Posted by: Eric Schrader | September 23, 2014

SharePoint 2013, IIS7, NLB, SSL certificates and GoDaddy Renewal Steps

Overview:

SSL certificates with SharePoint 2013 web applications expire, and when that does, you have to generate a new SSL Certificate. In this post, I will go over how to renew you SharePoint 2013 SSL HTTPS website with GoDaddy, even including multi-server Web Front End (WFE’s) topologies. If you use wildcard certificates on you SharePoint websites, there are a few gotchas when renewing. The process is similar for most certificate types, but wildcards and SharePoint are this blog posts focus. These steps are also similar if you are adding a SSL certificate to your website for the first time (once your SharePoint farm, web applications, and site collections have been configured to use HTTPS, etc.).

Here is an overview of the steps involved with the certificate renew process:

  1. Request a new certificate request from the machine running IIS/SharePoint (Pick a WFE)
  2. Go to GoDaddy and rekey your certificate, entering your certificate request text from step 1
  3. Complete the certificate request in IIS on WFE
  4. Update WFE bindings to use SSL cert
  5. Export certificate from WFE to WFE2 (PFX with personal information, create a password)
  6. Import the PFX on WFE2 IIS
  7. Update WFE2 bindings to use SSL cert

Common issues:

First, this is my experience. Comment below any corrections or other helpful information.

  • When adding the cert to IIS and refreshing, it disappears!
    • Your certificate request is expired. Generate a new one and try again.
    • You are following GoDaddys guide, which does not work. Follow my post below.
    • The cert might already exist and need to be deleted in the Certificate Manager on the server.
  • CER, CRT, PFX- what is the difference? Why do I have to select *.* if I need a specific type? Who designed this stuff…
    • CER is a request
    • CRT is a certificate without private information
    • PFX is a certificate package with private information (exported from CRT paired on the first server, the PFX is imported to the second server).
  • How do I complete a request on WFE2 if it was already completed from WFE1?
    • Export the working cert from Server 1 as a PFX file with a password, then import it on server 2 in IIS. Do not use cert manager on server 2.

Steps to renew your Existing wildcard SSL Certificate:

  1. Verify your certificate is expired by navigating to your SharePoint site. If you get an HTTPS trust warning, it’s expired or has issues that this blog post will address.
  2. Go to WFE1 IIS 7 on your SharePoint box
    1. Go to Server Certificates in IIS

    2. Remove any old certificates that contain the URL for your SharePoint site that we are renewing

    3. On the top right in IIS, go to “Create Certificate Request”

    4. Enter your information. Common name is the wildcard URL. The rest, do not use abbreviations. See this post for more info: https://support.godaddy.com/help/article/4800/generating-iis-7-csrs-certificate-signing-requests

    5. Select “4096” for the bit length

    6. Select a location/filename for the text file that is about to be generated

    7. We will be copying the contents of this file to GoDaddy to rekey our wildcard SSL certificate in the next step.
  3. Now that we have our server “key” information waiting in the text file, we can now go to GoDaddy and pair this server information to that of our SSL certificate.
    1. Go to Go Daddy Certificate Manager (Manage SSL Certificates > Manage Certificates)

    2. Select “Re-Key” on the top navigation
    3. Paste your text file contents from the IIS text file to this GoDaddy window:

    4. Select “Re-Key”
    5. Click “Manage Certificates” From the top navigation, then select “Certificates” folder on the left navigation.
    6. Select the bottom SSL certificate (the most recent version)
    7. Select “Download” icon from the navigation.

    8. Select IIS7, the “Download”

    9. Save this zip to your WFE server where you created the IIS certificate request.
    10. Extract to C:\Temp and proceed carefully to the next steps in this post.
  4. On WFE1 in IIS where you created the certificate request, open IIS 7 and follow these steps to use the certificate you downloaded from GoDaddy.
    1. Remove any old expired wildcard certificates from the WFE1 servers “Certificate Manager”, check Personal > Certificates and the Intermediate > Certificates locations

    2. COMMON GOTCHA: Do not install the cert, do it using IIS.
    3. Go back to “Server Manager” in IIS 7, select “Complete Certificate Request” on the right navigation

    4. Enter the information for the Certificate request as follows:

    5. COMMON GOTCHA: Select *.* when browsing for the CRT file from the GoDaddy zip

    6. Friendly name must be the wildcard URL of the domain.
    7. Click OK.
    8. Refresh the Server Manager to verify the certificate “stays”. If it disappears, you either have:
      1. A certificate in your Personal Certificate store with the same friendly name
      2. An expired or old Certificate Request you generated and downloaded, or you downloaded an older certificate from GoDaddy. Repeat these steps and it will work (it should).
  5. Set the IIS binding of the new certificate to your SharePoint 443 SSL HTTPS website in IIS:
    1. Go to IIS 7 > Sites > select the SharePoint site that uses the wildcard cert.
    2. Select “Bindings” on the right with the website selected.

       

    3. Select “Edit” and select the new SSL certificate

    4. Select OK. On WFE2, you will get an error here trying to use an exported PFX file, follow the next steps to fix WFE2.
    5. Verify the site loads on WFE1 if you can control your DNS/NLB routing.
  6. If you have additional WFE servers, you need to export this new verified SSL certificate to IIS. Here is how.
    1. From WFE1, Go to “Server Certificates”, right click the wildcard cert and select “Export”

    2. Pick a location for the new PFX file, then enter a secure password.

    3. Click OK
    4. Copy the PFX file to WFE2 through Explorer or any other method.
    5. On WFE2, go to IIS 7 > “Server Certificates” and select “Import”

       

       

       

    6. Browse to the PFX file copied over from WFE1, enter your password and select OK.
    7. Refresh “Server Certificates” to verify it is still available.
    8. Repeat the import process in IIS on other WFE servers.
  7. Now that the certificate is available on the other WFE’s in IIS, we need to update the bindings. Same process as the first WFE.
    1. (Copied and pasted from WFE1 steps, but perform these on the WFE2 and additional servers once the certificate is imported)
    2. Go to IIS 7 > Sites > select the SharePoint site that uses the wildcard cert.
    3. Select “Bindings” on the right with the website selected.

       

    4. Select “Edit” and select the new SSL certificate

    5. Select OK.
    6. Verify the site loads on WFE2 if you can control your DNS/NLB routing.

That’s it! I believe most of what’s above is best practices. I would also remove temporary certificate files, such as PFX, CSR files, etc. left around during the process for added security.

Advertisements

Responses

  1. Great post. Do you know if GoDady wildcard SSL certs allow you to have secondary level names? E.g. hr.intranet.contoso.com

    • Glad it helped! I am not sure, I suspect you can. I have head some routers don’t support the secondary level names, so we typically stay away from them IMO.

  2. Hi Eric, Thanks for such a great post 🙂
    I have recieved a wildcard certificate as zip file to renew the existing old one on Sp2013 server. it is correct that I can skip step 1 to 3 and jump to step 4?
    and it is a production server, will Intranet be unavailable during this task?

    Thanks in advance

    • Sorry for the year late reply SHBA, yes, as long as the new certificate is in the cert store on the servers, that is the main thing. If you have issues, steps 1-3 address this.

  3. […] SharePoint 2013, IIS7, NLB, SSL certificates and GoDaddy … – Overview: SSL certificates with SharePoint 2013 web applications expire, and when that does, you have to generate a new SSL Certificate. In this post, I will go over … […]

  4. Just got off the phone with GoDaddy support, few good bits of info:

    Difference between Rekey/Renew and Revoke:
    Rekey- change info (another server or cert name), gives 72 hour to reinstall before old cert expires.
    Renew- same info, another year (This is what the above blog post does)
    Revoke- cancels cert and deletes it out of the account, immediately cancels.

    Recommended Path:
    Renew certificate, generate a new CSR (pending renewal, then download and complete), swap out cert and rebind on applications (multiple years is best to avoid this process each year)


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: