Configure SSL for SharePoint 2013


In this tutorial I will show you how to configure SSL for SharePoint 2013.

Prerequisites:

  1. IIS 8
  2. SharePoint 2013
  3. Windows Server 2012
  4. HTTP Web Application on Port 80

Steps:

  1. Create Self Signed Certificate on IIS 8
  2. Import Self Signed Certificate to SharePoint Certificate store
  3. Add Self Signed Certificate to trust management in Central Administration
  4. Configure IIS Binding
  5. Configure AAM
  6. Notes
  7. Issues

Note: Make sure to perform these steps with admin privileges.

Step 1: Create Self Signed Certificate on IIS 8

Open IIS Manager, select the server node and open “Server Certificates” in the IIS section.

Click Create Self-Signed Certificate… in the Actions pane.

Specify a name like “SharePointSelfSignedCert” and click OK.

Double-click the newly created certificate, go to the Details tab and click Copy to File…

Click Next on the Welcome page,

Select “No, do not export the private key” and click Next,

Select “DER encoded binary” and click Next,

Specify the location for the certificate file, click Next and then Finish (the certificate is exported).

Step 2: Import Self Signed Certificate to SharePoint Certificate store

Open Manage Computer Certificates on Windows Server 2012, go to the SharePoint node, right-click it and choose All Tasks >> Import.

Click Next, specify the location of the certificate exported in the previous step and click Next,

Make sure the certificate store is SharePoint, click Next and then Finish (the certificate is imported).

Step 3: Add Self Signed Certificate to trust management in Central Administration

Go to Central Administration >> Security >> Manage Trust (this tells SharePoint itself to trust the certificate as well).

Click New.

Enter a name, specify the location of the certificate file and click OK.

Step 4: Configure IIS Binding

Go to IIS Manager, select the web application's site and click Bindings… in the Actions pane.

Click Add…

Type: https

SSL certificate: SharePointSelfSignedCert (the certificate created in step 1).

Click Ok.

Step 5: Configure AAM

Go to Central Administration >> Alternate Access Mappings and choose your web application.

Click Edit Public URLs and add the HTTPS URL.

Click Save.

Now try to browse your site with the HTTPS URL.
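
The five steps above as one script, added here as an example and not part of the original post. It runs in an elevated SharePoint 2013 Management Shell on the web front end; the host name, the IIS site name, the web application URL and the export path are placeholders for your farm.

```powershell
# Added example (not from the original post): steps 1 to 5 in PowerShell.
# $hostName, $siteName, $waUrl and $cerPath are placeholders for your farm.
Import-Module WebAdministration
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$hostName = 'sp2013.contoso.local'                  # name users will type
$siteName = 'SharePoint - 80'                       # IIS site of the HTTP web application
$waUrl    = "http://$hostName"                      # existing web application (prerequisite 4)
$cerPath  = 'C:\Temp\SharePointSelfSignedCert.cer'  # export location used in step 1

# Step 1: self-signed certificate in the computer's Personal store. The subject
# must match the host name, otherwise browsers keep warning after it is trusted.
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'Cert:\LocalMachine\My'
# Export only the public part (no private key), DER encoded, as the wizard does.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Step 2: import the exported public certificate into the SharePoint store.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\SharePoint' | Out-Null

# Step 3: Manage Trust. Load the .cer (public key only) so the farm never gets a
# password-protected private key, which the Central Administration page rejects.
$publicCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
New-SPTrustedRootAuthority -Name 'SharePointSelfSignedCert' -Certificate $publicCert | Out-Null

# Step 4: HTTPS binding on the web application's IIS site, then attach the cert.
New-WebBinding -Name $siteName -Protocol https -Port 443
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# Step 5: alternate access mapping, a public HTTPS URL in the Internet zone as
# the post does (the comment thread discusses a single-zone alternative).
$wa = Get-SPWebApplication $waUrl
New-SPAlternateURL -WebApplication $wa -Url "https://$hostName" -Zone Internet | Out-Null

# Show the result: both bindings and both mappings should be listed.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
Get-SPAlternateURL -WebApplication $wa | Select-Object IncomingUrl, Zone, PublicUrl
```
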

Notes:

  1. Don’t use a self-signed certificate on production sites (use a certificate issued by a commercial CA).
    http://www.digicert.com/ssl-certificate-installation-microsoft-iis-7.htm
  2. If you add the self-signed certificate to Trusted Root Certification Authorities, the certificate error in the browser will disappear.
  3. IIS 8 and Windows Server 2012 introduce a new feature called Server Name Indication (SNI), which allows IIS 8 to host multiple SSL sites and certificates on a single IP address, selected by host header.
    http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability
  4. You can use the URL Rewrite module in IIS 8 to redirect from HTTP to HTTPS or vice versa.
    http://www.iis.net/learn/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module
    http://ruslany.net/2009/04/10-url-rewriting-tips-and-tricks/
  5. SSL certificates are required for Federation Services.
  6. Test the SSL implementation with https://www.ssllabs.com/ssltest/ and apply the changes described in this article: https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
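
The server-side protocol part of the hardening in note 6, added here as an example and not taken from the post or the linked article: the SChannel registry settings that turn SSL 2.0 and SSL 3.0 off and TLS 1.1 and 1.2 on. It assumes the standard SChannel key path and deliberately leaves TLS 1.0 enabled, because SharePoint 2013's own .NET 4.5 web calls default to TLS 1.0 until the separate .NET strong-crypto settings are applied.

```powershell
# Added example: SChannel server-side protocol settings behind note 6.
# Run elevated; SChannel reads these keys at boot, so reboot before re-testing.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelServerProtocol {
    param([Parameter(Mandatory)][string]$Protocol, [Parameter(Mandatory)][bool]$Enabled)
    $key = Join-Path $protocols "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # A protocol is off when Enabled = 0 and DisabledByDefault = 1, on when reversed.
    $on = [int]$Enabled
    New-ItemProperty -Path $key -Name 'Enabled' -Value $on -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value (1 - $on) -PropertyType DWord -Force | Out-Null
}

# Obsolete protocols off.
foreach ($p in 'SSL 2.0', 'SSL 3.0') { Set-SchannelServerProtocol -Protocol $p -Enabled $false }
# Modern protocols on. TLS 1.0 is not touched here: SharePoint 2013's own .NET 4.5
# client calls default to TLS 1.0, so it stays until the .NET strong-crypto
# settings are in place as well.
foreach ($p in 'TLS 1.1', 'TLS 1.2') { Set-SchannelServerProtocol -Protocol $p -Enabled $true }

# Report what is now configured, to compare with the SSL Labs result after reboot.
Get-ChildItem $protocols | ForEach-Object {
    $server = Join-Path $_.PSPath 'Server'
    if (Test-Path $server) {
        [pscustomobject]@{ Protocol = $_.PSChildName; Enabled = (Get-ItemProperty $server).Enabled }
    }
}
```
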

Issues:

Issue #1: Mixed HTTP and HTTPS Content

If you log in with the HTTPS URL and are then redirected to HTTP, the browser will ask the user to log in again with the HTTP URL.

Fix:

Go to Central Administration

Open Alternate Access Mappings (AAM)

Select your web application from the dropdown menu at the top right

Click Edit Public URLs and remove the HTTPS URL

Click Add Internal URLs, add the HTTPS URL and select the same zone as the HTTP URL

Comments (39)

  1. Thanks Fady, Good Knowledge 🙂

  2. Hameed Ali says:

    Good Post.

  3. AMgdy says:

    God bless you, Fadi, the post is more than wonderful.

  4. Vandoorn Kevin says:

    Nice tutorial !

    I'm stuck on step 3: when I open certmgr (I am using Windows Server 2008) it doesn't contain the SharePoint node. How do I fix this?

  5. Make sure you open the Certificates snap-in using the Computer account and not your user account.

  6. Rika says:

    Great overview, thank you!

  7. Rizwan says:

    Excellent Post. Thanks !!!

  8. Chet says:

    great post – works perfectly apart from the apps 🙁

  9. Ansar says:

    Can one certificate be used for multiple web applications?

  10. fabdulwahab@outlook.com says:

    If it's a wildcard certificate and all web applications share the same domain (*.abc.com) then you can configure them to use this certificate, but if it's not then you need a certificate for each web application, and a dedicated IP address for each web application if it's not IIS 8 and Windows 2012.

    You can find more information in the following Ref:

    http://www.harbar.net/…/ssl.aspx

    http://www.iis.net/…/iis-80-server-name-indication-sni-ssl-scalability

  11. Julien Frisch says:

    Very helpful thanks

  12. Don_NJ says:

    After I changed things according to this article, I can't access SkyDrive and Newsfeed. How do I solve this issue?

  13. fabdulwahab@outlook.com says:

    Hi Don_NJ ,

    I don't think this issue is related to SSL, but try to check the SharePoint logs; maybe you find something useful.

    Also try to run the commands below to enable OAuth authentication over HTTP

    $config = (Get-SPSecurityTokenServiceConfig)
    $config.AllowOAuthOverHttp = $true
    $config.Update()

  14. K_Joshi says:

    Hi Fadi,

    After performing all the steps as you mentioned, shouldn't I get prompted for authentication? Or does it happen only when SSL is bought from trusted CA and does not happen in Self Signed Certificate.

  15. fabdulwahab@outlook.com says:

    There is no relation between the SSL certificate and authentication; check whether your web application has anonymous access enabled or not.

  16. eXavier says:

    In my opinion the AAM configuration is incorrect:

    1) You haven't extended the web application to "Internet" zone but you are setting it in AAM.

    2) The most secure URL should be for default zone because it is the one used for rendering the URLs if mapping is not found.

    If you want to switch the web application to SSL (without extending web app), provide mapping like this:

    Internal URL | Zone | Public URL

    http://sps2013 | Default | https://sps2013

    https://sps2013 | Default | https://sps2013

    This will cause the links in the web application to render with HTTPS whether you access it with HTTP or HTTPS.

    If you also want to use HTTP to access your web application you can extend it with a different URL.
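
The mapping table in the comment above, and the same-zone idea behind the Issue #1 fix in the post, built with the SharePoint cmdlets instead of the AAM pages. This is an added example, not code from the thread; it runs in an elevated SharePoint 2013 Management Shell and the two URLs are placeholders for your web application.

```powershell
# Added example (not from the thread): both URLs in the Default zone with HTTPS
# as the public URL. $httpUrl and $httpsUrl are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$httpUrl  = 'http://sps2013'
$httpsUrl = 'https://sps2013'
$wa = Get-SPWebApplication $httpUrl

# If the HTTPS URL was added as the public URL of another zone (step 5 of the
# post), remove it first; a second zone is where the Issue #1 double login comes from.
Get-SPAlternateURL -WebApplication $wa |
    Where-Object { $_.IncomingUrl -eq $httpsUrl -and $_.Zone -ne 'Default' } |
    Remove-SPAlternateURL -Confirm:$false

# Row 2 of the table: make HTTPS the public URL of the Default zone. Changing the
# zone's public mapping in place is what "Edit Public URLs" does in the UI.
Set-SPAlternateURL -Identity $httpUrl -Url $httpsUrl

# Row 1 of the table: HTTP stays reachable as an internal URL of the same zone,
# so a request on http:// is recognised and every link is rendered as https://.
New-SPAlternateURL -WebApplication $wa -Url $httpUrl -Zone Default -Internal | Out-Null

# Should now print exactly the two rows of the table.
Get-SPAlternateURL -WebApplication $wa | Select-Object IncomingUrl, Zone, PublicUrl
```

The IIS HTTPS binding from step 4 of the post is still required; AAM only tells SharePoint how to interpret and render URLs.
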

  17. Anthony says:

    Thanks, this was very helpful!

  18. Niranjan says:

    If anyone is getting an error on step 3, please use the PowerShell commands below

    $cert = Get-PfxCertificate -FilePath "<Path of certificate file with cer extension>"

    New-SPTrustedRootAuthority -Name "<Certificate Friendly Name>" -Certificate $cert

  19. Manolo says:

    Hi, I am really lost and I need a little help. On step 4, when I am configuring the IIS binding, I click into the Type textbox and put "https", and after that I do not see my own certificate in the SSL certificate textbox.

    I have done every previous step. I have bought a certificate (.crt) and I began at step 2. The CA gave me two files, one called "gs_intermediate_ca" and the other "STAR_dominio_com", and I have done this process with both certificates and the result is the same. Thank you very much

  20. fabdulwahab@outlook.com says:

    In step 1: try Complete Certificate Request instead of Create Self-Signed Certificate; after you complete the wizard you will find your certificate listed under Server Certificates.

  21. Din Dang says:

    Hi Fadi, I'm about to purchase an individual SSL certificate for my SharePoint. The SharePoint is managed by an outsourced vendor; my biggest concern is, when the SSL certificate is deployed, will any changes have to be made in the source code of the SharePoint application, such as changing the links in the source code from http to https? Because according to the vendor, it will take a lot of change requests in the SharePoint source code and they will charge an unreasonable price. Supposedly SSL is just a communication between server and user, right?

  22. Manolo says:

    Thanks Fadi for your fast response.

    I have tried to complete the certificate request but I have not had success. I have the main server "domino.com", which has the DC server and DNS server, and the child server "child.dominio.com", which has SharePoint Server 2013. I have tried to install the certificate on the child server. Is it possible that the problem was that?

  23. fabdulwahab@outlook.com says:

    Contact your certificate vendor and explain the issue to them; maybe they will suggest using a wildcard certificate.

  24. fabdulwahab@outlook.com says:

    Hi Dig Dang ,

    No need to change anything in your source code because, as you said, SSL is just a communication matter; and make sure to use hyphen URLs, for example /pages/test.aspx, and don't use http://url/pages/test.aspx.

  25. Indika Rathnasekara says:

    Hi Fadi

    Worked like a charm.

    Performed in a WIN 2008 R2 Standard SP1 box.

  26. imran says:

    It doesn't work for me; every time I import the certificate in AAM it gives me an error that the certificate is password protected.

    I want to know why it's showing this error. Please help me with this problem.

  27. bspender says:

    I'm about a year and a half late to this party, but I completely agree with the earlier response by "eXavier_777" (Mon, Jan 20 2014 7:48 AM) in that your AAMs are incorrect (and manually modified from Central Admin without extending the Web App, which is even worse because it will cause inconsistencies for SP).

    He is exactly correct, so to reiterate (and by that, I mean copy/paste what he wrote)…

    If you want to switch the web application to SSL (without extending web app), provide mapping like this:

    Internal URL | Zone | Public URL

    http://sps2013 | Default | https://sps2013

    https://sps2013 | Default | https://sps2013

    This will cause the links in the web application to render with HTTPS whether you access it with HTTP or HTTPS.

    If you also want to use HTTP to access your web application you can extend it with a different URL.

  28. Bharat says:

    I am getting an error on step 3. When I import the certificate into AAM, it gives me an error saying that the certificate is password protected.

  29. Dude says:

    bspender and eXavier_777,

    Specifically, how do you configure the mappings that way? I can't figure out how to get mine to look like that using the web UI.

  30. Neha says:

    I've created a site and configured it with all the self-signed certificates. Everything works fine, except for the last step: the HTTPS site doesn't open; it shows an error, HTTP unauthorized 404, though I've logged in as the admin!!! Please help.

  31. Dhana says:

    Hi,

    Nice post.

    Can someone tell me how to configure HTTPS for a web application that is running on a port other than 80, and how to configure AAM for it?

  32. Bob Elander says:

    I am liking your post so far; came in off Bing and am about to attempt this.

  33. We have a problem at step 3 says:

    The Root Certificate that was just selected is invalid. This may be because the selected certificate requires a password and we do not support certificates that require a password. Please select another certificate.

  34. Umar says:

    Any thoughts on this note?

    Note: strongly recommend to use Central Administration or PowerShell to extend the web application with port HTTPS instead of doing the manual HOST name entry in IIS by adding a new URL in AAM like the below method. Once you get the second IIS website, you can configure the SSL ……………..

    blogs.msdn.com/…/how-to-enable-ssl-on-a-sharepoint-web-application.aspx

  35. adil says:

    HI

    I want to change our existing internet-facing HTTP web application to HTTPS.

    So it's already a SharePoint 80 application on the default zone.

    So if I extend the web application to port 443, how will I configure the web application to open on HTTPS by default?

  36. adil says:

    HI Fadi,

    I did all the steps and when I type my site with https in the browser it works well,

    but how do I open my site by default with the https protocol? When I type mysite.com in the browser it should open with https.
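
One way to get the behaviour asked about above, added here as an example and not part of the thread: a URL Rewrite rule, created with the WebAdministration module, that answers every plain HTTP request with a permanent redirect to the same host and path over HTTPS. It assumes the IIS URL Rewrite module from note 4 is installed, that the HTTPS binding and mapping from the post are already in place, and that 'SharePoint - 80' is the web application's IIS site.

```powershell
# Added example (not from the thread): HTTP to HTTPS redirect rule for the site.
# Needs the IIS URL Rewrite module; run elevated. $site is a placeholder.
Import-Module WebAdministration

$site     = 'IIS:\Sites\SharePoint - 80'     # the web application's IIS site
$rule     = 'Redirect HTTP to HTTPS'
$rules    = 'system.webServer/rewrite/rules'
$rulePath = "$rules/rule[@name='$rule']"

# Create the rule only if it is missing, so the script can be re-run safely.
if (-not (Get-WebConfiguration -PSPath $site -Filter $rulePath)) {
    Add-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' `
        -Value @{ name = $rule; patternSyntax = 'Wildcard'; stopProcessing = 'True' }
    # Match every request path ...
    Set-WebConfigurationProperty -PSPath $site -Filter "$rulePath/match" -Name 'url' -Value '*'
    # ... but only when it did not arrive over TLS ({HTTPS} is "off" on the port 80 binding).
    Add-WebConfigurationProperty -PSPath $site -Filter "$rulePath/conditions" -Name '.' `
        -Value @{ input = '{HTTPS}'; pattern = 'off' }
    # Redirect permanently (301); {R:1} is the path captured by the wildcard above.
    Set-WebConfigurationProperty -PSPath $site -Filter "$rulePath/action" -Name 'type' -Value 'Redirect'
    Set-WebConfigurationProperty -PSPath $site -Filter "$rulePath/action" -Name 'url' -Value 'https://{HTTP_HOST}/{R:1}'
    Set-WebConfigurationProperty -PSPath $site -Filter "$rulePath/action" -Name 'redirectType' -Value 'Permanent'
}

# Show the rule as IIS stored it in the site's web.config.
Get-WebConfiguration -PSPath $site -Filter $rulePath | Select-Object name, patternSyntax, stopProcessing
```

Because the condition checks {HTTPS}, the rule is harmless when both bindings live on the same IIS site: requests that already arrived over port 443 pass through untouched.
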

  37. Volodymyr says:

    Thanks, great and thorough post!

    If someone experiences a "The Root Certificate that was just selected is invalid" issue on step 3 (Add Self Signed Certificate to trust management in Central Administration), the resolution is to use a simple PowerShell command: New-SPTrustedRootAuthority -Name "FriendlyNameForTrust" -Certificate C:\<location of certificate>

    Got from there: sharepointlark.wordpress.com/…/ssl-certificates-trusts-and-sharepoint-2010
