Migration of Certificate from Windows Server 2008 to 2012 – Part 2

Ahamed Fazil Buhari
 
Senior Developer
June 4, 2018
 

Hi, this is the continuation of my previous article. In this article we will see how to import a certificate which we exported from a different server. Let’s say the target server where we need to import the certificate is Windows Server 2012.

1. Open IIS and double click on Server Certificates

clip_image002

2. Click on Import… at right side panel

clip_image004

3. Copy the .pfx file which you created in Part 1 from the old server to the new server. Then choose the .pfx file, provide the password which was given in Part 1 and click OK.

clip_image005

4. You can then see the certificate in the Server Certificates feature, which means the certificate has been imported successfully.

clip_image007
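The same import can be scripted on the Windows Server 2012 target with the built-in PKI cmdlets. This is an added example, not part of the original article; the file path is a hypothetical location for the .pfx copied from the old server.

```powershell
# Added example: scripted equivalent of the IIS "Import..." steps above.
# Run in an elevated PowerShell session on the target server.
$pfxPath = 'C:\Temp\site.pfx'   # hypothetical path of the copied .pfx file

# Prompt for the password set during the export in Part 1, so that it never
# appears in the script text or in the command history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the computer's Personal store, which is where IIS looks for
# server certificates. -Exportable is deliberately omitted, so the private
# key is marked non-exportable on this server.
$cert = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword

# An SSL binding needs the private key; a .pfx exported without it imports
# without error but cannot be used for https.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key."
}

# Migrating an already expired certificate only moves the problem.
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter)."
}

# Compare the thumbprint with the one shown on the old server.
$cert | Format-List Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey

# The .pfx contains the private key: remove the transfer copy once imported.
Remove-Item -Path $pfxPath
```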

Further you can follow my article on Install SSL Certificate To The Server And Binding Of SSL Certificate To IIS Website to know how to bind SSL certificate to your website.

Happy Coding

Ahamed

Category : Windows

 

Migration of Certificate from Windows Server 2008 to 2012 – Part 1

Ahamed Fazil Buhari
 
Senior Developer
 

Hi, in this article we will see how to migrate an SSL certificate from one server to another. During migration of a website or Web API, it is important to export the certificate from the old server and import it to the new server. I believe you have already installed a valid certificate on the server to serve an https site; if not, please follow this link to know more about SSL certificates – Install SSL Certificate To The Server And Binding Of SSL Certificate To IIS Website

I have split this article into two parts. In the 1st part we will see how to export the certificate from the old server, let’s say Windows Server 2008, and in the 2nd part we will see how to import the certificate to the new server (Windows Server 2012). Below, you can find the step-by-step procedure to export the certificate from the server (where I already installed the SSL certificate).

1. Click on Start -> search ‘mmc’, you will get the below console

clip_image002

2. In the console window, go to File -> Add/Remove snap-in…

clip_image004

3. In the Add/Remove snap-ins pop up, double click on Certificates and proceed further as shown in the below screenshot

clip_image005

4. And click Finish.

clip_image006

clip_image008

5. Go to Personal under Certificates, since my certificate was added inside Personal

clip_image009

clip_image011

6. Then you will get an Export Certificate Wizard

clip_image013

7. If you want to export with the private key, then select Yes

clip_image014

8. Select the format that you want to use

clip_image015

9. To maintain security, we must protect the private key with a password. This password will be needed when we import the certificate on the other server.

clip_image016

10. And provide a file name to save and click on Finish.

clip_image017

clip_image018

11. The .pfx file should now be exported to the given path. Copy this file and paste it on the target server (in our case Windows Server 2012).

clip_image020

Will continue in – Migration of Certificate from Windows Server 2008 to 2012 – Part 2

Happy Coding

Ahamed

Category : Windows

 

Error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)

Sathish Nadarajan
 
Solution Architect
October 28, 2014
 

I was in the process of installing and configuring my own Certificate Authority by installing the Active Directory Certificate Services. The installation completed successfully. When I tried to create a certificate from IIS, I faced an exception like “Error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)”

On the Server Manager, we can see the exception as below.

clip_image002

I was not able to create a certificate, and renewal could not be done either.

Then, after googling for a while, I found a useful tip regarding this and thought of sharing it with the SharePoint community.

Executing a simple command solves this problem.

· Open the Command Prompt as Administrator on the CA Server.

· Execute the following command.

 certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

· Restart the Server.

· Try creating/renewing the certificate.

· It should create/renew without any issue.

Then, if you want to roll back to the previous setting,

 certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE

Executing the first command (the one that sets the flag) gives the following output.

 Old Value:
 CRLFlags REG_DWORD = 2
 CRLF_DELETE_EXPIRED_CRLS -- 2
 New Value:
 CRLFlags REG_DWORD = a (10)
 CRLF_DELETE_EXPIRED_CRLS -- 2
 CRLF_REVCHECK_IGNORE_OFFLINE -- 8
 CertUtil: -setreg command completed successfully.
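With this flag set, the CA no longer fails when a revocation server cannot be reached, so it is worth confirming whether the setting is still in place after the underlying problem is fixed. The check below is an added example, not from the original post; it assumes the standard CertSvc registry location and uses the bit values printed in the output above.

```powershell
# Added example: report whether CRLF_REVCHECK_IGNORE_OFFLINE is set on this CA.
# Run in an elevated PowerShell session on the CA server.

# Bit values as printed by certutil in the output above.
$CRLF_DELETE_EXPIRED_CRLS     = 0x2
$CRLF_REVCHECK_IGNORE_OFFLINE = 0x8

# The CA service keeps its settings under a subkey named after the active CA.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey     = Join-Path -Path $configKey -ChildPath $caName
$flags     = (Get-ItemProperty -Path $caKey -Name CRLFlags).CRLFlags

'{0}: CRLFlags = 0x{1:x}' -f $caName, $flags
'  CRLF_DELETE_EXPIRED_CRLS     : {0}' -f [bool]($flags -band $CRLF_DELETE_EXPIRED_CRLS)
'  CRLF_REVCHECK_IGNORE_OFFLINE : {0}' -f [bool]($flags -band $CRLF_REVCHECK_IGNORE_OFFLINE)

if ($flags -band $CRLF_REVCHECK_IGNORE_OFFLINE) {
    Write-Warning ('Revocation checking ignores offline servers on this CA. ' +
        'Clear the flag with the rollback command once the CRL location is reachable.')
}

# List the CRL publication locations configured on the CA, to identify the
# one that could not be reached when the original error was raised.
certutil -getreg ca\CRLPublicationURLs
```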
 

Happy Coding.

Sathish Nadarajan.

Category : Windows

 

Certificate used while creating a Provider Hosted Application in SharePoint 2013

Sathish Nadarajan
 
Solution Architect
March 25, 2014
 

In the article, we saw the step by step approach to create a provider hosted application. But there, while creating an app from Visual Studio, we give a certificate and an Issuer ID. I had thought of explaining it to the community for a long time, but we forgot and moved on to other areas. Now, it’s time to look into that.

I request the readers to have a look at the above mentioned article to make sure that we are on the same track.

As a quick walkthrough: in step number 5, we need to provide a .pfx file and an issuer ID.

clip_image002

This issuer ID will be added automatically on the web.config of our provider hosted application. The steps to create and make use of this are as follows.

1. Create a Self Signed Certificate from InetMgr. Please refer here.

2. Export the certificate and create the PFX with a password.

3. Now, we need to create the Issuer ID.

To create Issuer ID, go to the Appregnew.aspx page. The full URL will be something like, https://MyServer/sites/MySiteCollection/_layouts/15/Appregnew.aspx.

clip_image004

Once we give the Issuer ID, the web.config of the app will look like this:

 <appSettings>
   <add key="ClientSigningCertificatePath" value="C:\MyCertificate.pfx"/>
   <add key="ClientSigningCertificatePassword" value="****"/>
   <add key="IssuerId" value="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"/>
 </appSettings>
 

4. Register the Issuer ID to create a new Trusted Identity Token Issuer using the PowerShell script.

5. The following script will do that.

 # Registering an Issuer ID 1dfc02bc-ff74-4604-b295-b58860cba1f9
 cls
 Add-PSSnapin "Microsoft.SharePoint.PowerShell"

 # Issuer ID generated on Appregnew.aspx (placeholder value)
 $issuerID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"
 $targetSiteUrl = "https://MyWebApplication:3000/sites/DeveloperSite/"
 $targetSite = Get-SPSite $targetSiteUrl
 $realm = Get-SPAuthenticationRealm -ServiceContext $targetSite

 # The registered issuer name has the form <issuer ID>@<realm>
 $registeredIssuerName = $issuerID + '@' + $realm

 # Public (.cer) part of the certificate whose .pfx is referenced in web.config
 $publicCertificatePath = "C:\Certs\MyCert.cer"
 $publicCertificate = Get-PfxCertificate $publicCertificatePath

 Write-Host "Create Security token issuer"
 $secureTokenIssuer = New-SPTrustedSecurityTokenIssuer -Name $issuerID -RegisteredIssuerName $registeredIssuerName -Certificate $publicCertificate -IsTrustBroker

 # Show the new issuer and keep a copy of its details in a text file
 $secureTokenIssuer | select *
 $secureTokenIssuer | select * | Out-File -FilePath "SecureTokenIssuer.txt"

 # Turn off the HTTPS requirement for OAuth during development
 $serviceConfig = Get-SPSecurityTokenServiceConfig
 $serviceConfig.AllowOAuthOverHttp = $true
 $serviceConfig.Update()

 Write-Host "All done..."
 
 
 

Happy Coding.

Sathish Nadarajan.

 

Creating a Domain Certificate from Certificate Authority through MMC

Sathish Nadarajan
 
Solution Architect
January 6, 2014
 

In the previous article, we saw how to create a Domain Certificate by using the IIS server. Now, let us see how to create the same Domain Certificate from the MMC console. Even if IIS is not installed, MMC will definitely be there on any machine. That’s the reason we need to look into this also.

Though it is easy to create using IIS, we need to know this way also. Sometimes it will definitely help.

The steps are as follows.

1. Go to Run and type MMC.

image

2. In the console, select “Add/Remove Snap-in”

image

 

3. Select the “Certificate Authority”

image

4. Certificate Authority will be loaded as shown below

image

5. Now, again go back to Add/Remove Snap-in and Select Certificates

image

6. Select the radio button appropriately. In my case, I am selecting Computer.

image

7. Select Local computer, since I am on the CA server itself.

image

8. Now the console will look like this

image

9. Select Personal -> All Tasks->Request New Certificate

image

10. Follow the screen shots.

image

image

 

image

Select the template.

To add more templates here, we need to add the templates from the CA. We will see that in the Appendix. Now proceed with Enroll.

We will get the certificate. To confirm that, we can go to IIS – Server Certificates. The created certificate will be listed there. We can also see the certificate in the issued certificates section.
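The request made through the MMC wizard above can also be submitted from the command line with certreq, which ships with Windows. This is an added example, not from the original post; the subject, template name and CA name are hypothetical and must be replaced with your own values.

```powershell
# Added example: request a certificate from the enterprise CA without the wizard.
# Run in an elevated PowerShell session on the machine that needs the certificate.
$subject  = 'CN=web01.contoso.local'                # hypothetical machine name
$template = 'WebServer'                             # must be a template published on the CA
$caConfig = 'ca01.contoso.local\Contoso-Root-CA'    # hypothetical "host\CA name"

$workDir = Join-Path -Path $env:TEMP -ChildPath 'certreq-demo'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path -Path $workDir -ChildPath 'request.inf'
$reqPath = Join-Path -Path $workDir -ChildPath 'request.req'
$cerPath = Join-Path -Path $workDir -ChildPath 'issued.cer'

# Request policy file read by certreq. The key is generated in the machine
# store, is at least 2048 bits and is not exportable.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$subject"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 1. Generate the key pair and the request file.
certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed.' }

# 2. Submit the request to the CA and save the issued certificate.
certreq -submit -config $caConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed or the request is pending.' }

# 3. Install the issued certificate and link it to the private key from step 1.
certreq -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed.' }
```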

Appendix A:

Here let us see, how to add a new template.

image

We need to select an existing template. New certificates can be inherited from the existing certificate template only.

image

Now, we are done with the creation.

Happy Coding.

Sathish Nadarajan.

Category : Configuration, Windows

 

Creating a Domain Certificate from Certificate Authority through IIS Server

Sathish Nadarajan
 
Solution Architect
January 3, 2014
 

In the previous article, we saw how to install ADCS and convert our Windows Server 2008 R2 into a Certification Authority Server. In this post, let us see, how to use that CA to issue certificate for us.

There are 2 ways to create the certificate using CA. In this article, let us see one through IIS Server.

Approach I – Through IIS:

In this approach, in the same way as creating a Self-Signed Certificate, we can create a Domain Certificate as well. The only requirement is that Active Directory Certificate Services must be installed on the domain. If it is not properly installed, we cannot create a Domain Certificate: although we can see the Create Domain Certificate link in IIS, the creation will not succeed. Let us first see how the creation fails.

Let us go to the IIS Server.

image

On the Right Pane, we can see the option to Create Domain Certificate. Click that one.

image

We need to give all the necessary information. Only then will the Next button be enabled.

For documentation purposes, I am giving test in all the fields.

image

When I press Next, the next screen would be

 

image

Since there is no CA installed, we cannot proceed further.

Let us see what happens if the CA is installed. (The screen shots were taken from a different environment, hence the names of the servers will not match the previous ones.)

Now, the Certification Authority Selection Button will be enabled.

image

Select the CA which we installed already.

image

Give a Friendly Name and click Finish

image

The certificate is created.

image

The major difference which I thought of explaining is the “Issued To” field. This field comes from the Common Name which we gave on the first screen. For reference, the same is pasted here.

image

Hence, if we want a certificate for a specific machine, we need to give the machine name or the full name of the machine (along with the domain) in the Common Name field. The other fields don’t have much impact.

A much more important difference is renewal.

On the below screen shot,

image

Only “Test” is a Domain Certificate. The remaining 2 are Self-Signed Certificates. To identify them, select and right click on the certificate: for a Self-Signed Certificate you cannot find an option to renew. Only Domain Certificates can be renewed; Self-Signed Certificates cannot be renewed.

image

image
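The same distinction can be read from the certificate store directly. This is an added example, not from the original post; it lists the computer's Personal store, which is what IIS shows under Server Certificates, and treats a certificate whose subject equals its issuer as self-signed.

```powershell
# Added example: list server certificates and tell self-signed ones from
# certificates issued by a CA, together with key size and remaining lifetime.
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

Get-ChildItem -Path Cert:\LocalMachine\My |
    Select-Object `
        @{ Name = 'IssuedTo';   Expression = { $_.GetNameInfo($simpleName, $false) } },
        @{ Name = 'IssuedBy';   Expression = { $_.GetNameInfo($simpleName, $true) } },
        @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } },
        @{ Name = 'KeySize';    Expression = {
               # Key size is read for RSA keys; other key types are left blank.
               try { $_.PublicKey.Key.KeySize } catch { $null }
           } },
        @{ Name = 'DaysLeft';   Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } },
        Thumbprint |
    Sort-Object -Property DaysLeft |
    Format-Table -AutoSize
```

Rows with SelfSigned set to True are the ones that cannot be renewed and have to be recreated before DaysLeft reaches zero.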

As I mentioned, there are 2 ways to create a Domain Certificate. In this post, we saw one of the approaches. We will see the second approach in the upcoming posts. Thanks.

Happy Coding.

Sathish Nadarajan.

Category : Configuration, IIS, Windows

 

Installing Certificate Authority by Active Directory Certificate Services on Windows Server 2008 R2

Sathish Nadarajan
 
Solution Architect
 

All of us know the importance of certificates in the development environment as well as in the customer’s environment. As developers, we don’t bother about the certificates in the customer’s environment. But during development itself, we are required to deal with certificates frequently. For example, even for creating an HTTPS site, we require certificates.

Regarding this, we have already seen how to create a self-signed certificate from IIS in this post. But the problem we faced there is the validity of the certificate. The default validity of a self-signed certificate is one year. After one year, there is no option to renew or extend the validity. I couldn’t see any option for AutoCertificateRollover either. (We can discuss those in some other posts.)

At the same time, for development, we cannot buy a certificate either. In this scenario, if we have a Windows Server 2008 R2 machine (any other Server OS can also help; since I used Windows Server 2008 R2, I am explaining with that), we can convert our server into a Certificate Authority server and get certificates from it. We can renew them, choose any templates, and so on. There are many more options.

Let us first see how to install the Active Directory Certificate Services. As usual, the step by step procedure is as follows.

1. Open the Server Manager

image

2. Select Roles and then Add Roles.

image

3. Select the Active Directory Certificate Services

image

4. The installation Wizard will begin

image

5. Select the services. The basic ones we require are Certificate Authority and Certification Authority Web Enrollment.

image

6. To install the Web Enrollment service, certain IIS related services need to be installed. Click on Add Required Role Services.

image

7. Now, go to the next screen

image

8. Select the Enterprise, since we are going to use the existing Active Directory

image

9. Select the Root CA. This Certification Authority is going to be the root for any other sub Certification Authority in future. As far as the development machine is concerned, we don’t need to worry about this. We can proceed with Root CA.

image

10. Select the New Private Key

image

11. The encryption methods. Leave them as default. The only thing to be noted here is the Key Character Length. To be on the safer side, always keep the length not less than 2048.

image

12. Give the name of the CA, the certificate prefixes, etc. Mostly keep them as default.

image

13. Validity of the certificate. Give as you require. Even if you give a lesser value, we can renew the certificate.

image

14. Location of the database files.

image

15. Confirm and proceed with installation.

image

image

image

 

image

 

image

 

 

Verifying the Installation.

Once the installation has succeeded, we need to verify it. To do that, we can go to Server Manager again and see that the role has been added.

 

 

image

To verify against the Certification Authority, the following steps will help us.

1. Go to Run and type MMC

image

2. Management Console will open. On that, Add Snapin.

image

3. Add Certification Authority and select Local.

image

image 

4. It will get added.

image

5. Now you can see all the certificates which were issued, pending requests, certificate templates, etc.

image

We will see how to create a certificate using this Certification Authority in the subsequent posts.

Happy Coding.

Sathish Nadarajan.

 

Adding the Self Signed Certificate in Manage trusted of SharePoint 2013

Sathish Nadarajan
 
Solution Architect
September 17, 2013
 

In the previous article, we saw how to create a Self-Signed Certificate from IIS. Now, let us see how to copy it into a file and make use of it in SharePoint 2013.

1. Go to IIS

clip_image002

2. Select “Server Certificates”.

3. We will see the list of already existing certificates.

clip_image004

4. Double click the certificate

5. We will be prompted with the below popup.

clip_image006

6. On the Details Tab, there will be a link to “Copy to File…”

7. Click that one.

clip_image008

8. We will be prompted with the wizard.

clip_image010

9. Follow the below screen shots to complete the wizard, as they are self explanatory.

clip_image012

clip_image014

clip_image016

clip_image018

clip_image020

clip_image022

 

Once the export is successful, we will be able to see the Cert on the given path with an extension of *.cer.

 

Now let us have a look at how to add this certificate in to SharePoint 2013 Central Administration.

 

1. Let us go to the Central Administration

clip_image024

2. Go to the Security.

clip_image026

3. Click on the Manage Trust.

clip_image028

4. You will be able to see the existing trusted certificates.

5. Click on new.

clip_image030

6. On the Popup, enter the necessary information.

clip_image032

7. We will be able to see the certificate on the list.

clip_image034

8. Now, this certificate can be accessed throughout your SharePoint 2013 farm.

 

With this, we came to know how to export the certificate into a .cer file and how to use that in SharePoint 2013. Let us see the exact usage of these steps in the following articles.

 

Happy SharePointing…

Category : IIS, SharePoint

 

How to Create a Self-Signed Certificate on IIS Server

Sathish Nadarajan
 
Solution Architect
September 16, 2013
 

 

In SharePoint 2013, in most cases, you will be in a situation where you need a certificate (to create an https site, for ADFS configuration, etc.). In the production environment this certificate will be purchased from one of various vendors. But in the development environment, as developers, we should be in a position to use a self-signed certificate. Let us see how to create a self-signed certificate on the IIS of the development machine, step by step.

1. Go to IIS

clip_image002

2. Select “Server Certificates”.

3. You will see the list of already existing certificates.

4. Select the “Create Self-Signed Certificate” link on the right pane.

clip_image004

5. Enter the details as shown below.

clip_image006

6. That’s it. Our certificate will be listed on the Server Certificates.

7. Do an IISRESET.

8. Now, our certificate is ready to bind with any web application on the Bindings link.

9. To verify that, let us go to any of the web application and edit the existing binding.

10. Our newly created certificate will be listed on the drop down.

clip_image008

In the next article, let us see how to export this and make a relationship with SharePoint Central Administration.

Category : IIS, SharePoint, Windows
