

Request a Client Certificate

A mutual trust relationship between the SharePoint web front-end (WFE) servers and the ClaimsWS service is required for secure communications.

The first step in creating this relationship is requesting a client authentication certificate. This certificate is installed on all SharePoint WFE servers. The WFE servers present it when they call the ClaimsWS service, which lets ClaimsWS verify the identity of each WFE server.

Several tools are available for creating certificates. This procedure provides one possible example using the Active Directory Certificate Services web enrollment pages and IIS 7.

If your organization uses different tools or procedures to create client certificates, use those instead.

If you already have a client authentication certificate, skip this procedure.

Follow these steps:

  1. Open a web browser on a system running IIS, such as one of the SharePoint WFE servers. The private key is generated on the system where the browser runs.
  2. Navigate to the following URL:
    https://fully_qualified_domain_name_of_server_running_active_directory_certificate_services/certsrv
    

    An example of such a URL is https://certificateauthority.example.com/certsrv. Use HTTPS so that the request and the enrollment pages are not exposed to tampering in transit.

  3. Click Request a certificate.

    The Request a certificate screen appears.

  4. Click the advanced certificate request link.
  5. Click Create and submit a request to this CA.

    An Advanced Certificate Request form appears.

  6. Complete the form, using the following examples as a guide:
    Name: SiteMinderClaimsProvider
    E-Mail: admin@support.example.com
    Company: Example
    Department: Support
    City: your_city
    State: your_state
    Country/Region: your_country
    Type of Certificate Needed: Client Authentication Certificate
    Mark keys as exportable: ENABLED
    Friendly Name: SiteMinderClaimsProvider
    

    Note: In the Type of Certificate Needed drop-down list, verify that Client Authentication Certificate is selected. The keys must be exportable because the same certificate is installed on every WFE server; protect the exported key file with a strong password and delete it after it is imported on each server.

  7. Click Submit.

    A confirmation dialog appears.

  8. Click Yes.

    The request is submitted.

  9. Note the request ID shown on the confirmation page for future reference. The certificate administrator uses it to locate the request in the Pending Requests folder, and you use it to retrieve the issued certificate.
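The following PowerShell script is an added example, not part of the original procedure, that performs the same request from the command line with certreq.exe instead of the /certsrv web pages. It builds a request with the client authentication EKU, an exportable 2048-bit RSA key in the machine store, and the subject fields from the form above, then submits it to the CA. The CA config string and the subject values are assumptions for illustration; run it in an elevated PowerShell session on a WFE server.

```powershell
# Added example, not the product's own tooling. Run elevated on a SharePoint WFE.
$CaConfig = 'certificateauthority.example.com\Example-CA'  # assumption; 'certutil -dump' lists CA config strings
$Friendly = 'SiteMinderClaimsProvider'
$Subject  = 'CN=SiteMinderClaimsProvider, OU=Support, O=Example, L=your_city, S=your_state, C=US'  # assumed values
$WorkDir  = Join-Path $env:ProgramData 'ClaimsWS-cert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath  = Join-Path $WorkDir 'request.inf'
$ReqPath  = Join-Path $WorkDir 'request.req'
$CerPath  = Join-Path $WorkDir 'ClaimsWS-client.cer'

# The INF mirrors the web form: client authentication EKU (1.3.6.1.5.5.7.3.2),
# an exportable key (the same certificate goes on every WFE), and the key in
# the machine store so services on this server can use it.
@"
[NewRequest]
Subject = "$Subject"
FriendlyName = "$Friendly"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path $InfPath -Encoding ASCII

# Generate the key pair and the PKCS#10 request.
certreq -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Decode the request before sending it: the subject and EKU shown here are
# exactly what the CA will sign.
certutil -dump $ReqPath

# Submit to the CA. When the CA holds requests for manual approval, certreq
# prints "RequestId: N" followed by "Certificate request is pending".
$submit = certreq -submit -config $CaConfig $ReqPath $CerPath 2>&1
$submit
$m = [regex]::Match(($submit -join "`n"), 'RequestId:\s*(\d+)')
if ($m.Success) {
    "Request ID $($m.Groups[1].Value) submitted. Give this ID to the certificate administrator."
} else {
    Write-Warning 'No RequestId found in certreq output; review the output above before continuing.'
}
```

Once the administrator issues the request, `certreq -retrieve <RequestId> <file.cer>` on the same server downloads the signed certificate, which is the subject of the next topic.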

Generate the Client Authentication Certificate

The next step in configuring a mutual trust relationship between the claims search service and the claims provider is generating the client authentication certificate, which means having a certificate authority process your request.

After the certificate authority receives your certificate signing request, it processes the request and returns the signed certificate.

Some organizations use third-party certificate authorities to sign their certificate requests. Other organizations have an internal group that operates a certificate authority.

The following procedure demonstrates the process for approving a certificate with Microsoft Active Directory Certificate Services.

Certificate administrators approve or reject certificate requests. In Active Directory Certificate Services this is the Issue and Manage Certificates permission on the CA, which is separate from Administrator privileges in the Windows operating environment. Not all users who have accounts on the computer hosting Active Directory Certificate Services have sufficient privileges to approve or reject certificates.

Use this procedure if you have certificate administrator privileges. Otherwise, ask the certificate administrator in your organization to issue the certificate for you.

Follow these steps:

  1. Log on to the server hosting Active Directory Certificate Services using an account with certificate administrator privileges.
  2. Click Start, Administrative Tools, Certification Authority.

    The Certification Authority (certsrv) snap-in appears.

  3. Expand the name of the certification authority, and then click the Pending Requests folder.

    A list of pending certificate requests appears.

  4. Right-click the request ID associated with the request for the client certificate. Before issuing, confirm that the requester name and the common name (SiteMinderClaimsProvider in the example above) match the request you expect; issuing a request you did not expect gives that requester a credential that ClaimsWS will trust.
  5. From the context menu, select All Tasks, Issue.

    The certificate is issued.

    Continue with the next step of downloading and importing the certificate.
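The following PowerShell script is an added example, not part of the original procedure, that does the same approval from the CA's command line with certutil instead of the Certification Authority snap-in. It lists pending requests, looks up the one request by ID, refuses to issue unless the common name matches what the requester agreed to, and then issues it and confirms the new disposition. Run it on the CA server with an account that holds the Issue and Manage Certificates permission. The request ID and expected common name are assumptions for illustration.

```powershell
# Added example, not the product's own tooling. Run on the CA as a certificate manager.
$RequestId  = 7                            # assumption: the ID the requester noted at submission
$ExpectedCN = 'SiteMinderClaimsProvider'   # the common name agreed with the WFE administrator

# Disposition 9 = pending. Show everything waiting so the ID can be cross-checked.
"Pending requests on this CA:"
certutil -view -restrict "Disposition=9" -out "RequestID,RequesterName,CommonName"

# Pull the details of the one request we were asked to approve.
$detail = certutil -view -restrict "RequestID=$RequestId" -out "RequestID,RequesterName,CommonName,Disposition" 2>&1
$detail
$text = $detail -join "`n"

# Refuse to issue if the request is not pending or the subject is not the one expected.
# Issuing a certificate vouches that the key belongs to the WFE servers.
if ($text -notmatch 'Disposition:.*\(9\)') {
    throw "Request $RequestId is not in the pending state; nothing to issue."
}
$m = [regex]::Match($text, 'Common Name:\s*"?([^"\r\n]+)"?')
if (-not $m.Success) { throw "Request $RequestId has no common name; refusing to issue." }
$actualCN = $m.Groups[1].Value.Trim()
if ($actualCN -ne $ExpectedCN) {
    throw "Request $RequestId has CN '$actualCN' but '$ExpectedCN' was expected. Not issuing; use 'certutil -deny $RequestId' if it is bogus."
}

# certutil -resubmit on a pending request is the command-line equivalent of
# All Tasks > Issue in the snap-in.
certutil -resubmit $RequestId
if ($LASTEXITCODE -ne 0) { throw "certutil -resubmit failed with exit code $LASTEXITCODE" }

# Confirm the disposition is now Issued (20); the requester retrieves the
# certificate with 'certreq -retrieve <RequestId> <file.cer>'.
certutil -view -restrict "RequestID=$RequestId" -out "RequestID,CommonName,Disposition"
```

The subject check is the step most often skipped when approving from the snap-in; doing it in the script makes the approval reproducible and leaves the certutil output as a record of what was issued and why.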