Tuesday, March 27, 2012

Configuring SSL Certificates in SharePoint 2010 - Step by Step


SSL certificates provide secure (encrypted and server-authenticated) connectivity between client and server. Setting up HTTPS for SharePoint 2010 sites is a worthwhile security addition. Generally it is best practice to secure SharePoint Central Administration and any externally facing web applications with SSL (HTTPS access).

This article covers how to configure SSL certificates in SharePoint 2010 for HTTPS access. There are different types of SSL certificates available (summarised at the end of the post); pick whichever applies to your environment.

Steps overview

  1. Get the SSL Certificate
    1. Obtain from Trusted Certificate authority or
    2. Create a Self-signed SSL certificate
  2. Edit the Binding of the web application in IIS
  3. Change the alternate access mapping(AAM)
Important: certificates must be imported and bindings updated on all the WFEs in the environment.


1. Get the SSL Certificate

To start with SSL certificates either we have to obtain the certificates from any trusted certificate provider like
    Or we need to create our own certificate, known as “Self Signed Certificate”.

    1(a). Obtain The Certificate from Trusted Certificate Authority

    If you already have the certificate as a .PFX file (certificate plus private key), just import the .pfx file under "Server Certificates" in IIS and skip the following steps.
    Otherwise, there are two steps involved in provisioning a certificate from a trusted certificate authority:
    1.  Create Certificate Signing Request
    2.  Complete the CSR by Installing the Certificate in IIS

    Create Certificate Signing Request
    (For Windows 2003 follow steps at: http://www.serverintellect.com/support/windowsserver2003/create-certificate-request.aspx)
    The first step to obtain a certificate from a trusted certificate authority is to create a certificate signing request (CSR). Follow these steps to create the SSL certificate request:
    1. Click on the Start menu >> Administrative Tools >> Internet Information Services (IIS) Manager.
    2. Click on the server name in the Connections column on the left. Double-click on Server Certificates.
    [Screenshot: IIS Manager, Server Certificates feature]

    3. In the Actions column on the right, click on the Create Certificate Request... link.
    [Screenshot: IIS Server Certificates console]

    4. Enter all of the information about your company and the domain you are securing, then click Next. The Common name must be the host name users will type in the browser (the web application's host header), otherwise browsers will report a name mismatch.
    [Screenshot: Request Certificate, Distinguished Name Properties]

    5. Select the cryptographic provider and bit length (choose at least 2048 bits).
    [Screenshot: Certificate request, cryptographic service provider and bit length]

    6. Give a name for the CSR file and click on Finish.
    [Screenshot: Specify file name for the certificate request]
    To validate the CSR, use the online tool at: http://www.sslshopper.com/csr-decoder.html (a CSR contains only the public key and subject details; the private key stays in the server's certificate store, so pasting the CSR into such a tool does not expose it).

    Complete the CSR by Installing the Certificate in IIS
    Once we have generated a CSR, we send it to a certificate authority, pay, and receive the SSL certificate file. The next step is completing the request by installing that certificate on the server that generated the CSR (the private key only exists there).

    1. Click on the Start menu >> Administrative Tools >> Internet Information Services (IIS) Manager.

    2. Click on the server name in the Connections column on the left. Double-click on Server Certificates.

    3. Click on “Complete Certificate Request...” under the Actions pane on the right.

    [Screenshot: Complete Certificate Request action]

    4. Browse to the location of the .cer file (the one you received from the certificate authority), give it a friendly name and click OK.
    [Screenshot: Complete Certificate Request, specify certificate file]

    5. You should see your certificate appear in the list of server certificates once this completes successfully!
    [Screenshot: Server Certificates list showing the new certificate]
    Done! We have installed the SSL certificate in IIS.
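The same request can be produced from the command line with certreq, which makes the subject, key size and Subject Alternative Name explicit and repeatable across WFEs. This is an added example, not the post's own procedure; the host name, organisation fields and file paths are placeholders to replace with your own.

```powershell
# Added example (not from the original post): build the CSR with certreq instead of
# the IIS wizard. Replace the host name and the O/L/S/C fields with your own values.
$HostName   = 'portal.contoso.com'            # assumed host header of the web application
$RequestInf = "$env:TEMP\$HostName.inf"       # request definition (input)
$RequestCsr = "$env:TEMP\$HostName.csr"       # PEM-encoded CSR to send to the CA (output)

@"
[NewRequest]
Subject = "CN=$HostName, O=Contoso Ltd, L=City, S=State, C=US"
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyUsage = 0xa0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$HostName&"
"@ | Set-Content -Path $RequestInf -Encoding ASCII

# Generate the key pair in the machine store (the private key never leaves the server)
# and write the CSR that goes to the certificate authority.
certreq -new $RequestInf $RequestCsr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check subject, key length and SAN locally before submitting it (an offline equivalent
# of the CSR decoder linked in the post).
certutil -dump $RequestCsr | Select-String 'CN=|Public Key Length|DNS Name='

# When the CA returns the signed certificate (.cer), accept it on the same server so it is
# joined to the pending private key; it then shows up under IIS > Server Certificates.
# certreq -accept "$env:USERPROFILE\Downloads\$HostName.cer"
```

KeyUsage 0xa0 is digital signature plus key encipherment, and the EKU OID 1.3.6.1.5.5.7.3.1 is Server Authentication, which is what a TLS server certificate needs; the [Extensions] block adds the host name as a SAN because browsers match the SAN rather than the CN.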

    1(b). Creating Self-signed SSL certificate:

    On development/intranet servers we can use self-signed certificates. By default, a self-signed SSL certificate created by IIS expires after 1 year. You can instead pass custom parameters to SelfSSL.exe (see below) to generate a self-signed certificate with a different validity, key size or common name.

    Steps to Create Self-Signed Certificate:
    1. Log on to your Web Front End server.

    2. Click on the Start menu >> Administrative Tools, and then click on Internet Information Services (IIS) Manager.
    3. Click on the server in the Connections column on the left. Double-click on Server Certificates.
    4. In the Actions column on the right, click on Create Self-Signed Certificate...

    [Screenshot: Create Self-Signed Certificate action in IIS]

    5. Enter any friendly name (e.g. “Intranet Certificate”) and then click OK.
    [Screenshot: Create Self-Signed Certificate, friendly name]

    6. This creates a new self-signed certificate, valid for 1 year, listed under Server Certificates. The certificate common name (Issued To) will be the server name.
    [Screenshot: Server Certificates list showing the self-signed certificate]

    2. Edit the Binding of the web application in IIS

    1. The next step is to assign the SSL certificate to the SharePoint site in IIS. In the IIS Manager console, expand the Server and Sites nodes and click the website you want to assign the certificate to. Click on Bindings... in the right column.
    [Screenshot: Edit Bindings action for the SharePoint site]

    2. Click on the Add... button in the Site Bindings dialog box.
    [Screenshot: Add Site Binding dialog]

    3. Change the Type to https and select the SSL certificate you just created or imported. Click OK. You can also replace the SSL certificate for your SharePoint site later by choosing a different one from this drop-down.
    [Screenshot: Site binding with https type and SSL certificate selected]

    4. Now you will see the binding for port 443 listed. Optionally, you can remove the HTTP binding to tighten security (users who type http:// then get no response rather than a redirect). Click Close.
    [Screenshot: Site Bindings showing the https binding on port 443]

    We can force the website to use only HTTPS by opening SSL Settings for the website and ticking “Require SSL”.
    [Screenshot: SSL Settings with Require SSL checked]

    Fixing the Common Name in self-signed SSL

    Once we open the site with the self-signed certificate, the browser displays an error: “The security certificate presented by this website was issued for a different website's address”. This is caused by a common-name mismatch.

    The Self-Signed Certificate wizard uses the server name as the common name when it creates the certificate. So when the site is reached through a host name other than the server name, the names do not match. In a development environment this isn't a real problem: the connection is still encrypted, and we can just ignore the error and click "Continue to this web site" each time.
    [Screenshot: Certificate Error: There is a problem with this website's security certificate. Navigation Blocked]

    To completely get rid of the error message
    The warning is displayed because the common name on the self-signed certificate doesn't match the website's host name. To resolve it, we need to create the self-signed certificate with SelfSSL.exe, which comes with the IIS 6.0 Resource Kit Tools, instead of through the IIS Manager wizard, so that we can set the common name ourselves.

    1. Download and install the Internet Information Services (IIS) 6.0 Resource Kit Tools from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17275

    2. Once installed, open a command prompt and navigate to "C:\Program Files (x86)\IIS Resources\SelfSSL\":
    cd "C:\Program Files (x86)\IIS Resources\SelfSSL\"

    3. Execute the command line:
    SelfSSL /T /N:CN=migration.crescent.com /V:365 /k:2048

    /T – adds the self-signed certificate to the Trusted Root Certification Authorities store of the current user on this machine, so the local browser trusts it. If you don't use /T, you have to copy the certificate from the Personal store to the Trusted Root Certification Authorities store yourself in the Certificates MMC; other client machines need the same import before they will trust the certificate.
    /N – common name; it must be the same as our custom host header, otherwise you will see the error again!
    /V – validity in days.
    /K – key size in bits; the default is 1024, so specify 2048 as above.
    [Screenshot: SelfSSL command creating the self-signed certificate]

     4. Now assign the new certificate to the web application (follow the steps under: Edit the Binding of the web application in IIS).


    3. Configuring Alternate Access Mapping for SSL

    So, we have configured IIS to accept SSL connections, but we still need to tell SharePoint that the web application's URL is now HTTPS so that it generates links correctly. As the final step, let's configure the alternate access mapping by changing the public URL from HTTP to HTTPS.

    1. Navigate to Central Administration >> Application Management >> Configure alternate access mappings.
    [Screenshot: Configure alternate access mappings]

    2. Click on “Edit Public URLs”.
    [Screenshot: Edit Public URLs]

    3. Select the desired web application.
    [Screenshot: Alternate access mapping collection selection]

    4. Change http to https in the public URL for the zone and click Save. SharePoint then generates links for that zone with the HTTPS URL.
    [Screenshot: Edit Public Zone URLs with the https URL]
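Sections 2 and 3 above (the IIS binding, certificate association, Require SSL and the AAM change) can be scripted so that every WFE ends up identical. The following is an added example written for this post, not code from the original article or from Microsoft; the site name and host header are assumptions, and the SharePoint snap-in commands must run as a farm administrator on a farm server.

```powershell
# Added example (not from the original post): script the binding and AAM steps.
# Assumed names: the IIS site of the web application and its host header.
$SiteName = 'SharePoint - 80'              # assumed IIS site name of the web application
$HostName = 'migration.crescent.com'       # host header used in the post's SelfSSL command

Import-Module WebAdministration

# 1. Locate the certificate in the machine's Personal store by its subject CN and make
#    sure it is usable before touching IIS.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$HostName and a private key in Cert:\LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) has expired" }

# 2. Add the https binding on port 443 for the host header (idempotent).
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
}

# 3. Associate the certificate with the SSL endpoint. Before SNI (IIS 8) there is one
#    certificate per IP:port, so several HTTPS web apps on one WFE need a wildcard/SAN
#    certificate or separate IP addresses.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# 4. Require SSL on the site (equivalent of SSL Settings > Require SSL).
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 5. Optionally drop the plain HTTP binding (step 4 under "Edit the Binding").
# Remove-WebBinding -Name $SiteName -Protocol http -Port 80

# 6. Switch the public URL of the zone to HTTPS. This is a farm-wide setting, so run it
#    once, not on every WFE.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}
Set-SPAlternateURL -Identity "http://$HostName" -Url "https://$HostName" -Confirm:$false
Get-SPAlternateURL | Where-Object { $_.IncomingUrl -like "*$HostName*" }
```

Steps 1 to 5 are per-server and belong on every WFE; step 6 lives in the configuration database and applies to the whole farm, which is why the post warns about importing certificates and updating bindings on all WFEs but describes the AAM change only once.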

    Other considerations:

    SSL Offloading:
    It's a good idea to offload SSL at the firewall or publishing/load-balancing servers (like F5) so that you reduce the encryption burden on the Web Front Ends. With offloading, the load balancer talks plain HTTP to the WFEs, so the alternate access mapping for that zone needs an internal URL of http://... mapped to the public https://... URL.

    If you are SSL-enabling Central Administration, don't forget to change the Central Administration port:
    stsadm -o setadminport -port 443 -ssl

    Intermediate Certificates
    Some SSL providers issue server certificates that chain through an intermediate certificate, so you will need to install that intermediate certificate on the server as well; otherwise users receive a "certificate not trusted" error. Double-click the intermediate certificate and choose Install; it belongs in the Intermediate Certification Authorities store of the local computer.

    Unit Test

    Alright, we are done configuring HTTPS in SharePoint 2010. Browse to the site by typing the HTTPS URL in the browser and make sure it doesn't give any certificate errors.

    Here is the output: the SharePoint 2010 site served over https! That's all! We've successfully configured an SSL certificate for the SharePoint 2010 site.
    [Screenshot: SharePoint 2010 site loaded over https without certificate warnings]
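Browsing to the site tells you whether the machine you are sitting at trusts the certificate, which is not the same as whether every client will. The check below is an added example, not part of the original post: it performs a TLS handshake itself and reports the served certificate, its expiry and the validation result (name mismatch, untrusted chain), so it can be run from a client machine or a monitoring box against each public URL. The host name is the one used in the post's SelfSSL command and is the only assumption.

```powershell
# Added example (not from the original post): report what certificate an HTTPS endpoint
# serves and whether it validates, without clicking through browser warnings.
function Test-SslEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    # Capture the policy result instead of letting the handshake throw, so name mismatch
    # and chain errors (the two problems described in the post) are reported explicitly.
    $state = @{ PolicyErrors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        return $true
    }.GetNewClosure())

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # SNI/host name check uses this value
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        # Subject Alternative Name extension (OID 2.5.29.17): the names browsers match.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { $_.Format($false) }

        New-Object PSObject -Property @{
            Host           = $HostName
            Subject        = $cert.Subject
            SubjectAltName = $san
            Issuer         = $cert.Issuer
            SelfSigned     = ($cert.Subject -eq $cert.Issuer)
            NotAfter       = $cert.NotAfter
            DaysRemaining  = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Protocol       = $ssl.SslProtocol
            PolicyErrors   = $state.PolicyErrors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors
        }
    }
    finally {
        $client.Close()
    }
}

# Run after the AAM change; anything other than PolicyErrors = None, or a small
# DaysRemaining, needs attention before users see the site.
Test-SslEndpoint -HostName 'migration.crescent.com' | Format-List
```

RemoteCertificateNameMismatch corresponds to the "issued for a different website's address" warning, and RemoteCertificateChainErrors to the missing intermediate or untrusted self-signed cases discussed above; a SelfSigned value of True on an internet-facing site means the certificate from the CA was never bound.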

    Tail: Different Types of SSL Certificates:

    Domain Validated Certificates:
    Only control of the domain is validated, typically by e-mail to an address at the domain or one listed in its WHOIS record. It's simple, fast and cheap.

    Extended Validation Certificates
    This is the highest level of authentication available with an SSL certificate, and they are more expensive than other types. Web browsers display the organisation's name in a green address bar together with the name of the certificate authority that issued it.

    Wildcard Certificates
    Wildcard certificates can be used to secure any number of subdomains of a single domain name. For example, a certificate for *.mydomain.com will work on my.mydomain.com, www.mydomain.com, intranet.mydomain.com, etc. The wildcard matches a single label only, so it does not cover deeper names such as a.b.mydomain.com, nor the bare mydomain.com unless that name is also listed on the certificate.

    SAN Certificates
    Subject Alternative Name (SAN) certificates let you protect multiple host names with a single SSL certificate: you specify the list of host names the certificate covers.

    Code Signing Certificates
    These protect software code and content for software publishers and the users who download it. They let you sign an application or executable so that users know the identity of the organisation that made it.

    Self-Signed Certificates
    Can be created by ourselves; users receive a warning if the certificate is not trusted (or has expired!).


    1. Excellent Post!

      Clear, complete. The best I have found so far.

      Thanks for spending the time and sharing.


    2. I Love the step by step approach and the detailed screenshots. Great job!

    3. Can u please give us how to configure authentication based on client certificates ???

      1. This may help you: http://blogs.msdn.com/b/zwsong/archive/2010/02/16/how-to-configure-client-certificate-for-sharepoint-authentication.aspx

    4. A comprehensive SSL certificate installation with a step by step process. Being a Platinum Certificate Authority, we would like to recommend your blog for SSL Installation Education from our end. If you wish you can reply to us with this comment, so we will publish your blog soon on SSL education. We are sure that your post will help users with their installation process.

      1. Sure EV SSL! As long as you give credit and link to my post, I'm pretty OK!
        Salaudeen Rajack

    5. the /T is giving an error: /T is not recognized as an internal or external command, operable program or batch file. I am in the directory you stated. I can run selfssl.exe and the program asks if I want to replace the ssl settings for site 1 (y/n) why isn't the /T recognized?

    6. This is great information, thank you very much!

      Can you share any additional information related to SSL Offloading to F5 or other Load Balancers. Is this a MS recommended approach for SP2013 & what are the complications, if any? Are there any cost reductions as far as # of certificates or any other saves? Any additional information will be highly appreciated.

      1. 1. SSL Offloading simply reduces the Web Server's load of Encrypting/Decrypting Traffic. My pick is: F5 Big IP!
        2. If you are looking for cost reductions - Go for Wildcard certificates! For intranet sites, Have your own Certificate Authority in your domain.

    7. Can we use same wild card ssl certificate for registering STS providers for different sharepoint web apps?
      We are getting Microsoft.SharePoint Exception Message: The trusted provider certificate already exists when we try to register second STS for second web app using same wild card certificate

    8. Hi there! glad to drop by your page and found these very interesting and informative stuff. Thanks for sharing, keep it up!

    9. Hello,

      Could you please clarify me on below point.

      1. If you have SSL enabling Central Admin: don’t forget to Change Central Administration Port.

      Also do i need to perform the same step for Central Admin? Please suggest.


      1. If you want to SSL Enable your Central Admin, You'll be changing its port. Follow How to Change Central Administration Port in SharePoint to change Central admin port!

      2. Thanks for your response.

        Could you please suggest me the best option to implement the SSL certification in SharePoint.

        1. Edit the Public URL as mentioned in your post.


        2. Extend the web application.

        In a few of the blogs it's suggested to extend the web application instead of editing the public URL. When the Microsoft SharePoint Foundation Web Application service is restarted, all the changes which have been done manually will be lost, and also there are chances that custom solutions can break.

        Also I have around 20 web applications, and while creating the CSR file I have chosen *xxxx.com. Is this correct?

        Thanks in Advance.

