Install SSL trusted root Intermediate certificate

SharePoint servers require an SSL certificate, together with the trusted root and intermediate certificates, provided by a Certification Authority. SSL is a security protocol that establishes a secure, encrypted connection between server and client, typically between a server and the client browser, so it is mandatory to install an SSL certificate on the servers. Normally we create a .pem file for the SSL certificate. PEM, with the full form “Privacy-enhanced Electronic Mail”, is a file format that acts as a certificate container file. It stores cryptographic data such as keys and digital certificates. Follow the steps below to install the SSL certificate and the trusted root and intermediate certificates on SharePoint web servers.

  1. Generate CSR file
  2. Create .pem file for SSL certificate
  3. Install Certificate on Web Server from which CSR file is created
  4. Install Certificate on Web Server from which CSR file is not created
    • Export certificate from server where CSR files is created and installed
    • Install PFX file certificate
  5. Install Internal Certificates
    • Install Global Root CA
    • Install Intermediate Certificates RapidSSL RSA CA

Generate CSR file

Before requesting the certificate, first generate a CSR (Certificate Signing Request) file for the SSL certificate on the web server. Follow the step-by-step procedure below to generate the CSR file.

  • Log in to one of the WFE servers.
  • Open IIS Manager.
  • Click on the server name present under Connections from left navigation.
  • Click on “Server Certificates” present in “Center Pane” under IIS in “Feature view“.
  • Double click on “Server Certificates“.
  • Click on “Create Certificate Request” from right pane.
  • You will get a dialogue box “Request Certificate” wizard to fill “Distinguished Name Properties” like Common name, Organization, Organizational Unit, City/locality, State, Country/Region.
Common name: fully qualified domain name (FQDN)
Organization: company registered legal name
Organizational unit: department name in the organization, like “IT”, “Web Security” etc.
City/locality: legal location of the company
State/province
Country/region

For example:
Common name: SharePoint2019.spmcse.com
Organization: SPMCSE
Organizational unit: IT
City:
State:
Country/region: US
  • Click on “Next” once all details are filled in.
  • You will get next window “Cryptographic Service Provider Properties“.
  • Select the option “Microsoft RSA SChannel Cryptographic Provider” from drop down option “Cryptographic service provider“.
  • Select “Bit length” as “2048” from drop down and click on “Next“.
Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
Bit length: 2048
  • Next window “File Name” will appear.
  • Under “Specify a file name for the certificate request”, choose the location where the CSR file will be saved, e.g. “C:\certs\CsrFile.txt”. The default save location is “C:\Windows\System32”.
  • Click on “Finish” once the save location of the CSR file is selected.
  • The CSR file for the SSL certificate is now created.
  • Open the CSR file with Notepad. The content starts with “BEGIN NEW CERTIFICATE REQUEST” and ends with “END NEW CERTIFICATE REQUEST”. This is the format of the CSR file created.

Create .pem file for SSL certificate

The next step is to request a trusted SSL certificate from a third-party digital certificate authority provider. We will create a .pem file for the SSL certificate.

  • Log in to any third-party certificate authority site that provides digital certificates. One such third-party certificate authority provider is “https://www.venafi.com”.
  • Under “Policy” from left navigation, expand “Certificate Under Management“.
  • Expand “External Facing Certificate“.
  • Expand “Enrollment Management Type“. You will find your server folder (Ex. SPMCSE) under that. Right click on “SPMCSE“.
  • Navigate to Add -> Certificate -> Certificate.
  • Fill details like “Certificate Name” and “Description” under the tab “General Information“.
  • Under the tab “CSR Handling”, select the “CSR Generation” option as “User Provided CSR”. Below that there is an option “Upload CSR”. Click on “Upload CSR”.
  • Click on “Browse”, select the CSR file generated and saved in the previous steps and click on “Upload”. Click on “OK”.
  • From next window under the tab “Subject Alt Name“, click on “Add/Remove“.
  • Select “SAN Type” as “DNS“.
  • Enter the extra URLs in “SAN Value” (SharePoint2019.spmcse.com, MySite.spmcse.com).
  • Click on “Add”. The URLs under “SAN Value” will be moved to “SAN”. Click on “Done”.
  • From next tab “Symantec MPKI Owner“, Enter manager information like “First Name“, “Last Name“, “Email“.
  • Click on “Save“.
  • From top navigation click on “Settings” and then click on “Renew Now“. Click on “Yes“.
  • Once the security team approves the request, the certificate is created and ready to be downloaded.
  • Log in to the CA provider. From “Settings” present at the top navigation, click on “Download“, choose certificate.
  • From pop up window “Download Certificate“, select the checkbox “Include Root Chain“.
  • Select “Chain Order” as “End-entity first“. “Format” as “Base64 (PKCS#8)“. Click on “Download“.

Install Certificate on Web Server from which CSR file is created

Now we need to install the certificate on the web servers. These include the server on which the CSR file was generated and the other servers on which it was not. First we will look at how to install the certificate on the server on which the CSR file was generated.

  • Log in to one of the WFE servers.
  • Open IIS Manager.
  • Click on the server name present under Connections from left navigation.
  • Click on “Server Certificates” present in “Center Pane” under IIS in “Feature view“.
  • Double click on “Server Certificates“.
  • Click on “Complete Certificate Request” from right pane.
  • You will get a dialogue box “Complete Certificate Request” wizard. Browse and select the certificate (.pem file) from the field “File name containing the certificate authority’s response“.
  • Populate next field “Friendly name” as “SharePoint2019.spmcse.com“.
  • From next field “Select a certificate store for the new certificate“, choose “Personal” from drop down. Click “OK“.
  • Now you can see the certificate under “Server Certificates” in “Features View”. This indicates that the certificate is successfully installed.

Install Certificate on Web Server from which CSR file is not created

Installing the certificate on servers on which the CSR file was not generated is a two-step process:

  1. Export certificate from server where CSR files is created and installed.
  2. Install PFX file certificate.

Export certificate from server where CSR files is created and installed

  • Open the server on which the trusted SSL certificate from the certificate authority was installed.
  • Press the keyboard shortcut “WINKEY+R” to open the “Run” window.
  • Type “mmc” and press “Enter“.
  • Navigate to “Console Root -> Certificates (Local Computer) -> Personal -> Certificates“.
  • You will find the installed certificate (SharePoint2019.spmcse.com) under it.
  • Select the certificate, right click on it.
  • Click on “All Tasks” and then select “Export“.
  • You will get the window “Certificate Export Wizard“. Click on “Next“.
  • From the next window, select the radio button “Yes, export the private key” and click on “Next”.
  • From next window, select the radio button “Personal Information Exchange – PKCS #12 (.PFX)“. Under that, make sure the check boxes related to options “Include all certificates in the certification path if possible” and “Export all extended properties” are selected. Click on “Next“.
  • From the next window, select the checkbox “Password” and enter a new password. Click on “Next”.
  • Finally you will get the window “Completing the Certificate Export Wizard” with all selected settings. Click on “Finish”. You will get a pop-up like “The export was successful”. Click on “OK”.

Install PFX file certificate

  • Copy the exported certificate (.PFX) file to the other servers where you need to install this certificate.
  • Navigate to the .PFX file and right click on it.
  • Select “Install PFX”.
  • You will get the window “Certification Import Wizard”.
  • Select the radio button option “Local Machine” present under “Store Location”. Click on “Next”.
  • From next window, browse to the stored location of .PFX file and select the certificate. Click on “Next“.
  • From the next window, enter the same password that was set while exporting the certificate in the previous steps.
  • Make sure the checkbox “Include all extended properties” present under “Import Options” is selected. Click on “Next”.
  • From the next window, set “Place all certificate in the following store” to “Personal”. Click on “Next”.
  • From next window “Completing the Certificate Import Wizard“, you will see all selected options. Click on “Finish“.
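The same export and import can be scripted with the Windows PKI cmdlets. This is an added example, not part of the original walkthrough; the .pfx path is a hypothetical location and the host name is the sample value used above.

```powershell
# Added example. $PfxPath is a hypothetical location; $HostName is the sample
# common name used in this walkthrough.
$HostName = 'SharePoint2019.spmcse.com'
$PfxPath  = 'C:\certs\SharePoint2019.pfx'

function Export-SiteCertificate {
    # Run on the server where the CSR was created and completed.
    param([string]$HostName, [string]$PfxPath, [securestring]$Password)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$HostName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key found for $HostName" }
    # BuildChain corresponds to the wizard option
    # "Include all certificates in the certification path if possible".
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password `
        -ChainOption BuildChain | Out-Null
    return $cert.Thumbprint
}

function Import-SiteCertificate {
    # Run on each web server where the CSR was not created.
    param([string]$PfxPath, [securestring]$Password, [string]$ExpectedThumbprint)
    # -Exportable is not passed, so the private key is imported as non-exportable.
    $imported = Import-PfxCertificate -FilePath $PfxPath -Password $Password `
        -CertStoreLocation Cert:\LocalMachine\My
    $leaf = $imported | Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
    if (-not $leaf) { throw 'PFX did not contain the expected certificate' }
    if (-not $leaf.HasPrivateKey) { throw 'Imported certificate has no private key' }
    # The PFX holds the private key: delete the copied file once it is installed.
    Remove-Item -Path $PfxPath -Force
    return $leaf
}

# Source server:
#   $pw    = Read-Host -AsSecureString -Prompt 'PFX password'
#   $thumb = Export-SiteCertificate -HostName $HostName -PfxPath $PfxPath -Password $pw
# Target server, after copying the file (use the thumbprint printed on the source):
#   Import-SiteCertificate -PfxPath $PfxPath -Password $pw -ExpectedThumbprint $thumb
```

Comparing the thumbprint on the target server confirms that the certificate installed there is the one exported from the source server. Delete the .pfx from the source server as well once every target has been updated.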

Install Internal Certificates

The next step is to install the internal certificates, “Global Root CA” and “RapidSSL RSA CA”, on all servers that use the SSL certificate.

Install Global Root CA

  • Copy the folder “Global Root and intermediate CA – RapidSSL (internal certs)” to the server on which the certificates need to be installed.
  • Open the folder; you will see two security certificates, “Global Root CA” and “RapidSSL RSA CA”.
  • Select and right click on the security certificate “Global Root CA“, click on “Install Certificate“.
  • You will get the window “Certification Import Wizard“.
  • Select the radio button option “Local Machine” present under “Store Location”. Click on “Next”.
  • From the next window, browse and select the store “Trusted Root Certification Authorities”, click “OK” and move to “Next”.
  • From next window “Completing the Certificate Import Wizard“, you will see all selected options. Click on “Finish“. Finally click on “OK” from pop up window.

Install Intermediate Certificates RapidSSL RSA CA

  • Similarly select and right click on the security certificate “RapidSSL RSA CA“, click on “Install Certificate“.
  • You will get the window “Certification Import Wizard“.
  • Select the radio button option “Local Machine” present under “Store Location”. Click on “Next”.
  • From the next window, browse and select the store “Intermediate Certification Authorities”, click “OK” and move to “Next”.
  • From the next window “Completing the Certificate Import Wizard”, you will see all selected options. Click on “Finish”. Finally click on “OK” in the pop-up window. The RapidSSL certificate installation is complete.
  • Finally do an “IISRESET“.
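A post-installation check for each server, as an added example that is not part of the original walkthrough: it confirms that the site certificate has its private key and the expected SAN entries, that its chain builds, and that the root and intermediate certificates ended up in the stores chosen above. Host names are this page's sample values; the 30-day expiry threshold is an assumption.

```powershell
# Added example. Host names are this walkthrough's sample values; the 30-day
# expiry threshold is an assumption.
function Test-SiteCertificate {
    param(
        [string]$HostName = 'SharePoint2019.spmcse.com',
        [string[]]$ExpectedSans = @('SharePoint2019.spmcse.com', 'MySite.spmcse.com')
    )
    $problems = @()
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$HostName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return "No certificate for $HostName in LocalMachine\My" }

    if (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Expires $($cert.NotAfter)" }
    foreach ($name in $ExpectedSans) {
        if ($cert.DnsNameList.Unicode -notcontains $name) { $problems += "SAN missing: $name" }
    }

    # Revocation checking is skipped (assumption: the server may have no outbound access).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $problems += $chain.ChainStatus | ForEach-Object { "Chain: $($_.StatusInformation.Trim())" }
    }
    # Each issuer in the chain must be present in the store the wizard steps put it in.
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        if ($c.Thumbprint -eq $cert.Thumbprint) { continue }
        $store = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
        if (-not (Test-Path "Cert:\LocalMachine\$store\$($c.Thumbprint)")) {
            $problems += "$($c.Subject) is not in LocalMachine\$store"
        }
    }
    # A certificate in the Root store that is not self-signed was likely imported
    # into the wrong store (an intermediate belongs in the CA store).
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -ne $_.Issuer } |
        ForEach-Object { $problems += "Not self-signed but in Root store: $($_.Subject)" }
    return $problems
}

Test-SiteCertificate
```

An empty result means none of the checks failed. “Root” and “CA” are the certificate provider names for the “Trusted Root Certification Authorities” and “Intermediate Certification Authorities” stores.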