Thursday, March 06, 2008

SharePoint MOSS 2007: Howto setup SSL for IIS 6 and configure Central Admin to use SSL


IIS 6 SSL certificate howto:
Command line for switching the Sharepoint Central Admin to use SSL:
Note that SSL can't be set up in the SharePoint/MOSS install wizard; you must use the command-line tools.


If you want to remotely configure SharePoint services via the Central Administrator site, Microsoft recommends that you use SSL to secure the connection. They just fail to tell you, anywhere in the install wizard, how to enable SSL for the Central Administrator site. Also, if you want to use the MOSS content publishing features (pushing content from one site collection/farm to another using the Central Administrator), you should use SSL for your Central Administrator, because that service sends authentication from server to server over HTTP with every publish attempt.

This article just rehashes (and hopefully simplifies) what’s described in the resources listed above. I don’t go into any detail about creating a Certificate Authority or issuing the SSL certificate; I assume you already have one set up or use a service like Verisign.

Step by Step: Adding SSL to the Sharepoint Central Administrator site

1) Once Sharepoint or MOSS is installed on your target server, run the "Sharepoint Products and Technologies Configuration Wizard" to create the Central Administrator site as you normally would.

2) From the IIS Manager (Start->Program files->Administrative tools->IIS Manager), view the properties of the "SharePoint Central Administration v3" website.

3) Generate an SSL certificate request (Directory Security->Secure Communications->Server Certificate) as shown below

4) Once the request is generated (as a .txt file) send that off to your certificate authority as described in the references section above. You’ll receive an SSL cert in return (from whoever manages the CA). Install the cert on the Central Administration IIS site as described above in the references section, but set the SSL port to something you will remember. In my examples, I use port 4444 as my SSL port.

5) Now that we have SSL set up in IIS, we need to tell SharePoint that the central admin is going to be using the new port and the SSL protocol. The only way to do this is from the command line on the web server (and you must do this for every web server front end in your farm):

c>"%COMMONPROGRAMFILES%\microsoft shared\web server extensions\12\bin\stsadm" -o setadminport -p 4444 -ssl

6) At this point, I always restart the Central Administration website in IIS out of habit, though I don’t think it’s necessary. Once that’s done, you should be able to hit your central admin via SSL by going to https://<your server name or ip>:4444. Also, the command line operation updates the shortcut located in (Start->Program files->Microsoft Office Server->SharePoint 3.0 Central Administration), so you can use that to get the full URL too.

Final thoughts
If you want to use your own in-house certificate authority, you should install your CA root certificate on every server that will need to access the Central Administration site. For instance, if you have a staging server pushing content to a live server via the Central Administrator content publishing options in MOSS, you should install the CA root certificate on the staging server so that it can confirm the live server’s SSL cert is valid when it connects to deliver content via HTTPS.
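
One way to check that trust from the staging server is the PowerShell script below. It is an added example, not part of the original article or of any SharePoint tooling. It opens a TLS connection to the Central Administration port and reports whether Windows accepts the certificate chain. The host name is a placeholder assumption; port 4444 is the one used in this article.

```powershell
# Added example: run on the staging server to confirm it trusts the
# certificate served by the live server's Central Administration site.
param(
    [string]$ServerName = 'live-server.example.local',  # placeholder host name (assumption)
    [int]$Port = 4444                                    # SSL port used in this article
)

$script:seen = @{ Subject = $null; Issuer = $null; NotAfter = $null
                  PolicyErrors = $null; ChainStatus = @() }

# Record what Windows' chain validation decided. The callback returns the
# real verdict, so an untrusted certificate still fails the handshake.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
    $script:seen.Subject      = $cert.Subject
    $script:seen.Issuer       = $cert.Issuer
    $script:seen.NotAfter     = $cert.NotAfter
    $script:seen.PolicyErrors = $sslPolicyErrors
    $script:seen.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    return ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
}

$trusted = $false
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($ServerName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        # The name passed here must match the name in the certificate.
        $ssl.AuthenticateAsClient($ServerName)
        $trusted = $true
    } catch [System.Security.Authentication.AuthenticationException] {
        $trusted = $false   # chain or name validation failed; details are in $script:seen
    } finally {
        $ssl.Dispose()
    }
} finally {
    $client.Close()
}

New-Object PSObject -Property @{
    Server       = "${ServerName}:$Port"
    Trusted      = $trusted
    Subject      = $script:seen.Subject
    Issuer       = $script:seen.Issuer
    NotAfter     = $script:seen.NotAfter
    PolicyErrors = $script:seen.PolicyErrors            # e.g. RemoteCertificateChainErrors
    ChainStatus  = ($script:seen.ChainStatus -join ', ') # e.g. UntrustedRoot if the CA root is missing
}
```

A result of Trusted = False with ChainStatus UntrustedRoot means the CA root certificate is not installed on the machine running the check; RemoteCertificateNameMismatch means the name you connected with is not the name in the certificate.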
