Replace self-signed certificate in the Self-Service Portal

February 1, 2013 Posted by Alexander Axberg

This post describes how to replace the standard self-signed certificate in the SSP portal with a certificate from a trusted source and a correctly defined subject name, so that your end-users stop getting certificate warnings every time they access the portal.

We don’t want them to see this, do we?

[Screenshot: certificate warning in the browser]

The first question you need to ask yourself is: What URL should my end-users use?

In this example we will use: https://portal.mycompany.com

The second question is: What computers will access the portal?

In most cases, the portal will only be available for internal use, since it requires an AD user to be logged on.

If it should be accessible from computers outside the company network, you will need to buy a commercial certificate from a certificate provider that is trusted by most computers (VeriSign or DigiCert, for example).

If your company already has an internal Certification Authority server and a PKI infrastructure in place, requesting the certificate from it is probably the best solution, provided that only your company computers will be accessing the portal (only the internal computers trust the company CA server).

When you are ready, begin by creating a certificate request. This request contains all the properties the certificate will have.

Open IIS Manager on the SSP server.

Select the server name in the left column, then double-click Server Certificates in the right column.

Click Create Certificate Request… The wizard starts.

[Screenshot: Server Certificates in IIS Manager]

Enter your company information here. The important field is Common Name, as it must match the domain name in your URL. If you are planning on buying a commercial certificate, it is also important that the other fields match your company’s registered information.

[Screenshot: certificate request details]

Change the bit length to 2048, as this is the minimum key size generally accepted today.

[Screenshot: key size selection]

Select a location to save your certificate request to a file.

[Screenshot: saving the request file]

Your request is now saved to a file, and in the background a private key has been created on the server; it will later be paired with the issued certificate.

Now take that text file to your certificate authority; they will use its contents to produce a certificate. You will then receive a certificate containing only the public key from your certificate authority. Copy this file to the SSP server.

Now go back to IIS Manager and click Complete Certificate Request…

Select the certificate file you received from your certificate authority and enter a friendly name. The friendly name is shown in the “Name” column in IIS Manager.

Click OK.

[Screenshot: Complete Certificate Request dialog]

You might now receive an error message, but it is a false alarm: refresh IIS Manager and you will see that the certificate has been added to the list.
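The request and completion steps above can also be done from an elevated PowerShell prompt with certreq.exe, which makes the key size, subject and Subject Alternative Name explicit instead of hidden in the wizard. This is an added example, not code from the original post; it assumes the portal name from the post (portal.mycompany.com), placeholder company details, and C:\Certs as a scratch folder. The SAN extension is included on purpose: current browsers match the host name against the SAN rather than the Common Name, so a certificate with only a CN still produces a name-mismatch warning.

```powershell
# Added example (not from the original post): create the CSR with certreq.exe,
# then complete it once the CA has returned the signed certificate.
# Run in an elevated prompt on the SSP server.
$CommonName = 'portal.mycompany.com'   # the name users type in the URL (from the post)
$WorkDir    = 'C:\Certs'               # assumption: scratch folder for the files
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# certreq reads its parameters from an .inf file. O/L/C are placeholders.
# KeyUsage 0xA0 = digitalSignature + keyEncipherment; 2.5.29.17 is the SAN OID.
$InfTemplate = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=__CN__, O=My Company (placeholder), L=City, C=SE"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = sha256
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=__CN__&"
'@
$InfPath = Join-Path $WorkDir 'portal.inf'
$ReqPath = Join-Path $WorkDir 'portal.req'
$CerPath = Join-Path $WorkDir 'portal.cer'
Set-Content -Path $InfPath -Value ($InfTemplate -replace '__CN__', $CommonName) -Encoding Ascii

# -new creates the private key in the machine store (visible under Certificate
# Enrollment Requests) and writes the Base64 PKCS#10 request to portal.req.
& certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check subject, key length and SAN before the request goes to the CA.
& certreq.exe -dump $ReqPath

# When the CA has returned portal.cer, -accept pairs it with the pending private
# key and installs it in LocalMachine\My (what "Complete Certificate Request" does).
if (Test-Path $CerPath) {
    & certreq.exe -accept $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    $Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$CommonName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $Cert) { throw 'Certificate installed but no private key is attached to it' }

    # What IIS will actually serve: names, validity, key size and whether the
    # chain is trusted on this machine.
    $San = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
    [pscustomobject]@{
        Subject    = $Cert.Subject
        SAN        = $San
        NotAfter   = $Cert.NotAfter
        KeySize    = $Cert.PublicKey.Key.KeySize
        ChainValid = $Cert.Verify()
        Thumbprint = $Cert.Thumbprint
    }
}
else {
    "Send $ReqPath to your CA, save the issued certificate as $CerPath and run this again."
}
```

Exportable is left at FALSE so the private key cannot be pulled back out of the machine store; if you need the same certificate on a second server, request it there instead.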

Back in IIS Manager, expand the Sites container, select Service Manager Portal, and click Bindings.

[Screenshot: site bindings]

Select the https binding and click Edit.

Select the new certificate.

Repeat this process for the https binding on the site called SCSMWebContentServer.

In IIS, double-click Application Settings for the Service Manager Portal site.

[Screenshot: Application Settings]

Update the SMPortal_WebContentServer_URL value to reflect the URL in the new certificate.

Click OK, then Close.

Open the file C:\inetpub\wwwroot\System Center Service Manager Portal\ContentHost\web.config and edit the third row from the bottom to reflect your new URL:

<add key="ContentHostAbsoluteUri" value="https://SERVER:443/ContentHost" />

Recycle the application pool called ContentHost_appPool in IIS Manager to reload the edited web.config file.

This will prevent errors when opening Knowledge Articles on the portal.
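The binding change for both sites, the SMPortal_WebContentServer_URL application setting and the ContentHostAbsoluteUri edit in web.config can be scripted with the WebAdministration module. The following is an added example, not the post's or Microsoft's code; it assumes the site names, application pool name and web.config path quoted in the post, the portal name portal.mycompany.com, and a certificate for that name already installed in LocalMachine\My with its private key (the result of "Complete Certificate Request"). Only the host part of each URL is swapped, so whatever port and path the current values carry are kept.

```powershell
# Added example (not from the original post): bindings, Application Settings
# and web.config from the post, done with the WebAdministration module.
# Run elevated on the SSP server.
Import-Module WebAdministration

$PortalHost  = 'portal.mycompany.com'                 # from the post
$PortalSite  = 'Service Manager Portal'               # site names from the post
$ContentSite = 'SCSMWebContentServer'
$AppPool     = 'ContentHost_appPool'                  # app pool from the post
$WebConfig   = 'C:\inetpub\wwwroot\System Center Service Manager Portal\ContentHost\web.config'

# The newest certificate for the portal name that actually has a private key.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$PortalHost*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate with a private key for $PortalHost in LocalMachine\My" }

# Re-point every https binding of both sites at the new certificate
# (Bindings > Edit > select certificate in IIS Manager).
foreach ($Site in $PortalSite, $ContentSite) {
    $Bindings = @(Get-WebBinding -Name $Site -Protocol https)
    if ($Bindings.Count -eq 0) { throw "Site '$Site' has no https binding" }
    foreach ($B in $Bindings) {
        $B.RemoveSslCertificate()
        $B.AddSslCertificate($Cert.Thumbprint, 'my')
        "$Site [$($B.bindingInformation)] -> $($Cert.Thumbprint)"
    }
}

# Replace only the host between the scheme and the first ':' or '/';
# port and path are left exactly as they were.
function Set-UrlHost([string]$Url, [string]$NewHost) {
    return $Url -replace '^(https?://)[^/:]+', ('$1' + $NewHost)
}

# Application Settings of the portal site: SMPortal_WebContentServer_URL.
$Filter = "appSettings/add[@key='SMPortal_WebContentServer_URL']"
$Old = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$PortalSite" -Filter $Filter -Name value).Value
if (-not $Old) { throw "SMPortal_WebContentServer_URL not found on site '$PortalSite'" }
$New = Set-UrlHost $Old $PortalHost
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$PortalSite" -Filter $Filter -Name value -Value $New
"SMPortal_WebContentServer_URL: $Old -> $New"

# ContentHost web.config: ContentHostAbsoluteUri. Keep a backup before editing.
Copy-Item -Path $WebConfig -Destination "$WebConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
[xml]$Xml = Get-Content -Path $WebConfig -Raw
$Node = $Xml.SelectSingleNode("//add[@key='ContentHostAbsoluteUri']")
if (-not $Node) { throw "ContentHostAbsoluteUri not found in $WebConfig" }
$OldUri = $Node.value
$Node.value = Set-UrlHost $OldUri $PortalHost
$Xml.Save($WebConfig)
"ContentHostAbsoluteUri: $OldUri -> $($Node.value)"

# Recycle the pool so the edited web.config is read.
Restart-WebAppPool -Name $AppPool
```

After it runs, open https://portal.mycompany.com and a Knowledge Article from a client and confirm that neither page produces a certificate warning; the values printed by the script show exactly what was changed if something needs to be reverted from the .bak copy.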
…and you are all done!

Some extra information if you are curious about the certificate request process:

When the request file is created, a private key for the upcoming certificate is created at the same time. You can see it if you open mmc.exe, add the Certificates snap-in (Computer account) and look under Certificate Enrollment Requests.

[Screenshot: private key under Certificate Enrollment Requests]

Here is the private key that has just been created. It will later be merged with the public key in the .cer file you received when you run the “Complete Certificate Request” process.

Windows stores all its private keys for computer-based certificates at: C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys
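The same things can be inspected from PowerShell: pending requests are in the REQUEST store (the "Certificate Enrollment Requests" folder in mmc), and for a completed certificate the RSA key container file under MachineKeys can be located and its permissions checked. This is an added example, not from the original post; it assumes the portal name from the post and that the key was created by the RSA CSP provider, as the IIS wizard does. C:\Users\All Users is a junction to C:\ProgramData, so the script uses the latter.

```powershell
# Added example (not from the original post): find the pending request, the
# installed certificate and the key file under MachineKeys, and show who can
# read that key file. Written for Windows PowerShell on the SSP server.
$PortalHost = 'portal.mycompany.com'   # from the post
$KeyDir     = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

'--- Pending requests (Cert:\LocalMachine\REQUEST) ---'
Get-ChildItem Cert:\LocalMachine\REQUEST |
    Select-Object Subject, HasPrivateKey, Thumbprint |
    Format-Table -AutoSize | Out-String

'--- Certificates for the portal (Cert:\LocalMachine\My) ---'
$Certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$PortalHost*" }
foreach ($Cert in $Certs) {
    if (-not $Cert.HasPrivateKey) {
        "$($Cert.Thumbprint): no private key attached (request not completed on this server?)"
        continue
    }
    # For RSA keys held by a CSP, .NET exposes the container name and the file
    # in MachineKeys is named after it. CNG keys (PrivateKey is $null) live elsewhere.
    $Info = $Cert.PrivateKey.CspKeyContainerInfo
    if (-not $Info) {
        "$($Cert.Thumbprint): CNG key, not stored in the RSA MachineKeys folder"
        continue
    }
    $KeyFile = Join-Path $KeyDir $Info.UniqueKeyContainerName
    "$($Cert.Thumbprint): key container $KeyFile (exportable: $($Info.Exportable))"
    if (Test-Path $KeyFile) {
        # Expect only SYSTEM and Administrators here; anything broader means
        # other accounts on the server can read the portal's private key.
        (Get-Acl -Path $KeyFile).Access |
            Select-Object IdentityReference, FileSystemRights, AccessControlType |
            Format-Table -AutoSize | Out-String
    }
}
```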

7 Responses to Replace self-signed certificate in the Self-Service Portal

  1. Tomas says:

    Thank you very much.

    Our SCSM installation was made by a 3rd party and our certificate expired yesterday. This helped me solve the problem!

  2. Sharbel says:

    Thank you for the detailed post.

    In my case the portal needs to be accessible from computers outside of the company domain network.

    Could you please advise the steps required to get a Certificate from DigiCert?
    I used to issue SSL from internal Domain CA.
    Which Certificate is suitable for ServiceManager portal? I can see many different types offered by DigiCert.

    Could you please point me to right direction?

    Your support is highly appreciated.

    Thank you.

    • Hi Sharbel,

      Yes, you can absolutely use a DigiCert certificate if you publish the portal for computers outside the network.
      You can order a standard SSL certificate from DigiCert, using the CSR-textfile that is created in my post. You just upload it to DigiCert when you purchase the certificate and they will return a certificate to you that you can import into IIS, the same way described in the post.

      regards
      Alex

  3. Sharbel says:

    Thank you dear Alex for your kind reply,

    Sorry I didn’t understand “CSR-textfile” that you mentioned above.
    From where can I get it to upload it to Digicert?

    Best regards,
    Sharbel.

  4. Sharbel says:

    I generated the CSR-TextFile using DigiCert Util from SM Portal Server, is that ok?

    https://www.digicert.com/util/

    Thank you.

  5. Sharbel says:

    Thank you dear Alex,

    I would like to let you know that the certificate issue is solved finally 🙂
    I bought DigiCert Standard SSL and everything is working great!

    I have another question, I noticed that when I need to login to the SM Portal, I need to authenticate twice, first for Sharepoint I believe and the second for the WebContent, this is annoying for users.

    How can we make it to authenticate only once?

    Thank you in advance,

    Best regards,
    /Charbel.

  6. Hi Charbel,

    I’m glad to hear that you got it to work in the end.
    Well, the login prompts are because the users are sitting outside the domain, and the Portal loads from 2 different websites (hence the 2 logins).
    To be able to solve this for the users outside the domain, you would have to use some kind of reverse proxy to publish the Portal, like the Forefront TMG Server for example.
    The Proxy will act as a man-in-the-middle between the client and the portal servers, request one set of credentials from the user and pass these on to the Portal and WebContent sites.
    It would be kind of like publishing Outlook Web Access, described here:
    http://www.isaserver.org/articles-tutorials/configuration-general/publishing-exchange-2013-outlook-web-app-forefront-threat-management-gateway-tmg-2010.html

    regards
    Alex
