Installation & validation of FAST Search certificates in SharePoint 2010

When setting up certificates for the FAST Content SSA in SharePoint, the TechNet documentation calls for the use of SecureFASTSearchConnector.ps1 for initial installation, or manual steps for SharePoint crawl component hosts beyond the first. However, all steps can be done manually, and checked via PowerShell. The Content SSA's admin db has a certificate thumbprint stored (in the MSSConfiguration table), which all crawl components try to find in their Local Machine certificate store. To check this thumbprint:


Get-SPEnterpriseSearchServiceApplication | ? {$_.SearchApplicationType -eq "ExtendedConnector"} | Get-SPEnterpriseSearchExtendedConnectorProperty -Identity "Middleware:ssl-cert"

To set this thumbprint:

$ssa = Get-SPEnterpriseSearchServiceApplication | ? {$_.SearchApplicationType -eq "ExtendedConnector"}

$ssa.ExtendedConnectorProperties["Middleware:ssl-cert"] = "95E407F4F55C2F2D05D2E5414C3C61B1"

$ssa.Update()

Once the right thumbprint is in use, the certificate type and private key access (for the OSearch14 service user) can be validated. There are some requirements for these certificates that are not listed in the TechNet article: the certificate must use RSA, and it must have been imported with the MachineKeySet flag, since the Content SSA only looks in %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\ for the private key. Additionally, the private key will not be accessible to PowerShell and .NET (or to the Content SSA) unless it is reachable through a legacy Cryptographic Service Provider (CSP); a key held by a CNG Key Storage Provider will not work.
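The import side of those requirements, as an added example that is not part of the original post or of SecureFASTSearchConnector.ps1: it imports a PFX with the MachineKeySet flag, refuses keys that are not CSP-accessible RSA, and grants the search service account read access to the key file. $PfxPath, $PfxPassword and $ServiceAccount are assumed parameters, and the account name is a placeholder.

```powershell
# Added example, not the post's or Microsoft's script. Parameters are assumptions for your farm.
param(
  [Parameter(Mandatory=$true)][string]$PfxPath,
  [Parameter(Mandatory=$true)][string]$PfxPassword,
  [string]$ServiceAccount = "DOMAIN\osearch14svc"   # placeholder: the OSearch14 service account
)

# MachineKeySet stores the key under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, the only
# location the Content SSA checks; PersistKeySet keeps it on disk after the import completes.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor `
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)

# A key held by a CNG key storage provider reports HasPrivateKey but yields no usable PrivateKey
# through the CSP API (null or an exception), which is the same reason the Content SSA cannot load it.
try { $rsa = $cert.PrivateKey } catch { $rsa = $null }
if ($cert.HasPrivateKey -and $null -eq $rsa) {
  throw "Private key is not CSP-accessible (likely a CNG key storage provider); re-issue the certificate with a legacy CSP."
}
$provider = $rsa.CspKeyContainerInfo.ProviderName
if ($provider -notmatch "RSA") {
  throw "Certificate key is not RSA (provider: $provider)"
}

# Place the certificate in LocalMachine\My, where every crawl component looks for the thumbprint.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()

# Grant the service account read access to the key file so the OSearch14 process can use it.
$keyFile = Join-Path ($env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys") $rsa.CspKeyContainerInfo.UniqueKeyContainerName
$acl = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

Write-Output "Installed certificate $($cert.Thumbprint); key file $keyFile is readable by $ServiceAccount"
```

The thumbprint it prints is the value to store in the Content SSA's Middleware:ssl-cert property, as shown earlier; repeat the import on every crawl component host.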

The validity (and private key permissions) of a certificate with a particular thumbprint can also be checked with PowerShell, by passing the thumbprint to the below script:

BEGIN {
  $keystore = "Cert:\LocalMachine\My\"
  $keypath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\"
}

PROCESS {
  # Thumbprints are listed upper-case in the Cert: drive
  $keythumb = $_.ToUpper()
  if (test-path $keystore$keythumb) {
    $cert = gci $keystore$keythumb
    # A CNG-backed key (or one the current user cannot open) surfaces as a null PrivateKey or an
    # exception through the CSP API; report that rather than a misleading "not RSA" result
    try { $keyinfo = $cert.PrivateKey.CspKeyContainerInfo } catch { $keyinfo = $null }
    if ($keyinfo -eq $null) {
      write-output "Private key is not accessible through a CSP (missing key, no permission, or a CNG key storage provider)!`n"
      exit
    }
    $keyname = $keyinfo.UniqueKeyContainerName
    $keyalgo = $keyinfo.ProviderName
    if ($keyalgo -NotMatch "RSA") {
      write-output "Certificate does not use RSA SChannel Cryptographic Provider!`n"
      exit
    }
    write-output "RSA certificate found in LocalMachine store; checking for private key in MachineKeys next`n"
  } else {
    write-output "Certificate not found in LocalMachine store!`n"
    exit
  }

  if (test-path $keypath$keyname) {
    # List every principal with an ACE on the key file; the OSearch14 service account must be among them
    $acl = get-acl $keypath$keyname | select -expand access | select -expand identityreference
    write-output "Private key found in MachineKeys with these principals granted access: $($acl -join ', ')`n"
  } else {
    write-output "Private key not found in MachineKeys; review key storage flags as per http://support.microsoft.com/kb/950090`n"
    exit
  }
}

E.g. this could be run as "thumbprint" | .\validate.ps1