Tuesday 26 July 2016

Replacing the Default FS4SP Certificate with a Windows Server CA Certificate



Instead of using the default certificate installed with FS4SP, you can use a certificate issued by an Enterprise CA.
A FAST Search for SharePoint (FS4SP) server installation requires a FAST Search certificate in order to run queries over HTTPS. On a development machine you can use a self-signed certificate; however, self-signed certificates are not recommended for a production environment.

Instead of using the default certificate installed with FS4SP, you can use a certificate issued by a certification authority (CA) in order to achieve a higher level of security in a production environment. Your organization may have an existing public key infrastructure (PKI) that can issue certificates.

Before making the changes, please read the references mentioned below in the article for a detailed understanding of the other options. I found the book "Working with Microsoft FAST Search Server 2010 for SharePoint" very helpful and hope it will help you too.

The following procedure assumes you have access to a Windows CA server with an account that has permission to create certificate templates and that you are using FS4SP and SharePoint servers under the same parent domain. The account must have Enterprise Administrator privileges in order to duplicate a template that is used in the procedure.

Create a template

1. Log on to your CA server with an account that has appropriate permissions to create certificate templates.
2. Open Certification Authority, right-click Certificate Templates, and select Manage.
3. Right-click Web Server and select Duplicate Template. Choose Windows Server 2003 Enterprise and then click OK.
4. Select the General tab in the Properties window.
5. Set the template display name to FAST Search Server, the template name to FASTSearchServer and the validity period to, for example, 100 Years to create a long-lasting certificate.
6. Select the Request Handling tab.
7. Set the purpose to Signature and Encryption and the minimum key size to 2048. Select Allow Private Key to Be Exported, and set Requests Must Use One of the Following CSPs to Microsoft DH SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider.
8. Select the Subject Name tab.
9. Select Build From This Active Directory Information, set the subject name format to Common Name and select the DNS Name check box for Include This Information In Alternate Subject Name.
10. Select the Server tab and select both options.
11. Select the Issuance Requirements tab and clear all options.
12. Select the Superseded Templates tab and remove any template listed.
13. Select the Extensions tab.
14. Edit Application Policies and add all possible policies.
15. Edit Basic Constraints and clear the Enable this Extension check box.
16. Edit Issuance Policies and remove all possible policies. Clear the Make This Extension Critical check box.
17. Edit Key Usage, select the Digital Signature and Signature Is Proof Of Origin check boxes, select Allow Key Exchange Without Key Encryption, and select the Make This Extension Critical check box.
18. Click OK to save the template.

Request a certificate

You need to generate a certificate for each of your FS4SP servers and for each SharePoint server that hosts a FAST Content SSA.
1. Log in to the server for which you want to generate a certificate.
2. Follow the guide at http://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx to start the Certificate Enrollment wizard with an enterprise CA.
3. Choose Active Directory Enrollment Policy on the enrollment screen.
4. Select the Subject tab.
5. Choose the FAST Search Server template you created in the previous procedure.
6. Click the edit link to configure settings before you enroll the certificate.
7. Set the subject name type to Common Name and enter the FQDN of your server as the value. Then click the Add button.
8. Set the alternative name type to DNS and enter the FQDN of your server as the value. Then click the Add button.
9. Select the General tab.
10. Enter a friendly name and description for your certificate.
11. Select the Extensions tab.
12. For key usage, add the following:
·         Data Encipherment
·         Digital Signature
·         Key Certificate Signing
·         Key Encipherment
13. For extended key usage, add all available options.
14. Select the Private Key tab.
15. Under Cryptographic Service Provider, choose RSA Provider; the DH check box can be cleared. Under Key options, your key length should be 2048 and the key must be exportable. The key type can remain the default of Exchange. For an FS4SP server, Key Permissions must give the FS4SP service account full access to the certificate’s private key. For a SharePoint server with the FAST Content SSA, give the service account for the FAST Content SSA full access to the certificate’s private key.
16. Click OK to save your settings.
17. Click Enroll.
The certificate should now appear in the Personal folder under the Local computer’s hierarchy.

After you have generated certificates for each server, follow the TechNet procedure at http://technet.microsoft.com/en-us/library/ff381244.aspx#Replace_Default about how to properly install the certificate for your FS4SP server and your SharePoint servers.
To test that the certificates are properly installed, from a SharePoint Management Shell on the FAST Content SSA servers, issue the following Windows PowerShell cmdlet, where fs4spserver.mydomain.com is the FS4SP server to test the connection against. The value for your newly installed certificate should read True in the Connection Success column, and you should now be able to start crawling content with the new certificates installed.

Ping-SPEnterpriseSearchContentService <fs4spserver.mydomain.com>


Using the Certificate Enrollment wizard

The Certificate Enrollment wizard can be used to include SANs in a certificate request. The Certificate Enrollment wizard can submit the request to an enterprise CA, or the request can be saved to a file and submitted to a standalone CA in your organization, a public CA, or another CA product.
Understand your CA procedures and requirements for certificate requests. In particular, you should confirm the following before creating a certificate request:
  • Cryptographic service provider (CSP)
  • Supported request formats: CMC, PKCS #7, or PKCS #10
The Certificate Enrollment wizard is available beginning with computers running Windows Server 2008 or Windows Vista. The wizard can be used to submit certificate requests to enterprise and standalone CAs running Windows Server 2003 or later.
Procedures are described for using the Certificate Enrollment wizard with an enterprise CA or standalone CA. Use the procedure that is appropriate for your CA type.
You must be a member of the local Administrators group to complete these procedures.

Using the Certificate Enrollment wizard with an enterprise CA
Complete the following procedure to request a certificate with a SAN for a computer running Windows Server 2008 or later. You must use an enterprise CA running Windows Server 2008 or later.
The Web Server certificate template is used as an example in the following procedure. Use the template that is appropriate for your environment. The account used to create the request must have Read and Enroll permissions on the certificate template. The template must be configured to accept user-defined SANs.

To use the Certificate Enrollment wizard with an enterprise CA
  1. Log on to the server as a member of the local Administrators group.
  2. Click Start.
  3. In the Search programs and files box, type mmc.exe, and press ENTER.
  4. On the File menu, click Add/Remove Snap-in.
  5. In the list of available snap-ins, click Certificates, and then click Add.
  6. Click Computer account, and click Next.
  7. Click Local computer, and click Finish.
  8. Click OK.
  9. In the console tree, double-click Certificates (Local Computer), and then double-click Personal.
  10. Right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Enrollment wizard.
  11. Click Next.
  12. Click Next.
  13. Select the Web Server template. Click the warning icon below More information is required to enroll for this certificate. Click here to configure these settings.
  14. Note the warning icon on the Subject tab. This tells you what type of information is required.
Because SSL/TLS does not require a Subject name when a SAN extension is included, the Subject name can be empty. If you are using another protocol, verify the certificate requirements. To use an empty Subject name, skip steps 15 and 16.
  15. In the Subject name area under Type, click Common Name.
  16. In the Subject name area under Value, enter the fully qualified domain name of the server, and then click Add.
  17. In the Alternative name area under Type, click DNS.
  18. In the Alternative name area under Value, enter the fully qualified domain name of the server, and then click Add.
  19. Repeat steps 17 and 18 above for each additional SAN that you require. Click OK when finished.
If you are requesting a certificate for a computer other than your client computer, the private key must be exportable. To specify that the private key is exportable, click the Private Key tab, click the Key Options arrow, and click Make private key exportable. The CA must also be configured to support exportable private keys.
  20. Click Enroll.
  21. After enrollment succeeds, click Finish.

Replace the self-signed certificate with a certificate signed by a certification authority (CA)

  1. Stop FAST Search Server 2010 for SharePoint on all servers in the farm, including the monitoring service.
  2. On each server in the FAST Search Server 2010 for SharePoint farm:
    1. Make sure that the new CA signed certificate is installed correctly:
The CA signed certificate must be installed under Certificates(Local Computer)\Personal in the certificate store.
The root CA signed certificate must be installed under Certificates(Local Computer)\Trusted Root Certification Authorities.
    2. Make sure that the FAST Search Server 2010 for SharePoint user has access to the private key of the certificate.
  3. On the FAST Search Server 2010 for SharePoint administration server, follow these steps:
    1. Find the thumbprint of the CA signed certificate.
      1. Open Microsoft Management Console. Click Start and then type MMC in the Search box. Click MMC under Programs.
      2. Expand the Certificates (Local computer) menu under Console Root.
Optional: If the Certificates (Local computer) menu is not visible, the Certificates snap-in is not enabled. To enable the Certificates snap-in:
        1. Click File and then click Add/Remove Snap-in.
        2. Select Certificates from the list of Available snap-ins and then click Add.
        3. Select Computer account and then click Next.
        4. Select Local computer and then click Finish.
        5. Click OK in the Add or Remove Snap-ins menu.
      3. Expand the Personal folder and then click the Certificates folder. Double-click the CA signed certificate.
      4. Open the Details tab and then click Thumbprint.
    2. On the Start menu, click All Programs.
    3. Click Microsoft FAST Search Server 2010 for SharePoint and then Microsoft FAST Search Server 2010 for SharePoint shell.
    4. At the command prompt, browse to installer\scripts under the installation folder.
    5. Type one of the following commands:
If you use one certificate for all the servers in the farm, type:
.\ReplaceDefaultCertificate.ps1 -thumbprint "certificate thumbprint"
Where:
·         certificate thumbprint is the thumbprint of the CA signed certificate.
If you use a server specific certificate, type:
.\ReplaceDefaultCertificate.ps1 -certificateValidationMode ChainTrust -thumbprint "certificate thumbprint"
Where:
·         certificate thumbprint is the thumbprint of the CA signed certificate.
  4. Start FAST Search Server 2010 for SharePoint on the administration server.
  5. On each non-administration server, follow these steps:
    1. On the Start menu, click All Programs.
    2. Click Microsoft FAST Search Server 2010 for SharePoint and then Microsoft FAST Search Server 2010 for SharePoint shell.
    3. At the command prompt, browse to installer\scripts under the installation folder.
    4. Type one of the following commands:
If you use one certificate for all the servers in the farm, type:
.\ReplaceDefaultCertificate.ps1 -thumbprint "certificate thumbprint"
Where:
·         certificate thumbprint is the thumbprint of the CA signed certificate.
If you use a server specific certificate, type:
.\ReplaceDefaultCertificate.ps1 -certificateValidationMode ChainTrust -thumbprint "certificate thumbprint"
Where:
·         certificate thumbprint is the thumbprint of the CA signed certificate.
  6. Start FAST Search Server 2010 for SharePoint on all non-administration servers.
The SharePoint Server where the Content SSA is running also needs a certificate that is signed by the same CA to feed documents to FAST Search Server 2010 for SharePoint:
  1. Install the CA signed certificate on SharePoint Server 2010 under Certificates(Local Computer)\Personal in the certificate store.
  2. Install the root CA certificate under Certificates(Local Computer)\Trusted Root Certification Authorities.
  3. Copy the script SecureFASTSearchConnector.ps1 from the FAST Search Server 2010 for SharePoint administration server to the SharePoint Server 2010 server that is running the FAST Search connector. The SecureFASTSearchConnector.ps1 script can be found in the installation folder, under \installer\scripts\.
  4. On the SharePoint Server 2010 server that is running the FAST Search connector, follow these steps:
    1. On the Start menu, click All Programs.
    2. Click Microsoft SharePoint 2010 Products.
    3. Right-click SharePoint 2010 Management Shell, and select Run as administrator.
    4. Browse to the directory where you copied the SecureFASTSearchConnector.ps1 script and run it, replacing the necessary parameters with the values for your environment. The domain and user name should reflect the details of the user running the SharePoint Server Search 14 service (OSearch14):
      • If you know the thumbprint of your certificate, type the following command:
.\SecureFASTSearchConnector.ps1 -certThumbprint "certificate thumbprint" -ssaName "name of your content SSA" -username "domain\username"
      • If you do not know the thumbprint of your certificate, type the following command:
.\SecureFASTSearchConnector.ps1 -ssaName "name of your content SSA" -username "domain\username"
This command will return the thumbprints of the available certificates and a prompt asking whether you want to use the suggested certificate.
Enter y for yes, and then press Enter.
Multiple server deployments
If you have configured the FAST Search Content SSA to use more than one crawl component, you must install the same CA signed certificate on each SharePoint Server 2010 server that has a crawl component.
  1. Make sure that the server has a certificate installed that is issued and signed by the same Certificate Authority as the certificate on the host server of the FAST Search Content SSA. The certificate must be installed under Certificates(Local Computer)\Personal in the certificate store. The root CA signed certificate must be installed under Certificates(Local Computer)\Trusted Root Certification Authorities.
  2. Grant the Search Service Application account (the account under which the SharePoint Server Search 14 service (OSearch14) runs) access to the private key of the imported certificate.
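Before running ReplaceDefaultCertificate.ps1 or SecureFASTSearchConnector.ps1, it is worth confirming on each server the conditions that step 15 of "Request a certificate" and steps 2 and "Multiple server deployments" of the replace procedure above ask for: a 2048-bit key with a private key present, the server FQDN in the Subject or SAN, a chain that builds to a trusted root, and private-key access for the service account. The script below is an added example written for this article; it is not part of the original post or of Microsoft's FS4SP scripts. It assumes you pass the thumbprint read from MMC and the service account name, and that the key was created with the Microsoft RSA SChannel CSP required by the template, so the key container lives under MachineKeys.

```powershell
# Added example (not from the original post or from Microsoft's FS4SP scripts).
# Run in an elevated PowerShell on each FS4SP / Content SSA server.
param(
    [Parameter(Mandatory=$true)][string]$Thumbprint,      # value from the Details tab in MMC
    [Parameter(Mandatory=$true)][string]$ServiceAccount   # assumed form, e.g. "MYDOMAIN\svc_fast"
)

# MMC shows the thumbprint with spaces; normalise before comparing.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
if (-not $cert) { throw "No certificate with thumbprint $clean under Certificates(Local Computer)\Personal" }

$problems = @()

# 1. Key requirements from the template and request: private key present, 2048-bit.
if (-not $cert.HasPrivateKey) { $problems += "certificate has no private key" }
$bits = $cert.PublicKey.Key.KeySize
if ($bits -lt 2048) { $problems += "key size is $bits, expected 2048" }

# 2. The request was built from the server FQDN: it must appear in Subject or SAN (OID 2.5.29.17).
$fqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($true) } else { '' }
if ($cert.Subject -notmatch [regex]::Escape($fqdn) -and $sanText -notmatch [regex]::Escape($fqdn)) {
    $problems += "neither Subject nor SAN contains $fqdn"
}

# 3. The chain must build to a root in Trusted Root Certification Authorities,
#    which is what -certificateValidationMode ChainTrust relies on.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is verified separately
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "chain does not build: $status"
}

# 4. The service account needs access to the CSP key container file (the page grants full access;
#    Read is the minimum that lets the service open the key).
if ($cert.HasPrivateKey -and $cert.PrivateKey) {
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    $allowed = (Get-Acl $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    if (-not $allowed) { $problems += "$ServiceAccount has no Read access to private key file $keyFile" }
}

if ($problems.Count -eq 0) { "OK: $($cert.Subject) ($clean) is ready for ReplaceDefaultCertificate.ps1" }
else { $problems | ForEach-Object { "FAIL: $_" } }
```

On a SharePoint server hosting a crawl component, pass the OSearch14 service account as -ServiceAccount; on an FS4SP server, pass the FS4SP service account.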


References: