

Verify Your Certificate Approval and Install Your Client Authentication Certificate

The next step in creating a mutual trust relationship is verifying your approval and installing your client authentication certificate. Your IIS web server must have the client authentication certificate installed first before installing it on any SharePoint central administration or web front-end (WFE) servers.

Verify the status of your certificate request using the same IIS web server and Web browser from which you submitted the request. If your certificate is approved, install the certificate on your IIS web server first.

Follow these steps:

  1. Open the same Web browser that you used to request your certificate on your system hosting an IIS web server.
  2. Navigate to the following URL:
    https://fully_qualified_domain_name_of_server_running_active_directory_certificate_services/certsrv

    An example of such a URL is https://certificateauthority.example.com/certsrv.

  3. Click View the status of a pending certificate request.

    A list of your certificate requests appears.

  4. Click the link for your certificate request.

    The Certificate Issued screen appears. If it does not, contact the certificate administrator in your organization for more information.

  5. Click the Install Certificate link.

    A confirmation dialog appears.

  6. Click Yes.

    The certificate is installed under My User Account on your IIS web server. Continue with the next step of installing the certificate snap-ins on your IIS web server.
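The web enrollment page installs the approved certificate under My User Account, which in PowerShell is the Cert:\CurrentUser\My drive (the same store the Certificates - Current User/Personal folder shows in MMC). The following script is an added example, not part of the CA SiteMinder documentation; it checks that a certificate whose subject contains the assumed placeholder value in $ExpectedSubjectPart is present there, has its private key, carries the Client Authentication enhanced key usage, and chains to a root the IIS web server trusts.

```powershell
# Added example (not from the CA SiteMinder documentation): confirm that the
# client authentication certificate issued through the AD CS /certsrv page
# landed in the current user's Personal store on the IIS web server.
# Assumption: the certificate subject contains the value in
# $ExpectedSubjectPart (placeholder); replace it with your own.
param(
    [string]$ExpectedSubjectPart = 'iisserver.example.com'   # assumed placeholder
)

# Cert:\CurrentUser\My is "Certificates - Current User\Personal" in MMC.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$ExpectedSubjectPart*" }

if (-not $candidates) {
    Write-Warning "No certificate with subject containing '$ExpectedSubjectPart' in Cert:\CurrentUser\My. Re-check the pending request on /certsrv."
    return
}

# OID for the Client Authentication enhanced key usage.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

foreach ($cert in $candidates) {
    # Read the EKU extension directly from the X509Certificate2 object.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuValues = @()
    if ($ekuExt) {
        $ekuValues = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Subject       = $cert.Subject         # the "Issued to" name shown on the General tab
        Issuer        = $cert.Issuer          # should be your AD CS issuing CA
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # must be True: the key pair was generated on this server
        ClientAuthEku = ($ekuValues -contains $clientAuthOid)
        ChainValid    = $cert.Verify()        # builds a chain to a trusted root on this machine
    }
}
```

If HasPrivateKey is False, the request was submitted from a different user account or machine than the one running the script; the page's instruction to use the same IIS web server and Web browser for the request and the installation exists exactly to keep the key and the issued certificate together.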

Add the Certificate Snap-ins

The next step for creating a mutual trust relationship between the Claims WS and the CA SiteMinder claims provider is adding the certificate snap-ins.

Both the Computer account (Local computer) and My user account on your IIS web server require the Certificates snap-in.

Follow these steps:

  1. Click Start, Run.

    The Run dialog appears.

  2. Type mmc in the Open field, and then click OK.

    The Microsoft Management console appears.

  3. Click File, Add/Remove Snap-in.

    The Add or Remove Snap-ins dialog appears.

  4. In the Available snap-ins list, click Certificates, and then click Add.

    The Certificates snap-in dialog appears.

  5. Select the Computer account option button, and then click Next.
  6. Select the Local computer option button, and then click Finish.

    The Certificates snap-in dialog closes. The Certificates snap-in appears in the Selected snap-ins list.

  7. Click Certificates in the Available snap-ins list, and then click Add.

    The Certificates snap-in dialog appears.

  8. Select the My User Account option button, and then click Finish.
  9. Click OK.

    The Add or Remove Snap-ins dialog closes. The certificate snap-ins are added.

  10. Save your instance of the console for future use. Otherwise, the snap-ins do not appear in the future.

Export the Client Authentication Certificate from the Current User Certificate Store

The next step for creating the mutual trust relationship is exporting the client certificate from the current user certificate store.

The Windows operating environment uses several different locations within the same computer to store certificates. These locations vary depending on the user account type. Installing your client authentication certificate on your IIS web server placed it in the following store: Certificates - Current User/Personal.

Export the certificate from the current user certificate store so it can be added to the other certificate stores on the computer.

Follow these steps:

  1. Click Start, Run.

    The Run dialog appears.

  2. Type mmc in the Open field, and then click OK.

    The Microsoft Management console appears.

  3. Expand the console root folder, and then click Certificates - Current User.
  4. Expand Certificates - Current User/Personal, and then double-click the Certificates folder that contains your certificate.

    A list of certificates appears.

  5. Right-click your client authentication certificate, and then select All Tasks, Export.

    The certificate export wizard opens.

  6. Export the certificate using the Base-64 encoded X.509 (.cer) option.

    The client certificate is exported. Note the location of the exported certificate. Continue with the next step of importing the certificate into the local computer certificate store.

Import the Client Authentication Certificate into the Local Computer Certificate Store

The next step for creating the mutual trust relationship is importing the client authentication certificate into the local computer certificate store.

Import the client authentication certificate into the following certificate store on your IIS web server: Certificates (Local Computer)/Personal.

Follow these steps:

  1. Copy the client authentication certificate that you exported from the current user store to a directory on your IIS web server.
  2. Click Start, Run.

    The Run dialog appears.

  3. Type mmc in the Open field, and then click OK.
  4. Expand Certificates (Local Computer).
  5. Expand Personal.

    The certificates folder appears.

  6. Right-click the certificates folder, and then click All Tasks, Import.
  7. Import the certificate.

    The certificate appears.

  8. Double-click the client certificate. Verify that the General tab is selected.
  9. Note the value in the Issued to field. You need this name to register the endpoint for the claims search service.
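The export and import procedures above can be carried out from PowerShell in one pass. The script below is an added example, not part of the CA SiteMinder documentation: it writes the certificate from Cert:\CurrentUser\My as Base-64 encoded X.509 (.cer), imports that file into Cert:\LocalMachine\My (Certificates (Local Computer)/Personal), and reads the Issued to name that the page tells you to record. $Thumbprint and $ExportPath are assumed placeholders; Import-Certificate is assumed to be available (PKI module, Windows Server 2012 or later), and writing to the local computer store requires an elevated session.

```powershell
# Added example (not from the CA SiteMinder documentation): export the client
# authentication certificate from "Certificates - Current User\Personal" as
# Base-64 encoded X.509 (.cer), import it into
# "Certificates (Local Computer)\Personal", and read the "Issued to" name.
# Assumptions: $Thumbprint is the thumbprint shown on the certificate's Details
# tab (placeholder); $ExportPath is any directory on the IIS web server
# (placeholder); the session is elevated and the PKI module is installed.
param(
    [string]$Thumbprint = 'PASTE_THUMBPRINT_HERE',      # assumed placeholder
    [string]$ExportPath = 'C:\Temp\client-auth.cer'     # assumed placeholder
)

$cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop

# Base-64 encoded X.509 (.cer) is the DER encoding of the public certificate
# wrapped in PEM headers. It never carries the private key, which therefore
# stays in the current user's store, exactly as the wizard option does.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
New-Item -ItemType Directory -Path (Split-Path -Parent $ExportPath) -Force | Out-Null
Set-Content -Path $ExportPath -Value $pem -Encoding Ascii

# Import into the local computer's Personal store (Cert:\LocalMachine\My).
Import-Certificate -FilePath $ExportPath -CertStoreLocation Cert:\LocalMachine\My | Out-Null

# Verify the copy by thumbprint rather than by name, so a stale certificate
# with the same subject cannot be mistaken for the one just imported.
$copy = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $copy) {
    throw "Certificate $($cert.Thumbprint) not found in Cert:\LocalMachine\My after import."
}

# "Issued to" on the General tab is the CN of the Subject; this is the name
# used when registering the endpoint for the claims search service.
$issuedTo = ($copy.Subject -split ',\s*' |
    Where-Object { $_ -like 'CN=*' } |
    Select-Object -First 1) -replace '^CN=', ''

[pscustomobject]@{
    IssuedTo      = $issuedTo
    Subject       = $copy.Subject
    Thumbprint    = $copy.Thumbprint
    HasPrivateKey = $copy.HasPrivateKey   # False: a .cer import carries no private key
    ExportFile    = $ExportPath
}
```

Because the .cer file holds only the public certificate, the copy in the local computer store reports HasPrivateKey as False; that matches what the MMC steps above produce, and the private key remains in the current user store from which the certificate was exported. Keep the exported .cer file for the next step, installing the certificate on your SharePoint central administration and web front-end servers.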