root certificate.
-