SharePoint Certificate Management
For many years the SharePoint on-premises administrator community has been frustrated and somewhat challenged with managing certificates to ensure that the communication between clients and servers is properly secured. In many cases, secure communication over SSL was simply ignored on corporate intranets, with administrators taking the stance that internally there are no concerns about malicious users or about unencrypted communication being compromised. These days the threat posed by insecure communication is more widely recognized, and administrators increasingly look to ensure their applications and services are secured end to end regardless of the scenario.
SharePoint has always supported communication over Secure Sockets Layer (SSL) and, of course, Transport Layer Security (TLS), but the implementation was always, for want of a better phrase, hard to manage. Now with SharePoint Server Subscription Edition, Microsoft has finally made this simpler and easier to manage, providing a Central Administration settings panel as well as PowerShell cmdlets to manage certificates.
SharePoint has added support for managing your SSL certificates in Central Administration and PowerShell. Administrators will see a new Certificates section on the Security landing page of Central Administration and, within this section, there are links to Manage certificates, Configure certificate management settings, and View certificate files, as shown in Figure 1.
These administrator options are totally new for SharePoint Server Subscription Edition, providing one more compelling reason to upgrade to this version from earlier releases. (For more about upgrading from earlier releases, see this article from Brian Alderman.) As an aside, the Subscription Edition of SharePoint Server will be the only supported version after April 2024 and is considered the evergreen edition. Microsoft will supply continual updates to this version but will never release a new year-branded edition.
Let’s review each section in the Administrator interface in turn before digging deeper into PowerShell.
Administrators will find that the Manage certificates page (as shown in Figure 2) is the main page for managing the certificates in a SharePoint farm. From this location, administrators have full access to all of the certificate management functionality, such as creating, renewing, viewing, importing, and exporting certificates. Administrators can filter by expiry date and by the web application to which the certificates are assigned.
Configure Certificate Management Settings
The Configure certificate management settings panel allows the Administrator to configure various settings, such as the default organization information, and manage the thresholds for certificate health analyzer rule notifications.
View Certificate Files
The View certificate files panel lists the Certificate Signing Request files and certificate export files generated by SharePoint. From here, the Administrator can download these certificate files even if managing the Central Administration site remotely.
Now you’ve seen the new SharePoint Central Administration pages. What else is there? Well, as with most SharePoint Server administrative capabilities, PowerShell provides extra functionality beyond what the user interface offers.
Certificate Management for SharePoint Server Subscription edition with PowerShell
The management of SSL certificates has been a burdensome task for SharePoint administrators for many years. Now, with SharePoint Server Subscription Edition, the battle is finally one that favors the admins. In the rest of this article, I’ll look at the most common cmdlets needed to manage certificates in the farm.
Here’s a list of SSL Certificate management tasks that can be performed with the new SSL Certificate management PowerShell commands:
- Creating new certificates
- Finding/viewing certificates
- Exporting certificates
- Renewing certificates
- Renaming certificate-friendly names
- Moving certificates between certificate stores
- Importing certificates
- Assigning certificates to web applications
- Replacing a certificate assignment
- Removing certificates
- Setting certificate default settings
Creating a New Certificate
With SharePoint, it's possible to create SSL certificate requests through the New-SPCertificate PowerShell cmdlet. This is the initial phase of a three-step installation process for a new SSL certificate, which administrators who previously used the Internet Information Services (IIS) interface will find familiar. Once generated, the certificate request is sent to a trusted certificate authority for approval, and after approval, the issued certificate can be added to the SharePoint Server certificate store.
An Example of the Process:
Creating the SSL Certificate is a three-step process:
- Create the SSL certificate request in SharePoint.
- Sign the SSL certificate request with a standalone CA server.
- Complete the SSL certificate request in SharePoint.
The code sample below creates a new certificate signing request specifying the organizational information, key algorithm and size, and path to the certificate signing request file that will be generated. The private key of this certificate will be exportable.
New-SPCertificate -FriendlyName "My SharePoint Certificate" -KeySize 2048 -CommonName sharepoint.onprem.com -AlternativeNames extranet.onprem.com, onedrive.onprem.com -OrganizationalUnit "My IT Department" -Organization "Me" -Locality "Redmond" -State "Washington" -Country "US" -Exportable -HashAlgorithm SHA256 -Path "\\server\fileshare\Team Sites Certificate Signing Request.txt"
The example below creates a new certificate signing request using the farm's default organizational information, key algorithm, and size. The private key of this certificate will not be exportable. The certificate signing request file is stored in Central Administration from where it can be used on any server in the farm.
New-SPCertificate -FriendlyName "My SharePoint Certificate" -CommonName sharepoint.onprem.com -AlternativeNames extranet.onprem.com, onedrive.onprem.com
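The three steps above carried through end to end, as an added example that is not code from the article or from Microsoft. It assumes certreq.exe is used to submit the request to the CA (the CA config string is a constructed placeholder; a standalone CA may hold the request pending until an administrator approves it), that Import-SPCertificate with -Path completes the pending request and returns the certificate object, and that Set-SPWebApplication accepts -Zone, -Port, -SecureSocketsLayer and -Certificate in Subscription Edition.

```powershell
# Added example: create, sign and complete a SharePoint certificate request.
# Not the article's code; cmdlet behaviour noted as assumptions in the comments.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$share   = "\\server\fileshare"                          # constructed path
$csrPath = Join-Path $share "Team Sites CSR.txt"
$cerPath = Join-Path $share "Team Sites.cer"

# Step 1: generate the CSR in SharePoint. No -Exportable, so the private key
# cannot be copied out of the farm later; that is the right default for a
# server certificate that only SharePoint needs.
New-SPCertificate -FriendlyName "Team Sites (2023)" `
    -CommonName sharepoint.onprem.com `
    -AlternativeNames extranet.onprem.com, onedrive.onprem.com `
    -KeySize 2048 -HashAlgorithm SHA256 `
    -Path $csrPath

# Step 2: submit the CSR to the CA. "ca.onprem.com\Onprem Issuing CA" is a
# placeholder CA config string. With a standalone CA the request is usually
# held for manual approval; in that case fetch it afterwards with
# certreq -retrieve and copy the issued .cer to $cerPath.
& certreq.exe -submit -config "ca.onprem.com\Onprem Issuing CA" $csrPath $cerPath
if (-not (Test-Path $cerPath)) { throw "The CA has not issued the certificate yet" }

# Step 3: complete the request. SharePoint pairs the issued certificate with the
# pending private key and distributes it to every server in the farm.
# Assumption: the cmdlet returns the imported certificate object.
$cert = Import-SPCertificate -Path $cerPath

# Guard against assigning a certificate the CA issued with a short lifetime.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Issued certificate expires on $($cert.NotAfter); check the CA template"
}

# Bind the certificate to the Default zone of the web application on port 443.
# Assumption: parameter set as documented for Subscription Edition.
Set-SPWebApplication -Identity "https://sharepoint.onprem.com" `
    -Zone Default -Port 443 -SecureSocketsLayer -Certificate $cert
```

Keeping the private key non-exportable means a copy of the CSR file or the .cer on the share is harmless on its own; only the PFX export path (covered later) ever carries the key, so that is the artifact to protect.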
You can use the Get-SPCertificate cmdlet to find and report on existing certificates in the farm.
If no parameters are specified, the Get-SPCertificate cmdlet returns all certificates in the farm. However, it can also return a single certificate that matches the Identity parameter or multiple certificates that meet the filtering criteria of the optional parameters.
These examples of the Get-SPCertificate cmdlet show how it can be used to retrieve current Certificates but also query certificates for their validity periods.
Get-SPCertificate -DisplayName "My SharePoint Certificate"
This example gets all certificates in the farm with the display name "My SharePoint Certificate".
Get-SPCertificate -InUse -DaysToExpiration 30
This example gets all certificates that are in use and will expire within the next 30 days.
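The expiry query above turned into a scheduled report, as an added example that is not the article's code. It assumes the objects returned by Get-SPCertificate expose DisplayName, Subject and NotAfter properties, and that -DaysToExpiration also returns certificates that have already expired (the EXPIRED branch handles that case either way).

```powershell
# Added example: report in-use certificates approaching expiry, graded by severity,
# so a scheduled task or monitoring job can alert before a site outage.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPCertificateExpiryReport {
    param(
        [int]$WarnDays     = 30,   # report anything expiring within this window
        [int]$CriticalDays = 7     # escalate when fewer days than this remain
    )
    $now = Get-Date
    # Only certificates actually assigned to SharePoint objects matter here;
    # an unused, expiring certificate is housekeeping, not an outage risk.
    Get-SPCertificate -InUse -DaysToExpiration $WarnDays | ForEach-Object {
        # Assumption: NotAfter is exposed on the SharePoint certificate object.
        $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
        $severity = if ($daysLeft -lt 0)               { "EXPIRED" }
                    elseif ($daysLeft -le $CriticalDays) { "CRITICAL" }
                    else                                 { "WARNING" }
        [pscustomobject]@{
            Severity    = $severity
            DisplayName = $_.DisplayName
            Subject     = $_.Subject
            NotAfter    = $_.NotAfter
            DaysLeft    = $daysLeft
        }
    } | Sort-Object DaysLeft
}

$report = Get-SPCertificateExpiryReport -WarnDays 30 -CriticalDays 7
$report | Format-Table -AutoSize

# Exit non-zero when something needs action, so Task Scheduler or a monitoring
# agent running this script can raise an alert on the exit code alone.
if ($report | Where-Object { $_.Severity -in @("EXPIRED", "CRITICAL") }) { exit 2 }
exit 0
```

Run it from a SharePoint server under a farm administrator account; the built-in certificate health analyzer rules (thresholds set with Set-SPCertificateSettings, discussed below) cover the same ground inside Central Administration, so this script is for feeding an external monitoring system rather than a replacement for them.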
SharePoint has the capability to export certificates into various file formats, including PFX (PKCS #12) files, P7B (PKCS #7) files, and CER files. PFX and P7B files can hold multiple certificates, which is beneficial for exporting a certificate chain from the end entity (leaf) certificate to the root certificate. However, only PFX files can hold private keys for certificates, which are required for assigning a server certificate to an IIS website. On the other hand, CER files can only hold a single certificate.
This example of the Export-SPCertificate cmdlet exports the certificate named “My SharePoint Certificate”, together with every certificate in its certification path, to the certificates.pfx file stored on the designated fileshare. The -Password parameter takes a SecureString (held here in the $password variable) that protects the exported private key.
Export-SPCertificate -Identity "My SharePoint Certificate" -Password $password -IncludeAllCertificatesInCertificationPath -Path "\\server\fileshare\certificates.pfx"
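The export above with the password handled as a SecureString and the resulting PFX verified, as an added example that is not the article's code. It assumes the certificate was created with -Exportable (otherwise the private key cannot leave the farm) and uses the .NET X509Certificate2 constructor that accepts a file path and a SecureString to open the file.

```powershell
# Added example: export a certificate chain to PFX without a plaintext password
# in the script, then confirm the file opens and carries the private key.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$pfxPath  = "\\server\fileshare\certificates.pfx"     # constructed path
# Prompt instead of hard-coding: the password guards the private key.
$password = Read-Host -Prompt "PFX export password" -AsSecureString

Export-SPCertificate -Identity "My SharePoint Certificate" `
    -Password $password `
    -IncludeAllCertificatesInCertificationPath `
    -Path $pfxPath

# Verification: open the PFX with the same SecureString. This constructor
# overload (string path, SecureString password) exists in .NET Framework.
$check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $password)
if (-not $check.HasPrivateKey) {
    throw "PFX was written without a private key; was the certificate created with -Exportable?"
}
"Exported {0}; valid until {1}" -f $check.Subject, $check.NotAfter

# The PFX is now equivalent to the private key itself: restrict the share ACL
# to the administrators who need it and delete the file once it has been used.
```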
The Renew-SPCertificate PowerShell cmdlet enables the renewal of SSL certificates in SharePoint. This involves creating a new certificate signing request using the properties of an existing certificate and is the initial phase of a three-step process. In a certificate renewal operation, when a certificate is imported, the -Replace switch parameter can be specified with the Import-SPCertificate cmdlet. This instructs SharePoint to automatically replace the certificate assignments of the renewed certificate with the new one.
To provide an example specific to this cmdlet, the following renews the certificate named My SharePoint Certificate (2022) with a new one whose friendly name is updated to My SharePoint Certificate (2023). It generates the signing request at the same time and reuses the organizational information of the original certificate.
Renew-SPCertificate -Identity "My SharePoint Certificate (2022)" -FriendlyName "My SharePoint Certificate (2023)" -Exportable -Path "\\server\fileshare\My SharePoint Certificate Signing Request.txt"
To remove a certificate from SharePoint, you can use the Remove-SPCertificate cmdlet. This removes the certificate, along with any private key associated with it, from the Windows certificate store on all servers in the SharePoint farm and from the SharePoint configuration database. Removing a certificate in SharePoint is not allowed if it's assigned to a SharePoint object. To force the removal of a certificate, you need to override the default behavior. However, overriding the default behavior clears any existing assignments of the certificate.
This example removes the certificate named My SharePoint Certificate, along with its private key, from every server in the SharePoint farm.
Remove-SPCertificate -Identity "My SharePoint Certificate"
At times, an administrator may have already imported new certificates into the SharePoint Server Farm and is planning to replace them during a specific time frame. In such cases, the Switch-SPCertificate cmdlet can be used to substitute the assignments of a certificate with a different one. SharePoint handles the replacement of all certificate usage automatically.
For instance, the following example will switch all assignments that use the My SharePoint Certificate (2022) to the certificate with the friendly name My SharePoint Certificate (2023).
Switch-SPCertificate -Identity "My SharePoint Certificate (2022)" -NewCertificate "My SharePoint Certificate (2023)"
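The renewal, replacement and retirement sequence from the last three sections carried through as one procedure, as an added example that is not the article's code. It assumes the CA step has already produced the issued .cer file at the constructed path, that Import-SPCertificate with -Path completes the renewal request (the -Replace switch is the one the article describes), and it uses only the -InUse and -DisplayName filters of Get-SPCertificate to confirm the old certificate is no longer assigned before removing it.

```powershell
# Added example: renew a certificate, move its assignments to the new one,
# verify nothing still references the old certificate, then retire it.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$oldName = "My SharePoint Certificate (2022)"
$newName = "My SharePoint Certificate (2023)"
$share   = "\\server\fileshare"                                   # constructed path
$csrPath = Join-Path $share "My SharePoint Certificate Signing Request.txt"
$cerPath = Join-Path $share "My SharePoint Certificate (2023).cer"  # issued by the CA

# 1. Renew: a new CSR that copies the subject, SANs and organizational
#    information from the existing certificate. A fresh key pair is generated.
Renew-SPCertificate -Identity $oldName -FriendlyName $newName -Path $csrPath

# (CA signing happens here, as in the creation flow; $cerPath must exist.)
if (-not (Test-Path $cerPath)) { throw "Issued certificate not found at $cerPath" }

# 2. Complete the request. -Replace moves every assignment of the renewed
#    certificate (web application bindings and other uses) to the new one.
Import-SPCertificate -Path $cerPath -Replace

# 3. Verify: the old certificate must no longer be in use anywhere.
#    If it still is (for example because step 2 ran without -Replace),
#    Switch-SPCertificate performs the same reassignment explicitly.
$stillInUse = Get-SPCertificate -InUse | Where-Object { $_.DisplayName -eq $oldName }
if ($stillInUse) {
    Write-Warning "$oldName is still assigned; switching assignments explicitly"
    Switch-SPCertificate -Identity $oldName -NewCertificate $newName
}

# 4. Retire the old certificate and its private key from all farm servers.
#    Remove-SPCertificate refuses while assignments remain, which is the
#    safety net you want; do not force it unless the assignments are known.
if (-not (Get-SPCertificate -InUse | Where-Object { $_.DisplayName -eq $oldName })) {
    Remove-SPCertificate -Identity $oldName
    "Retired $oldName; $newName is now serving all of its assignments"
} else {
    throw "$oldName is still in use; investigate before removing it"
}
```

Leaving the old certificate in place until the check passes is deliberate: if the new certificate turns out to be wrong (missing SAN, untrusted chain on clients), Switch-SPCertificate can be run in the other direction to roll back without re-importing anything.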
Set Certificate Default Settings
SharePoint provides default settings for certificate management at the farm level. These default settings include properties for creating and renewing certificates, as well as setting thresholds for certificate health rules. To configure these default settings, the Set-SPCertificateSettings PowerShell cmdlet is used. An example of configuring certificate defaults is to set the organizational information for the company, which should be accurate and related to the domain registration for the corporation. By setting the defaults, administrators can ensure that they always match the approved defaults. For more information on setting defaults, please refer to the Microsoft Learn documentation for Set-SPCertificateSettings (SharePoint-Server).
SharePoint Server Subscription Edition provides a more efficient certificate management experience than previous versions and one that significantly simplifies the administrator’s tasks.
Certificates are used in many more scenarios than just encrypting website communication. I recommend that you gain a comprehensive understanding of certificates, not only for SharePoint but also for other scenarios too.