SharePoint Web Services – HTTPS – Certificate

During one of the projects I am currently associated with, we ran into a peculiar problem. In a multi-server farm set up for https, the service application URIs are also created with https URLs. Accessing a site over https requires a certificate trusted by the requester, or disabling the certificate check. There is some .NET code that disables this check; however, it affects the entire application pool until the next recycle, so we did not want to use it.

We found out that the server address in these endpoints is taken from the value SharePoint has stored for the server (Get-SPServer).

For the entire solution we had been using a wildcard certificate, as it offers more flexibility and is easier to deploy. However, as the stored server name was not an FQDN, the wildcard certificate would not match. So what options did we have?

1: Use Rename-SPServer to change the internal server name in SharePoint to the FQDN, so that the wildcard certificate matches. We tried this, but saw quite a few side effects from the change, so we did not proceed with it. This could probably be a valid approach if the SharePoint internal names had been configured with FQDNs initially rather than NetBIOS names.

2: Create an individual server certificate for each server in the farm and add each certificate to every server. This approach was not chosen because of the amount of administration involved, both initially and whenever servers are added later.

3: One of my colleagues came up with the brilliant plan of using the SharePoint internal root certificate: it is already trusted by all SharePoint servers, so no additional certificates are needed. Another colleague wrote a little script which pulls the SharePoint Services certificate out of the certificate store, imports it into IIS, and binds it to the SharePoint Web Services site.

Updated: the script now checks for the port actually in use, and binds to a single certificate object rather than an array.

<# --------------------------------------------------------------------------------------------------------
.SYNOPSIS
Exports the currently used SharePoint Services certificate and uses it to create an SSL binding for SharePoint Web Services
.DESCRIPTION
This script lists all the certificates in the local SharePoint store, selects the one which matches
"SharePoint Services" and then calls certutil to import the certificate and key.
It then gets the current port of the web binding named "SharePoint Web Services", removes the
web binding and re-creates it with an SSL binding using the certificate.
.NOTES
File Name : export-spCert-import-in-IIS.ps1
Author : Mads Hjort Larsen - mads.hjort.larsen@gmail.com
.LINK
https://jesperarnecke.wordpress.com
.EXAMPLE
.\export-spCert-import-in-IIS.ps1
Certificate "CN=SharePoint Services, OU=SharePoint, O=Microsoft, C=US" added

CertUtil: -importPFX command completed successfully.

IP Address  Port   Store  Sites
----------  ----   -----  -----
0.0.0.0     32844  My     SharePoint Web Services

-------------------------------------------------------------------------------- #>

# Select the SharePoint Services certificate from the SharePoint store (take the first match if there are several)
$cert = Get-ChildItem cert:\LocalMachine\SharePoint |
    Where-Object { $_.Subject -match "SharePoint Services" } |
    Select-Object -First 1
if ($cert -eq $null) { throw "No 'SharePoint Services' certificate found in cert:\LocalMachine\SharePoint" }

$type = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx
# One-off password for the temporary PFX (the original hard-coded "password"); the file is deleted again below
$pass = [System.Guid]::NewGuid().ToString("N")
# Join-Path adds the separator the original string concatenation was missing
$certPath = Join-Path (Split-Path $MyInvocation.MyCommand.Path) "file.pfx"
$bytes = $cert.Export($type, $pass)
[System.IO.File]::WriteAllBytes($certPath, $bytes)

# Import certificate and private key into the local machine's My (Personal) store, where IIS looks for it
certutil -f -p "$pass" -importpfx "$certPath"
Remove-Item $certPath -Force    # do not leave the exported private key on disk

Import-Module WebAdministration
$binding = Get-WebBinding -Name "SharePoint Web Services" -Protocol https | Select-Object -First 1
$port = ($binding.bindingInformation).Trim("*:")   # bindingInformation looks like "*:32844:"
if ((Get-WebBinding -Name "SharePoint Web Services" -IP "*" -Port $port -Protocol https) -ne $null) {
    Remove-WebBinding -Name "SharePoint Web Services" -IP "*" -Port $port -Protocol https
}
New-WebBinding -Name "SharePoint Web Services" -IP "*" -Port $port -Protocol https

# Bind the copy certutil placed in the My store (matches the "Store: My" line in the example output)
$certObj = Get-Item "cert:\LocalMachine\My\$($cert.Thumbprint)"
# Provider path is IIS:\SslBindings\<ip>!<port>; the original "IIS:\SslBindings.0.0.0!$port" is not a valid path
if (Test-Path "IIS:\SslBindings\0.0.0.0!$port") { Remove-Item "IIS:\SslBindings\0.0.0.0!$port" }
New-Item "IIS:\SslBindings\0.0.0.0!$port" -Value $certObj
Remove-Module WebAdministration
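The following is an added verification script, not part of the post or the colleague's script above. After the binding script has run on a farm server, it checks the two things option 3 relies on: that the SharePoint Services certificate chains to a root this machine already trusts, and that the SSL binding on the SharePoint Web Services port actually presents that certificate. It assumes the store names used above, and defaults `$Server` to the local machine and `$Port` to 32844 (the port in the post's sample output); both are assumptions you may need to change.

```powershell
# Added verification example (not the original script). Assumptions: run on a farm
# server; the SharePoint Services certificate lives in cert:\LocalMachine\SharePoint;
# the SharePoint Web Services site listens on $Port (32844 in the post's output).
function Test-SPWebServicesBinding {
    param(
        [string]$Server = $env:COMPUTERNAME,
        [int]$Port = 32844
    )

    # Expected certificate: the one the binding script exports from the SharePoint store
    $expected = Get-ChildItem cert:\LocalMachine\SharePoint |
        Where-Object { $_.Subject -match 'SharePoint Services' } |
        Select-Object -First 1
    if ($expected -eq $null) { throw "No 'SharePoint Services' certificate in cert:\LocalMachine\SharePoint" }

    # Does this server build a trusted chain for it? SharePoint's internal CA publishes
    # no CRL, so revocation checking is switched off for the chain build.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($expected)
    $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject

    # Handshake with the binding and look at what it presents. The callback records the
    # policy errors and accepts the certificate so it can be inspected; it is scoped to
    # this one SslStream, not process-wide like ServicePointManager's callback.
    $seen = @{ Errors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chn, $errors)
        $seen.Errors = $errors
        $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    [pscustomobject]@{
        ExpectedThumbprint  = $expected.Thumbprint
        PresentedThumbprint = $presented.Thumbprint
        BindingMatches      = ($presented.Thumbprint -eq $expected.Thumbprint)
        ChainBuilds         = $chainOk
        ChainRoot           = $rootSubject
        # RemoteCertificateNameMismatch is expected here: the subject is "CN=SharePoint Services", not the host name
        PolicyErrors        = $seen.Errors
    }
}

Test-SPWebServicesBinding | Format-List
```

`BindingMatches` is the result that matters after running the binding script; `ChainBuilds` and `ChainRoot` show whether the SharePoint root authority is in this server's trusted store, which is the assumption that makes option 3 work without distributing any further certificates.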

2 comments

  1. I tried the script but am facing the error below.

    PS E:\temp> .\export-spCert-import-in-IIS.ps1
    Certificate “SharePoint Services” added to store.

    CertUtil: -importPFX command completed successfully.
    Undefined object type SslBindings.0.0.0!32844.
    Parameter name: nodeName
    At E:\temp\export-spCert-import-in-IIS.ps1:16 char:1
    + New-Item IIS:\SslBindings.0.0.0!$port -value $certobj
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], ArgumentException
    + FullyQualifiedErrorId : NewItemDynamicParametersProviderException
