Configure SSL for SharePoint 2013
In this tutorial I will show you how to configure SSL for SharePoint 2013.
Prerequisites:
- IIS 8
- SharePoint 2013
- Windows Server 2012
- HTTP Web Application on Port 80
Steps:
- Create Self Signed Certificate on IIS 8
- Import Self Signed Certificate to SharePoint Certificate store
- Add Self Signed Certificate to trust management in Central Administration
- Configure IIS Binding
- Configure AAM
- Notes
- Issues
Note: Make sure to perform these steps with admin privileges.
Step 1: Create Self Signed Certificate on IIS 8
Open IIS Manager, select the server name, and in the IIS section open “Server Certificates”.
Click Create Self-Signed Certificate... in the Actions pane.
Specify a name like “SharePointSelfSignedCert” and click OK.
Double-click the newly created certificate, go to the Details tab and click Copy to File...
Click Next (Welcome…),
Select No, do not export the private key and click Next,
Select DER encoded binary and click Next,
Specify the location for the certificate, click Next and then Finish (Exported).
Step 2: Import Self Signed Certificate to SharePoint Certificate store
Open Manage Computer Certificates on Windows Server 2012, right-click the SharePoint node and choose All Tasks >> Import…
Click Next, specify the location of the certificate exported in the previous step, and then click Next,
Make sure the certificate store is SharePoint, click Next and then Finish (Imported).
Step 3: Add Self Signed Certificate to trust management in Central Administration
Go to Central Administration >> Security >> Manage Trust (this tells SharePoint to trust this certificate as well).
Click New.
Add a name, specify the location of the certificate and click OK.
Step 4: Configure IIS Binding
Go to IIS Manager, choose your web application and click Bindings... in the Actions pane.
Click Add...
Type: https
SSL Certificate: SharePointSelfSignedCert (created previously).
Click OK.
Step 5: Configure AAM
Go to Central Administration >> Alternate Access Mapping and choose your web application.
Click Edit Public URLs and add the HTTPS URL.
Click Save.
Now try to browse your site with the HTTPS URL.
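Steps 1 to 5 scripted in PowerShell, as an added example that is not part of the original post. The IIS site name, host name, export path and AAM zone are assumptions, and the certificate is created with New-SelfSignedCertificate instead of through IIS Manager.

```powershell
# Added example, not from the original post. Run in an elevated
# SharePoint 2013 Management Shell on the server that hosts the web application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

# Assumed values: adjust to your farm.
$iisSite  = 'SharePoint - 80'      # IIS site name of the web application
$hostName = 'sps2013'              # host name used in the site URL
$cerPath  = 'C:\Certs\SharePointSelfSignedCert.cer'
$zone     = 'Internet'             # AAM zone for the HTTPS public URL
New-Item -ItemType Directory -Force -Path (Split-Path $cerPath) | Out-Null

# Step 1: create the certificate in the machine's Personal store and export
# only the public part as a DER-encoded .cer (the private key stays in the store).
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation Cert:\LocalMachine\My
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Step 2: import the .cer into the SharePoint store of the computer account.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\SharePoint | Out-Null

# Step 3: add it to Manage Trust so the farm trusts the certificate.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
New-SPTrustedRootAuthority -Name 'SharePointSelfSignedCert' -Certificate $public | Out-Null

# Step 4: add the https binding on port 443 and attach the certificate.
New-WebBinding -Name $iisSite -Protocol https -Port 443
$binding = Get-WebBinding -Name $iisSite -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Step 5: add the HTTPS URL as a public URL in Alternate Access Mappings.
New-SPAlternateURL -WebApplication "http://$hostName" -Url "https://$hostName" -Zone $zone | Out-Null

# Show the resulting mappings and the certificates bound in IIS.
Get-SPAlternateURL -WebApplication "http://$hostName"
Get-ChildItem IIS:\SslBindings
```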
Notes:
- Don’t use self-signed certificates in production sites (you need to use commercial certificates).
https://www.digicert.com/ssl-certificate-installation-microsoft-iis-7.htm
- If you add the self-signed certificate to Trusted Root Certification Authorities, the certificate error will disappear.
- IIS 8 and Windows Server 2012 introduce a new feature called “Server Name Indication (SNI)”, which allows IIS 8 to host multiple SSL sites and certificates on a single IP address based on host headers.
https://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability
- You can use the URL Rewrite module in IIS 8 to redirect from HTTP to HTTPS or vice versa.
https://www.iis.net/learn/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module
https://ruslany.net/2009/04/10-url-rewriting-tips-and-tricks/
- SSL certificates are required for Federation Services.
- Test the SSL implementation using https://www.ssllabs.com/ssltest/ and make changes as described in this article: https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
Issues:
Issue #1: Mixed HTTP and HTTPS Content
If you log in with the HTTPS URL and are then redirected to HTTP, the browser will ask the user to log in again with the HTTP URL.
Fix:
Go to Central Administration
Open Alternate Access Mapping (AAM)
Select your web application from the dropdown menu at the top right
Click Edit Public URLs and remove the HTTPS URL
Click Add Internal URLs, add the HTTPS URL and select the same zone as the HTTP URL
Comments
Anonymous
January 20, 2013
Thanks Fady, Good Knowledge :)
Anonymous
January 21, 2013
Good Post.
Anonymous
January 23, 2013
Thanks Fadi
Anonymous
January 23, 2013
God bless you, Fadi. The topic is more than wonderful.
Anonymous
April 13, 2013
good information good article mounikasharepoint.blogspot.in/.../sharepoint-2010-and-sharepoint-2013.html
Anonymous
June 02, 2013
Nice tutorial! I'm stuck on step 3: when I open certmgr (I am using Windows Server 2008) it doesn't contain the SharePoint node. How to fix this?
Anonymous
June 07, 2013
Make sure you open Certificates add on using Computer Account and not my user account.
Anonymous
July 25, 2013
Great overview, thank you!
Anonymous
November 10, 2013
Excellent Post. Thanks !!!
Anonymous
November 11, 2013
great post - works perfectly apart from the apps :(
Anonymous
November 13, 2013
Can one certificate be used for multiple web applications?
Anonymous
November 14, 2013
If it's a wildcard certificate and all web applications share the same domain (*.abc.com) then you can configure them to use this certificate, but if it's not then you need a certificate for each web application and a dedicated IP address for each web application if it's not IIS 8 and Windows 2012. You can find more information in the following references: www.harbar.net/.../ssl.aspx www.iis.net/.../iis-80-server-name-indication-sni-ssl-scalability
Anonymous
November 23, 2013
Very helpful thanks
Anonymous
December 30, 2013
After I changed according to this article, I can't access SkyDrive and newsfeed. How to solve this issue?
Anonymous
December 31, 2013
Hi Don_NJ, I don't think this issue is related to SSL, but try to check the SharePoint logs; maybe you will find something useful. Also try to run the below commands to enable OAuth authentication over HTTP:
$config = (Get-SPSecurityTokenServiceConfig)
$config.AllowOAuthOverHttp = $true
$config.Update()
Anonymous
January 09, 2014
Hi Fadi, after performing all the steps as you mentioned, shouldn't I get prompted for authentication? Or does it happen only when SSL is bought from a trusted CA and does not happen with a self-signed certificate?
Anonymous
January 10, 2014
No relation between SSL Certification and Authentication, check if your web application is enabled with anonymous access or not.
Anonymous
January 19, 2014
In my opinion the AAM configuration is incorrect:
- You haven't extended the web application to "Internet" zone but you are setting it in AAM.
- The most secure URL should be for default zone because it is the one used for rendering the URLs if mapping is not found.
If you want to switch the web application to SSL (without extending web app), provide mapping like this:
Internal URL | Zone | Public URL
http://sps2013 | Default | https://sps2013
https://sps2013 | Default | https://sps2013
This will cause that when you access your web application with either HTTP or HTTPS, the links in the web will all render with HTTPS. If you want to use also HTTP to access your web application you can extend it with different URL.
Anonymous
March 12, 2014
Thanks, this was very helpful!
Anonymous
March 19, 2014
If anyone is getting an error on step 3, please use the below PowerShell commands:
$cert = Get-PfxCertificate -filepath "<Path of certificate file with cer extension>"
New-SPTrustedRootAuthority -Name "<Certificate Friendly Name>" -Certificate $Cert
Anonymous
March 31, 2014
Hi, I am really lost and I need a little help. On step 4, when I am configuring the IIS binding, I click into the Type textbox and put "https" and afterwards I do not see my own certificate in the SSL certificate textbox. I have done every previous step. I have bought a .crt certificate and I began on step 2. The CA gave me two files, one is called "gs_intermediate_ca" and the other "STAR_dominio_com", and I have done this process with the two certificates and the result is the same. Thank you very much
Anonymous
March 31, 2014
In step 1: try to Complete Certificate Request instead of Create Self Signed Certificate, so after you complete the wizard you will find your certificate listed under Server Certificates.
Anonymous
April 01, 2014
Hi Fadi, I'm about to purchase an individual SSL certificate for my SharePoint. The SharePoint is managed by an outsourced vendor. My biggest concern is, when the SSL certificate is deployed, will any changes have to be done in the source code of the SharePoint application, such as changing the links in the source code from http to https? Because according to the vendor, it will take a lot of change requests in the SharePoint source code and they will charge an unreasonable price. Supposedly SSL is just a communication between server and user, right?
Anonymous
April 01, 2014
The comment has been removed
Anonymous
April 02, 2014
Contact your certificate vendor and explain the issue to him and maybe they will suggest to use a wildcard certificate.
Anonymous
April 03, 2014
Hi Dig Dang, no need to change anything in your source code because, as you said, SSL is just a communication matter, and make sure to use hyphen URLs, for example /pages/test.aspx, and don't use http://url/pages/test.aspx.
Anonymous
May 07, 2014
The comment has been removed
Anonymous
June 25, 2014
It doesn't work for me. Every time I import the certificate in AAM it gives me an error that the certificate is password protected. I want to know why it's showing this error. Please help me with this problem.
Anonymous
July 07, 2014
I'm about a year and a half late to this party, but I completely agree with the earlier response by "eXavier_777" (Mon, Jan 20 2014 7:48 AM) in that your AAMs are incorrect (and manually modified from Central Admin without extending the Web App, which is even worse because it will cause inconsistencies for SP). He is exactly correct, so to reiterate (and by that, I mean copy/paste what he wrote)...
If you want to switch the web application to SSL (without extending web app), provide mapping like this:
Internal URL | Zone | Public URL
http://sps2013 | Default | https://sps2013
https://sps2013 | Default | https://sps2013
This will cause that when you access your web application with either HTTP or HTTPS, the links in the web will all render with HTTPS. If you want to use also HTTP to access your web application you can extend it with different URL.
Anonymous
July 24, 2014
I am getting an error on step 3. When I import the certificate into AAM, it gives me an error saying that the certificate is password protected.
Anonymous
August 01, 2014
bspender and eXavier_777, specifically how do you configure the mappings that way? I can't figure out how to get mine to look like that using the web UI.
Anonymous
August 21, 2014
I've created a site and configured it with all the self-signed certificates. Everything just works fine except for the last step: the https site doesn't open. It shows an error - HTTP unauthorized 404, though I've logged in as the admin!!! Pls help.
Anonymous
August 31, 2014
Hi, nice post. Can someone tell me how to configure https for a web application that is running on a different port than 80, and configure AAM?
Anonymous
November 05, 2014
I am liking your post so far, came in off the Bing and am about to attempt this.
Anonymous
November 05, 2014
The comment has been removed
Anonymous
November 19, 2014
Any thoughts on this note? Note: strongly recommend to use Central Administration or PowerShell to extend the web application with port HTTPS instead of doing the manual HOST name entry IIS by adding a new URL in AAM like the below method. Once you get the second IIS website, you can configure the SSL ................. blogs.msdn.com/.../how-to-enable-ssl-on-a-sharepoint-web-application.aspx
Anonymous
June 15, 2015
Hi, I want to change our internet-facing existing HTTP web application to HTTPS. It's already a SharePoint 80 application on the default zone. So if I extend the web application to port 443, how will I configure the web application to open by default on HTTPS?
Anonymous
June 17, 2015
Hi Fadi, I did all the steps and when I type my site with https in the browser it works well, but how do I open my site by default with the https protocol? When I type mysite.com in the browser it should open with https.
Anonymous
January 20, 2016
The comment has been removed