Renewing SharePoint Certificates On Premises

If you have an internet-facing SharePoint site hosted on premises that uses HTTPS and its certificate is due to expire, follow the steps below to renew the certificate on the SharePoint farm.

  1. Create a CSR file. For more details, see “Step 1: Create a CSR File”.
  2. Send the CSR file to the client (end user) and have them place a purchase order with their certificate vendor to renew the certificate using that CSR. For more details, see “Step 2: Ordering SSL Certificate”.
  3. Install the SSL certificate on the server that generated the CSR (Step 3).
  4. Bind the SSL certificate to the site in IIS (Step 4).

 

Step 1: Create a CSR (Certificate Signing Request) File on Windows Server 2008

  1. From the Windows Start menu, find Internet Information Services (IIS) Manager and open it (click Administrative Tools > Internet Information Services (IIS) Manager).
  2. In the Connections pane, locate and click the server.
  3. In the server Home page (center pane), under the IIS section, double-click Server Certificates.

[Screenshot: IIS 7 Server Certificates]

4. In the Actions menu (right pane), click Create Certificate Request.

[Screenshot: IIS 7 Create Certificate Request]

5. In the Request Certificate wizard, on the Distinguished Name Properties page, provide the information specified below and then click Next.

Common name: The fully-qualified domain name (FQDN) of the site (e.g., www.example.com).
Organization: Your company’s legally registered name (e.g., YourCompany, Inc.).
Organizational unit: The name of your department within the organization. This entry will usually be listed as “IT”, “Web Security”, or is simply left blank.
City/locality: The city where your company is legally located.
State/province: The state/province where your company is legally located.
Country/region: The country/region where your company is legally located. Use the drop-down list to select your country.

[Screenshot: IIS 7 Distinguished Name Properties]

6. On the Cryptographic Service Provider Properties page, provide the information specified below and then click Next.

Cryptographic service provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider (unless you have a specific cryptographic provider).
Bit length: In the drop-down list, select 2048 (unless you have a specific reason for using a larger bit length).

[Screenshot: IIS 7 Cryptographic Service Provider Properties]

7. On the File Name page, under Specify a file name for the certificate request, click the … button to choose a save location for your CSR.

Note: Remember the filename and save location of your CSR file. If you enter a filename without specifying a location, the CSR is saved to C:\Windows\System32.

[Screenshot: IIS 7 CSR Pending Request Filename]

8. When you are done, click Finish.
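The same CSR can be produced from the command line with certreq.exe, which is useful when the request has to be scripted or repeated on several front-end servers. This is an added example, not part of the original post; it mirrors the wizard's Distinguished Name and Cryptographic Service Provider pages in an INF file. The host name, organization details, output folder and friendly name are placeholders.

```powershell
# Added example (not from the original post): build the step 1 CSR with certreq.exe.
# The [NewRequest] values correspond to the IIS Manager wizard pages: Subject holds the
# Distinguished Name fields, ProviderName/KeyLength the Cryptographic Service Provider page.
# All names and paths below are assumed placeholders; adjust them for your site.

$fqdn    = "www.example.com"          # Common name: the site FQDN only, no http:// or path
$outDir  = "C:\CertRenewal"           # assumed working folder (avoids the System32 default)
$infPath = Join-Path $outDir "$fqdn.inf"
$csrPath = Join-Path $outDir "$fqdn.csr"

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Subject = CN, O, OU, L (city), S (state/province), C (country), same order as the wizard.
# Exportable = FALSE keeps the private key non-exportable on this server; set it to TRUE only
# if the renewed certificate must later be exported as a PFX to other farm servers.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn, O=YourCompany Inc., OU=IT, L=City, S=State, C=US"
KeyLength = 2048
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
FriendlyName = "$fqdn-pending-renewal"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# certreq generates the key pair in the machine store and writes the PEM-encoded CSR.
# Only the CSR text is sent to the vendor; the private key never leaves this server,
# which is why step 3 must be completed on the same machine.
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check the request before sending it: subject and key size should match the INF.
& certutil.exe -dump $csrPath

# This is the text (including the BEGIN/END lines) to paste into the vendor's order form.
Get-Content $csrPath
```

Run this in an elevated PowerShell session on the server that will host the site. The pending request is visible afterwards under Server Certificates in IIS Manager just as if the wizard had created it, so Step 3 can be completed either with the wizard or with certreq -accept.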

 

Step 2: Ordering SSL Certificate

  1. Open the CSR file in a text editor (such as Notepad), copy the entire text (including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines), and paste it into the vendor's online order form (e.g., DigiCert) for submission.

2. After the end user has received the SSL certificate from the vendor, they send the downloaded file (or the email link) to the SharePoint administrator, who completes steps 3 and 4.

 

Step 3: Install SSL Certificate

  1. On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer) that you received from DigiCert.
  2. Open Internet Information Services (IIS) Manager (click Start > Administrative Tools > Internet Information Services (IIS) Manager).
  3. In the Connections pane, locate and click the server.
  4. In the server Home page (center pane) under the IIS section, double-click Server Certificates.

[Screenshot: IIS 7 Server Certificates]

5. In the Actions menu (right pane), click Complete Certificate Request.

[Screenshot: IIS 7 Complete Certificate Request]

6. In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, provide the following information:

File name containing the certificate authority’s response: Click the … button to locate the .cer file you received from DigiCert (e.g., your_domain_com.cer).
Friendly name: Type a friendly name for the certificate. This is not part of the certificate; it is only used to identify the certificate in IIS.

Note: We recommend that you add the issuing CA (e.g., DigiCert) and the expiration date to the end of your friendly name; for example, yoursite-digicert-(expiration date). Doing this helps identify the issuer and expiration date for each certificate and also helps distinguish multiple certificates with the same domain name.

[Screenshot: IIS 7 Complete Certificate Request]

7. Click OK to install the certificate.

Note: There is a known issue in IIS 7 where the following message is displayed: “Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created.” You may also receive a message stating: “ASN1 bad tag value met.”

If this is the server where you generated the CSR, it is possible that the certificate is actually installed and the message can be ignored. Click OK, then close and reopen Internet Information Services (IIS) Manager to refresh the list of server certificates. The new certificate should appear in the Server Certificates list, and you can continue with the next step.

If the new certificate does not appear in the Server Certificates list, you need to do one of the following:

  • Reissue your certificate (see Reissuing a DigiCert SSL Certificate).

8. Now that the SSL certificate is installed, configure your site to use it as described in “Step 4: Bind the SSL certificate to the web site in IIS Manager”.

 

Step 4: Bind the SSL certificate to the web site in IIS Manager

  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
  2. Browse to your server name > Sites > your SSL-based site.
  3. In the Actions pane, click Bindings.


4. In the Site Bindings window, if there is no existing https binding, click Add and change Type from http to https.

NOTE: If there is already an https binding, select it and click Edit.


5. From the SSL certificate drop-down, select the friendly name of the SSL certificate that will be used for this site. The binding should read:


  • IP address: All Unassigned
  • SSL certificate: xxx.xxx (click View and verify that the selected certificate’s expiry date is in the future)
  • Port: 443
  • Type: https

6. Click OK.
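Steps 3 and 4 can also be completed and verified from PowerShell, which makes the "is the right certificate actually bound, and does it expire in the future" check explicit rather than relying on the View button. This is an added example, not code from the original post. It assumes the CSR was generated on this same server (so the private key is in the machine store), that the vendor's .cer file has been copied to C:\CertRenewal, and that the IIS site is named "SharePoint - 443"; those names and paths are placeholders. The WebAdministration cmdlets ship with IIS 7.5 and later; on IIS 7.0 (Windows Server 2008) load the equivalent snap-in with Add-PSSnapin WebAdministration instead of Import-Module.

```powershell
# Added example (not from the original post): complete the CA response (step 3), bind it on
# port 443 (step 4) and verify the result. Site name, paths and host name are placeholders.

$siteName = "SharePoint - 443"                         # assumed IIS site name
$cerPath  = "C:\CertRenewal\your_domain_com.cer"       # CA response received from the vendor
$fqdn     = "www.example.com"                          # must match the CSR common name

# Step 3: pair the CA response with the pending request and its private key.
# This is the command-line form of "Complete Certificate Request" and must run on the
# server that created the CSR, exactly as the IIS error message in the note says.
& certreq.exe -accept -machine $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Pick the certificate for this host with the latest expiry that actually has a private key.
# A certificate without its private key will appear in the store but cannot serve TLS.
$newCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $newCert) { throw "No certificate with a private key found for $fqdn" }
if ($newCert.NotAfter -lt (Get-Date)) { throw "Selected certificate has already expired" }

"Using $($newCert.Thumbprint), expires $($newCert.NotAfter)"

# Step 4: create the https binding if missing (IP "*" is "All Unassigned" in IIS Manager),
# otherwise reuse the existing one, which corresponds to the Edit path in the note above.
Import-Module WebAdministration
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress "*"
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
}
# Attach the renewed certificate from the LocalMachine\My ("my") store; this replaces
# whichever certificate was bound before.
$binding.AddSslCertificate($newCert.Thumbprint, "my")

# Verify: the HTTP.SYS binding on 0.0.0.0:443 must now carry the new thumbprint.
$sslInfo = & netsh.exe http show sslcert ipport=0.0.0.0:443
if (($sslInfo -join "`n") -notmatch $newCert.Thumbprint) {
    throw "Binding on 0.0.0.0:443 does not carry the renewed certificate"
}
$daysLeft = [int]($newCert.NotAfter - (Get-Date)).TotalDays
"Bound certificate verified; it expires in $daysLeft days"
```

Run this in an elevated session. On a farm with several web front ends, the private key only exists on the server that generated the CSR, so the other servers need the certificate imported (which requires it to have been created as exportable) before the same binding step is repeated there.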
