During one of the ongoing projects I am associated with, we had a peculiar problem. In a multi-server farm set up for https, the service application endpoint URIs are also created as https URLs. Accessing a site over https requires a certificate that the requester trusts, or disabling the certificate check. There was some .NET code that disables this check; however, it affected the entire application pool until the next recycle, so we did not want to use that.
We found out that the server address in these endpoints is taken from the server name SharePoint has stored internally (see Get-SPServer).
For the entire solution we had been using a wildcard certificate, as it offers more flexibility and ease of implementation. However, as the stored server name was a NetBIOS name rather than an FQDN, the wildcard certificate would not match it. So what options did we have?
1: Use Rename-SPServer to change the internal server name in SharePoint to the FQDN, and thereby use the wildcard certificate. We tried this, but saw quite a few side effects from the change, so we chose not to proceed with it. This could probably be a valid approach if the SharePoint internal names had been configured with FQDNs from the start rather than NetBIOS names.
2: Create individual server certificates for each server in the farm, and add each certificate to every server. This approach was not chosen because of the amount of administration involved, both initially and whenever servers are added later.
3: One of my colleagues came up with the brilliant plan to use the SharePoint internal Root certificate: as this is already trusted by all SharePoint servers, there is no need for additional certificates. Another colleague of mine wrote a little script which pulls this SharePoint certificate out of the certificate store, imports it for IIS, and binds it to the SharePoint Web Services site.
Updated: the script now checks for the port in use, and binds using a single certificate object rather than an array.
<# --------------------------------------------------------------------------------------------------------
.SYNOPSIS
    Exports the currently used SharePoint Services certificate and uses it to create an SSL binding for SharePoint Web Services
.DESCRIPTION
    This script lists all the certificates in the local SharePoint store, selects the one which matches "SharePoint Services"
    and then calls certutil to import the certificate and key. It then gets the current port of the webbinding named
    "SharePoint Web Services", removes the webbinding and re-creates it with an sslbinding using the certificate.
.NOTES
    File Name : export-spCert-import-in-IIS.ps1
    Author    : Mads Hjort Larsen - mads.hjort.larsen@gmail.com
.LINK
    https://jesperarnecke.wordpress.com
.EXAMPLE
    .\export-spCert-import-in-IIS.ps1
    Certificate "CN=SharePoint Services, OU=SharePoint, O=Microsoft, C=US" added
    CertUtil: -importPFX command completed successfully.

    IP Address Port  Store Sites
    ---------- ----  ----- -----
    0.0.0.0    32844 My    SharePoint Web Services
-------------------------------------------------------------------------------- #>

# Pick the "SharePoint Services" certificate from the farm's own certificate store
$cert = dir cert:\localmachine\sharepoint | Where-Object {$_.Subject -match "SharePoint Services"}

# Export it together with its private key to a password-protected PFX next to this script
# (Join-Path adds the directory separator the original string concatenation was missing)
$type = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx
$pass = "password"
$certPath = Join-Path (Split-Path $MyInvocation.MyCommand.Path) "file.pfx"
$bytes = $cert.Export($type, $pass)
[System.IO.File]::WriteAllBytes($certPath, $bytes)

# Import certificate and key into the local machine store so IIS can use it
certutil -f -p "$pass" -importpfx "$certPath"

Import-Module WebAdministration

# bindingInformation looks like "*:32844:"; Trim strips the '*' and ':' characters and leaves the port
$port = ((Get-WebBinding -Name "SharePoint Web Services" -Protocol https).bindingInformation).Trim("*:")

# Re-create the https web binding on that port
if ((Get-WebBinding -Name "SharePoint Web Services" -IPAddress "*" -Port $port -Protocol https) -ne $null) {
    Remove-WebBinding -Name "SharePoint Web Services" -IPAddress "*" -Port $port -Protocol https
}
New-WebBinding -Name "SharePoint Web Services" -IPAddress "*" -Port $port -Protocol https

# Bind the certificate to the port on all addresses. The IIS provider path is
# IIS:\SslBindings\0.0.0.0!<port>; the "\0" had been lost in the published version of the script.
$certObj = Get-Item $cert.PSPath
if (Test-Path "IIS:\SslBindings\0.0.0.0!$port") { Remove-Item "IIS:\SslBindings\0.0.0.0!$port" }
New-Item "IIS:\SslBindings\0.0.0.0!$port" -Value $certObj

Remove-Module WebAdministration
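After running the script, a quick way to confirm that the binding is actually in place is to compare the thumbprint IIS has on the port with the SharePoint Services certificate and then do a real TLS handshake against the local port to see what is presented and whether it chains to a root this server trusts. This is an added check, not part of the original script; it assumes the site listens on localhost and that the SharePoint root is in the machine's trusted store, as the post says it is.

```powershell
# Added verification check (not part of the original script).
Import-Module WebAdministration

$port   = ((Get-WebBinding -Name "SharePoint Web Services" -Protocol https).bindingInformation).Trim("*:")
$spCert = Get-ChildItem cert:\LocalMachine\SharePoint | Where-Object { $_.Subject -match "SharePoint Services" }

# 1. The SSL binding on 0.0.0.0!<port> must reference the SharePoint Services thumbprint
$binding = Get-Item "IIS:\SslBindings\0.0.0.0!$port"
if ($binding.Thumbprint -ne $spCert.Thumbprint) {
    Write-Warning "Port $port is bound to $($binding.Thumbprint), expected $($spCert.Thumbprint)"
}

# 2. Perform a TLS handshake against the local port and capture the certificate the server presents.
#    The callback accepts everything here only so the handshake completes; validation is done explicitly in step 3.
$client   = New-Object System.Net.Sockets.TcpClient("localhost", [int]$port)
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl      = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($env:COMPUTERNAME)
$presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Close()

# 3. Build the chain the way any farm member would: it should end at the SharePoint Root Authority
#    in LocalMachine\Root. Revocation is skipped because the internal root publishes no CRL (assumption).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($presented)

[pscustomobject]@{
    Port             = $port
    BoundThumbprint  = $binding.Thumbprint
    PresentedSubject = $presented.Subject
    PresentedIssuer  = $presented.Issuer
    ChainValid       = $chainOk
    ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
}
```

If ChainValid is false, ChainStatus names the reason (for example UntrustedRoot), which points at the store the root is missing from rather than at the binding.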
Adding the article below for reference. According to Microsoft, this should not be a problem; however, it is.
http://msdn.microsoft.com/en-us/library/ee535060(v=office.14).aspx
I tried the script but am facing the error below.
PS E:\temp> .\export-spCert-import-in-IIS.ps1
Certificate “SharePoint Services” added to store.
CertUtil: -importPFX command completed successfully.
Undefined object type SslBindings.0.0.0!32844.
Parameter name: nodeName
At E:\temp\export-spCert-import-in-IIS.ps1:16 char:1
+ New-Item IIS:\SslBindings.0.0.0!$port -value $certobj
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], ArgumentException
+ FullyQualifiedErrorId : NewItemDynamicParametersProviderException