SelfSSL and SharePoint
- I am trying to create a selfssl that matches my server name for a SharePoint installation that resides on a stand-alone Windows 2008 server. I cannot figure out what the correct name of the certificate should be. For example, should I use the IP address of the machine?
I need the name to match because Windows Vista and Windows 7 clients CANNOT use the "Windows Explorer" feature using SSL unless the name matches the certificate. The problem does not exist with Windows XP or Windows 2003.
Does anyone know how to create a self signed certificate on a stand-alone Windows 2008 server?
Answers
- Microsoft was able to correct the issue. As I expected, the problem was with the certificate.
>> Install Root CA role (Workgroup or Enterprise) on the server.
>> Created an answer file and supplied the external and internal IPs in the Subject Alternative Name in the file. (inf file is attached to the mail – rename it to .inf)
>> Run the command "certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2" on the server to enable SAN on the certificates.
>> Restart the CA service.
>> Use the certreq tool to generate the request and get a new cert issued out from the CA (http://support.microsoft.com/kb/931351). Following are the commands:
- Certreq -new <inf file name> <request file name>
- Certreq -submit <request file name> <certificate file name>
- Certreq -accept <certificate file name>
>> The cert would now show up in the personal store of the computer. (Can check it using the mmc)
>> Bind the certificate to the IIS.
- Marked As Answer by otterit Wednesday, November 11, 2009 12:32 AM
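The steps in the accepted answer as one PowerShell script, added here as an example; it is not the file Microsoft support attached. The INF layout is assumed from the sample in the KB 931351 article the answer links, and the host name, IP addresses and file names are constructed placeholders.

```powershell
# Added example. Host name, IP addresses and file names are constructed placeholders.
$subject = 'sharepoint.example.com'      # the name users type after https://
$sanList = 'dns=sharepoint.example.com', 'ipaddress=10.0.0.10', 'ipaddress=203.0.113.10'
$san     = [string]::Join('&', $sanList) # SAN attribute entries are joined with '&'

# Request file (assumed layout, after the sample in KB 931351).
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
SAN = "$san"
"@
Set-Content -Path .\sharepoint.inf -Value $inf -Encoding ASCII

# Let the CA's policy module honor the SAN request attribute, then restart the CA service.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Restart-Service certsvc

# Generate the request, submit it to the CA, install the issued certificate.
# A stand-alone CA may leave the request pending until it is issued in the CA console.
certreq -new    .\sharepoint.inf .\sharepoint.req
certreq -submit .\sharepoint.req .\sharepoint.cer
certreq -accept .\sharepoint.cer

# Check that every expected name is in the issued certificate before binding it in IIS.
certutil -dump .\sharepoint.cer | Select-String 'DNS Name=', 'IP Address='

# While the flag is set, the CA accepts a SAN from any requester; clear it once done.
certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
Restart-Service certsvc
```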
All Replies
- I have created a self assigned cert yet, but the name of the cert should be the name your users use to access SharePoint. Whatever is after http:// in the address bar.
HTH
David Lozzi
Delphi Technology Solutions
Blog | LinkedIn | Twitter
- Conceptually, that works. The problem I have is the server name is only for an internal address and the IP address is NAT. I am using a 10.x.x.x internal address that is configured to receive requests by using Port Forwarding in my router.
So, http://10.x.x.x:4443/ will not work as my certificate name. :( What I really need, which I cannot remember how to do, is to associate two names with a certificate. MS told me how, but I cannot find the @$# instructions. ;)
- I'm not sure about assigning two names to a cert. If I understand what you're trying to do. If port forwarding is rerouting traffic, that technically shouldn't matter. The host name is passed through along with it. So even though domain.com points to one IP and then directs it to 10.x.x.x, the SSL cert should be domain.com.
David Lozzi
Delphi Technology Solutions
Blog | LinkedIn | Twitter
- Unmarked As Answer by otterit Wednesday, November 11, 2009 12:22 AM
- Marked As Answer by Lily Wu MSFT, Moderator Tuesday, November 10, 2009 12:49 AM


