Oct 16, 2014

Self-signed wildcard certificates for SharePoint 2013

In a post-Snowden era, everyone is encrypting their network traffic with SSL and SharePoint portals are no different.

Wildcard certificates are a good deal if you need several SSL certificates for hosts under one domain (intranet, extranet, mysites, mail, etc.), and here's how to create your own self-signed wildcard certificate and root authority for development servers. Two caveats before you start: a wildcard for *.mydomain.com covers intranet.mydomain.com but not mydomain.com itself or deeper names such as a.b.mydomain.com, and a root authority that you install in the Trusted Root store makes every machine that trusts it accept anything signed with its private key, so keep that key on the development machine and never push this root to production or to end users' machines.

All the credit goes to Mike O'Brien in this post: http://www.mikeobrien.net/blog/creating-self-signed-wildcard/.

Create the certificates

  1. Download and install the Windows 8.1 SDK (http://msdn.microsoft.com/en-us/library/windows/desktop/bg162891.aspx).  You only need the base component "Windows Software Development Kit" to get the makecert.exe application.  You can install this on the server or on a local development machine; in the latter case you will export the certificates to the server afterwards.
  2. Open a command line with administrative privileges (the commands write to the local computer's certificate stores).
  3. Run "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\makecert.exe" -n "CN=My Development Root CA,O=My Company Name,OU=Development,L=MyCity,C=US" -pe -ss Root -sr LocalMachine -sky exchange -m 120 -a sha1 -len 2048 -r
  4. This creates a self-signed (-r) root authority certificate with a 2048-bit, exportable (-pe) key, valid for 120 months, and installs it in the local computer's Trusted Root Certification Authorities store.  makecert also accepts -a sha256, which you should prefer: browsers are phasing out certificates signed with SHA-1.
  5. Run "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\makecert.exe" -n "CN=*.mydomain.com" -pe -ss My -sr LocalMachine -sky exchange -m 120 -in "My Development Root CA" -is Root -ir LocalMachine -a sha1 -eku 1.3.6.1.5.5.7.3.1
  6. This creates a wildcard certificate signed by the root authority (-in/-is/-ir) with the Server Authentication extended key usage (1.3.6.1.5.5.7.3.1) and installs it in the local computer's Personal certificate store.  Add -len 2048 here too, otherwise makecert uses its shorter default key length.  Note that makecert cannot add a Subject Alternative Name extension, so the wildcard name lives only in the subject CN; browsers that ignore the CN (Chrome from version 58 on) will reject it, and for those you need a tool that can set a SAN, such as certreq with an INF file.
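The whole creation step as a PowerShell script, added here as an example; it is not part of the original post or of Mike O'Brien's. It runs the same two makecert.exe commands with the values pulled into parameters, signs with sha256 and gives the leaf an explicit 2048-bit key (both my changes; the post uses sha1 and makecert's default length), then checks what a practitioner wants to know before copying anything to a server: the wildcard certificate is in LocalMachine\My with its private key, carries the Server Authentication EKU, and chains to the root. The domain, company, city and SDK path are placeholders.

```powershell
# Added example: create the dev root CA and wildcard certificate with makecert.exe, then verify them.
# $Domain, $Company, $City, $RootName and $MakeCert are placeholders; adjust to your environment.
param(
    [string]$Domain   = "mydomain.com",
    [string]$Company  = "My Company Name",
    [string]$City     = "MyCity",
    [string]$RootName = "My Development Root CA",
    [string]$MakeCert = "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\makecert.exe"
)
$ErrorActionPreference = "Stop"
$ns = "System.Security.Cryptography.X509Certificates"

function Get-CertBySimpleName([string]$StoreName, [string]$SimpleName) {
    # SimpleName is the CN, which avoids depending on how .NET orders the other DN components
    Get-ChildItem "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.GetNameInfo("SimpleName", $false) -eq $SimpleName } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
}

# 1. Self-signed (-r) root CA in LocalMachine\Root, valid 120 months, exportable key (-pe).
#    sha256 instead of the post's sha1: makecert accepts sha1, sha256, sha384 and sha512.
& $MakeCert -n "CN=$RootName,O=$Company,OU=Development,L=$City,C=US" -pe -ss Root -sr LocalMachine `
    -sky exchange -m 120 -a sha256 -len 2048 -r
if ($LASTEXITCODE -ne 0) { throw "makecert failed while creating the root CA" }

# 2. Wildcard leaf in LocalMachine\My, issued by the root (-in/-is/-ir), Server Authentication EKU.
#    -len 2048 is explicit because makecert's default key length is shorter.
& $MakeCert -n "CN=*.$Domain" -pe -ss My -sr LocalMachine -sky exchange -m 120 `
    -in $RootName -is Root -ir LocalMachine -a sha256 -len 2048 -eku 1.3.6.1.5.5.7.3.1
if ($LASTEXITCODE -ne 0) { throw "makecert failed while creating the wildcard certificate" }

# 3. Checks before the files go anywhere.
$wild = Get-CertBySimpleName "My" "*.$Domain"
if (-not $wild)               { throw "wildcard certificate not found in LocalMachine\My" }
if (-not $wild.HasPrivateKey) { throw "wildcard certificate has no private key; IIS cannot use it" }

$eku = $wild.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })) {
    throw "wildcard certificate lacks the Server Authentication EKU"
}

# makecert writes no CRL distribution point, so chain building must skip revocation checks
# or it fails with RevocationStatusUnknown even though the chain itself is fine.
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = "NoCheck"
if (-not $chain.Build($wild)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
    throw "chain does not validate: $status"
}
$chainNames = ($chain.ChainElements | ForEach-Object { $_.Certificate.GetNameInfo("SimpleName", $false) }) -join " -> "
"Wildcard thumbprint: $($wild.Thumbprint)"
"Chain: $chainNames"
```

Run it from an elevated PowerShell prompt; the chain line should read `*.mydomain.com -> My Development Root CA`. If you keep the post's sha1, only the two `-a` arguments change.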

Export the certificates to the server

  1. If you performed the previous steps on the server itself, you only need the exports without the private key (steps 7 and 8) for SharePoint; do those and continue with "Configure IIS and SharePoint".  Otherwise export the certificates and import them on the server as follows.
  2. Open the Certificates Management Console for the local computer (Windows key, search for "certificates" and pick the computer certificates entry; makecert put the certificates in the LocalMachine stores, not in your user's).
  3. Open the Trusted Root Certification Authorities > Certificates folder and right click your "My Development Root CA" certificate.
  4. Select "All Tasks > Export...".
  5. Select "No, do not export the private key" and choose the DER encoded .cer format.  The server and the client machines only need the root's public certificate to trust the chain; the root's private key should stay on the machine where you created it, because anything signed with it is trusted by every machine that has the root installed.
  6. Click Next, choose a location and save the file.
  7. Repeat the export for the wildcard certificate in the Personal > Certificates folder, this time selecting "Yes, export the private key".  Assign a password to the export file; this produces a .pfx, which is the file IIS needs.
  8. Export the wildcard certificate once more with "No, do not export the private key" to get the .cer that SharePoint's trust relationships require.
  9. Copy the three files to your server.
  10. Now open the Certificates Management Console for the local computer on the server.
  11. Right click the Trusted Root Certification Authorities folder, select All Tasks > Import, and pick the root .cer file.
  12. Right click the Personal folder, select All Tasks > Import, pick the wildcard .pfx file and enter the password.  Leave "Mark this key as exportable" unchecked unless you need to move it again.
  13. Any other machine that will browse the sites (developers' workstations, test clients) needs the root .cer imported into its Trusted Root Certification Authorities store too, otherwise browsers show certificate warnings.
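The export and import steps as a script, added as an example and not from the post. It uses the .NET X509Store and X509Certificate2 classes rather than the Export-PfxCertificate/Import-PfxCertificate cmdlets so it also runs on Windows Server 2008 R2, where the PKI module does not exist. Paths, the CN values and the plain-text password are assumptions for illustration. Only the wildcard certificate leaves with its private key; the root goes out as a public .cer, which is all the server and the clients need to build the chain.

```powershell
# Added example: export on the machine where makecert ran, import on the SharePoint server.
# .NET X509 classes only, so it works on PowerShell 2.0 and Windows Server 2008 R2.
# Paths, subjects and the plain-text PFX password are placeholders for illustration.
$ErrorActionPreference = "Stop"
$ns = "System.Security.Cryptography.X509Certificates"

function Get-StoreCert([string]$StoreName, [string]$SimpleName) {
    $store = New-Object "$ns.X509Store"($StoreName, "LocalMachine")
    $store.Open("ReadOnly")
    try {
        # match on the CN only; the order of the other DN parts varies between tools
        $store.Certificates | Where-Object { $_.GetNameInfo("SimpleName", $false) -eq $SimpleName } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
    } finally { $store.Close() }
}

function Add-StoreCert([string]$StoreName, $Cert) {
    $store = New-Object "$ns.X509Store"($StoreName, "LocalMachine")
    $store.Open("ReadWrite")
    try { $store.Add($Cert) } finally { $store.Close() }
}

# --- Run where makecert created the certificates ---
function Export-DevCerts([string]$OutDir, [string]$PfxPassword,
                         [string]$RootCN = "My Development Root CA", [string]$WildcardCN = "*.mydomain.com") {
    $root = Get-StoreCert "Root" $RootCN
    $wild = Get-StoreCert "My"   $WildcardCN
    if (-not $root -or -not $wild) { throw "root or wildcard certificate not found in the LocalMachine stores" }
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

    # Public certificates (.cer): what SharePoint's trust relationships and client machines need
    [IO.File]::WriteAllBytes("$OutDir\root.cer",     $root.Export("Cert"))
    [IO.File]::WriteAllBytes("$OutDir\wildcard.cer", $wild.Export("Cert"))
    # Private key (.pfx) only for the wildcard certificate; the root CA key never leaves this machine.
    # Export("Pfx") throws unless makecert was run with -pe (exportable key).
    [IO.File]::WriteAllBytes("$OutDir\wildcard.pfx", $wild.Export("Pfx", $PfxPassword))
    Get-ChildItem $OutDir
}

# --- Run on the SharePoint server after copying the three files ---
function Import-DevCerts([string]$InDir, [string]$PfxPassword) {
    # MachineKeySet: keep the private key under the machine, not the importing user, so IIS can reach it.
    # PersistKeySet: keep the key on disk after this X509Certificate2 object is gone.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet"
    $wild = New-Object "$ns.X509Certificate2"("$InDir\wildcard.pfx", $PfxPassword, $flags)
    $root = New-Object "$ns.X509Certificate2"("$InDir\root.cer")

    Add-StoreCert "Root" $root
    Add-StoreCert "My"   $wild
    "Imported $($wild.Subject) (thumbprint $($wild.Thumbprint)) and root $($root.GetNameInfo('SimpleName', $false))"
}

# Usage, first on the build machine and then on the server (placeholder password):
# Export-DevCerts -OutDir C:\certs -PfxPassword 'dev-only-password'
# Import-DevCerts -InDir  C:\certs -PfxPassword 'dev-only-password'
```

The same Import-DevCerts call with only the root .cer (drop the .pfx lines) is what you run on every client that should browse the sites without warnings.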

Configure IIS and SharePoint

  1. Open the IIS Manager on the server and select the IIS web site of the SharePoint web application you want on SSL.
  2. Right click and choose Bindings...
  3. If there is already an https binding, select it and choose Edit; otherwise click Add, set the type to https, the port to 443 and the host name (for example intranet.mydomain.com).
  4. Select the wildcard certificate from the SSL certificate dropdown.  Because every site uses the same certificate, they can all share one IP address on port 443 and be told apart by host name.
  5. OK and save.
  6. If the web application was created on http, also register the https address under Application Management > Configure alternate access mappings (edit the public URL or add an internal URL), otherwise SharePoint keeps generating http links.
  7. Open a browser on the server and navigate to SharePoint Central Administration.
  8. Go to Security > General Security > Manage trust (the Trust Relationships page).
  9. Create a new item, give it a name and pick the wildcard export file without the private key (the .cer).
  10. Create another trust item with the root certificate export file without the private key.
  11. Test from a client that has the root certificate in its Trusted Root store: the browser should open https://intranet.mydomain.com (or whatever host name you bound) without a certificate warning.  A warning on a client that does not have the root installed is expected and says nothing about the server.
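The IIS and SharePoint side as a script, added as an example; it is not from the post. It binds every SharePoint site to the same wildcard certificate on 0.0.0.0:443, registers the two .cer files as SharePoint trusts with New-SPTrustedRootAuthority, and finishes with a TLS handshake that validates the served certificate against the machine's Trusted Root store and the host name, the same checks a browser performs. The site names, host names and C:\certs are placeholders; the SharePoint cmdlets need the SharePoint 2013 Management Shell (or the snap-in, as loaded below) running as a farm administrator on the server.

```powershell
# Added example: bind the wildcard certificate in IIS, register the .cer files as SharePoint trusts, then test.
# Site names, host names and C:\certs are placeholders. Run elevated, as a farm administrator, on the server.
$ErrorActionPreference = "Stop"
Import-Module WebAdministration
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ns = "System.Security.Cryptography.X509Certificates"

$wild = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo("SimpleName", $false) -eq "*.mydomain.com" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $wild) { throw "wildcard certificate with private key not found in LocalMachine\My" }

# IIS site name -> host header. One wildcard certificate lets every site share 0.0.0.0:443,
# because http.sys binds the certificate to IP:port and IIS routes on the host header.
$sites = @{
    "SharePoint - intranet80" = "intranet.mydomain.com"
    "SharePoint - mysites80"  = "mysites.mydomain.com"
}
foreach ($site in $sites.GetEnumerator()) {
    if (-not (Get-WebBinding -Name $site.Key -Protocol https -HostHeader $site.Value)) {
        New-WebBinding -Name $site.Key -Protocol https -Port 443 -HostHeader $site.Value
    }
}
if (-not (Test-Path "IIS:\SslBindings\0.0.0.0!443")) {
    New-Item "IIS:\SslBindings\0.0.0.0!443" -Value $wild | Out-Null
}

# SharePoint trust relationships: the same two .cer files the post adds through Central Administration.
$trusts = @{
    "My Development Root CA" = "C:\certs\root.cer"
    "Wildcard mydomain.com"  = "C:\certs\wildcard.cer"
}
foreach ($trust in $trusts.GetEnumerator()) {
    if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $trust.Key })) {
        $cert = New-Object "$ns.X509Certificate2"($trust.Value)
        New-SPTrustedRootAuthority -Name $trust.Key -Certificate $cert | Out-Null
    }
}

# End-to-end check from any machine that has root.cer in its Trusted Root store: a full TLS handshake
# validated against that store and the host name. AuthenticateAsClient throws on an untrusted chain
# or a name mismatch, so a clean return means a browser on this machine will not warn either.
function Test-ServedCertificate([string]$HostName, [int]$Port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object "$ns.X509Certificate2"($ssl.RemoteCertificate)
        "{0}: served '{1}' issued by '{2}', chain and name OK" -f $HostName, $served.Subject, $served.Issuer
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}
Test-ServedCertificate "intranet.mydomain.com"
```

The alternate access mapping is deliberately left to the console step above (or New-SPAlternateURL); the handshake test passes without it, but SharePoint will still emit http links until the https URL is mapped.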