If you have an enterprise PKI, or even just a single CA, that issues certificates to services such as ADFS or Workflow Manager that you intend to use with your SharePoint farm, it is worthwhile importing your Root and Intermediate CA certificates into SharePoint so that it trusts the other services.
Currently we have a PKI setup similar to the following:
- Enterprise Root CA (Offline)
  - Enterprise Intermediate CA (Offline)
    - Web Services CA (Online)
    - Authentication CA (Online)
The Root and the Intermediate CA are offline and secured except for planned maintenance, such as publishing new certificate revocation lists. The Web Services CA is the CA that issues the certificates we use for web services like Workflow Manager, and the Authentication CA issues the ADFS signing Certificate, which also needs to be trusted by SharePoint.
First of all, you need to grab a copy of the certificate of each CA in the chain. If you have your PKI configured correctly, they should be readily available, so I won’t go into that process. If you are exporting them from the CA servers, DO NOT export private keys; SharePoint doesn’t need them, and exposing them would be a major security concern. Once you have them, copy them to a directory on your SharePoint server(s).
Then, make sure the certificates are in the trusted root certification authorities store on every server in your farm. The easiest way to do this is to publish the certificates using Group Policy, but you can do this manually if you like. Simply follow these steps on each server in the farm:
- Double click the first certificate.
- Click Install.
- Select “Local Machine” and click Next.
- Click Yes on the UAC prompt.
- Select “Place all certificates in the following store”.
- Click Browse and select “Trusted Root Certification Authorities” or “Intermediate Certification Authorities”, depending on whether the certificate is the root of the chain.
- Click Next.
- Click Finish.
- Repeat for each certificate in the chain.
On your SharePoint server execute the following PowerShell commands for each certificate, changing "C:\RootCA.cer" to the path of each certificate, and "Enterprise Root CA" to a friendly name for each CA.
# Load the public certificate from disk, then register it as a SharePoint trusted root authority.
$path = "C:\RootCA.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
New-SPTrustedRootAuthority -Name "Enterprise Root CA" -Certificate $cert
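The following script is an added example, not from the original post: it walks a folder of exported CA certificates, refuses any file that carries a private key or is not a CA certificate, places roots and intermediates in the matching Windows machine store, and registers each with SharePoint. The folder path C:\CACerts and the use of the certificate CN as the friendly name are assumptions.

```powershell
# Added example: import every CA certificate in a folder into the correct
# LocalMachine store and register each as a SharePoint trusted root authority.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certFolder = 'C:\CACerts'   # assumption: folder holding the exported .cer files

foreach ($file in Get-ChildItem -Path $certFolder -Filter *.cer) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)

    # An exported CA certificate must never carry a private key; stop if one does.
    if ($cert.HasPrivateKey) {
        Write-Warning "$($file.Name) contains a private key - re-export it without the key."
        continue
    }

    # Only CA certificates belong in these stores: check the Basic Constraints extension.
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        Write-Warning "$($file.Name) is not a CA certificate; skipping."
        continue
    }

    # Self-signed (subject equals issuer) means the root of the chain; anything else is an intermediate.
    # Store 'Root' = Trusted Root Certification Authorities, 'CA' = Intermediate Certification Authorities.
    $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)          # no-op if the certificate is already present
    $store.Close()

    # SharePoint's own trust list; use the CN as the friendly name and skip duplicates.
    $friendlyName = $cert.GetNameInfo('SimpleName', $false)
    if (-not (Get-SPTrustedRootAuthority -Identity $friendlyName -ErrorAction SilentlyContinue)) {
        New-SPTrustedRootAuthority -Name $friendlyName -Certificate $cert | Out-Null
    }

    Write-Host ("{0}: thumbprint {1} -> {2} store, SharePoint trust '{3}'" -f `
        $file.Name, $cert.Thumbprint, $storeName, $friendlyName)
}
```

Run it once per SharePoint server for the Windows store part; the New-SPTrustedRootAuthority registration is farm-wide and only needs to succeed once.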
If you don’t like PowerShell or are unable to access PowerShell for whatever reason, you can also install the certificates from Central Admin:
- Navigate to Central Admin -> Security -> Manage Trust.
- Click “New”.
- Add a friendly name for the certificate.
- Click Browse and select your certificate.
- Click OK.
- Repeat for each certificate in your PKI chain.