Request and Install a Policy Server Token Signing Certificate [3]

Agent for SharePoint Guide › Request and Install a Policy Server Token Signing Certificate › Request and Install a Policy Server Token Signing Certificate [3]

Request and Install a Policy Server Token Signing Certificate [3]

The Policy Server requires an SSL certificate to sign the WS-Fed token it sends to the SharePoint claims provider. This certificate verifies that the WS-Fed token is from the Policy Server and not an unauthorized third party.

The following graphic describes the process for requesting and installing a Policy Server signing certificate:

This flowchart shows how to configure your Policy Server to sign WS-Fed tokens

Follow these steps:

Note: This procedure provides one possible example of how to configure this feature using third-party tools. CA Technologies did not develop nor provide these tools. These tools are subject to change at any time by the third party without notice. Use this procedure as a guide for configuring this feature in your specific environment. The actual steps that are required in your situation could be different from the steps that are shown here.

Review the certificate locations.
If you are using a self-signed certificate, go to Step 8.
Important! Do not use self-signed certificates in production environments. We recommend using self-signed certificates in test environments only.
Create a certificate request for a server certificate on an IIS web server.
Submit your server certificate request to the certificate authority.
Wait for the Certificate Services administrator to approve your server certificate request.
Verify your approval and download your server certificate and certificate chain.
Complete your certificate request (using the same IIS web server and browser from Step 3).
Export your server certificate files to the computer hosting the Policy Server.
Add a certificate to Policy Servers and create a trust file.
Provide the certificate files to your CA SiteMinder® Agent for SharePoint owner.
Provide the certificate files to your SharePoint administrator.

Token-Signing Certificate Locations in Your SharePoint Environment

The following illustration shows the typical locations of the certificates that sign your WS-Fed tokens in your SharePoint environment:

Diagram showing SSL Certificates used to sign WS-Fed tokens and their locations in your SiteMinder and SharePoint Environment

Create a Certificate Request for a Server Certificate on an IIS Web Server

Requesting a certificate is the first step in the process of creating a Policy Server signing certificate. Any IIS web server in your organization can request a certificate. Using an IIS web server hosted on your Policy Server is more convenient, because it eliminates exporting the certificates to the Policy Server.

Follow these steps:

Note: This procedure provides one possible example of how to configure this feature using third-party tools. CA Technologies did not develop nor provide these tools. These tools are subject to change at any time by the third party without notice. Use this procedure as a guide for configuring this feature in your specific environment. The actual steps that are required in your situation could be different from the steps that are shown here.

Open Internet Information Services (IIS) Manager.
Under Connections, click the web server.
Double-click Server Certificates.
A list of certificates appears.
Under Actions, click Create Certificate request...
The Create Certificate wizard appears.
Complete the wizard. Save the certificate request to a local file. We recommend using a distinctive name that is easy to remember. For example, ps_wsfed_signing_certificate_request.txt
The certificate request is created.

Submit Your Certificate Request to a Certificate Authority

After generating your certificate request on an IIS web server, request a certificate from the web server in your organization hosting Active Directory Certificate Services.

Skip this procedure in any of the following situations:

If you do not use Active Directory Certificate services in your organization.
You typically submit your certificate requests to an independent, third-party certificate authority.

In any of the previous situations, follow your typical procedures instead.

Follow these steps:

Open your web browser.
Navigate to the following URL:
```
https://fully_qualilfied_domain_name_of_server_running_active_directory_certificate_services/certsrv
```
An example of such a URL is http://certificateauthority.example.com/certsrv.
Click Request a certificate.
The Request a certificate screen appears.
Click the advanced certificate request link.
Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
The Submit a Certificate Request or Renewal Request screen appears.
Open the text file containing your certificate request with a text editor. Copy and paste the entire contents of the file into the Saved request field on the screen.
Click Submit.
The certificate pending screen appears.
Note the following items for future reference:
- Your request ID.
- Use the same browser to verify the status of your request within ten days.
The request is submitted.

Approve a Certificate Request using Active Directory Certificate Services

Certificate administrators approve or reject certificate requests. Certificate administrator privileges are separate from Administrator privileges. Not all users who have accounts on the computer hosting Active Directory Certificate services have sufficient privileges to approve or reject certificates.

If you have certificate administrator privileges on the web server to which your certificate was submitted, use this procedure. Otherwise, ask the certificate administrator to do this approval for you.

Follow these steps:

Log in to the web server hosting the Active Directory Certificate services using an account with Certificate administrator privileges.
Click Start, Administrative Tools, Certification Authority
The certsrv snap-in appears.
Click the name of the certification authority, and then click the pending request folder.
A list of pending certificate requests appears.
Right-click the request ID associated with the request for the Policy Server Signing certificate.
From the context menu, select All Tasks, Issue.
The certificate is issued.

Complete Your Certificate Request

After downloading your certificate (*.cer) file, complete your certificate request by adding the certificate to your IIS web server. Use the same IIS server from which you originally requested the certificate.

Follow these steps:

Open Internet Information Services (IIS) Manager.
The Start page appears.
Under Connections, click the web server.
Double-click Server Certificates.
A list of certificates appears.
Under Actions, click Complete Certificate Request...
The Complete Certificate Request wizard appears.
Complete the wizard by doing the following tasks:
1. Navigate to the *.cer file you downloaded previously.
2. Create a friendly name for the *.cer file.
The new certificate appears in the list of certificates.

Verify Your Approval and Download Your Certificate and Certificate Chain

Use the same IIS web server and web browser from which you submitted the request to verify the status of your certificate request. If your certificate is approved, download both the certificate and the certificate chain to your IIS web server.

Follow these steps:

Open your web browser you used to request your certificate.
Navigate to the following URL:
```
https://fully_qualilfied_domain_name_of_server_running_active_directory_certificate_services/certsrv
```
An example of such a URL is http://certificateauthority.example.com/certsrv.
Click View the status of a pending certificate request.
A list of your certificate requests appears.
Click the link for your certificate request.
The Certificate Issued screen appears. If it does not, contact the certificate administrator in your organization for more information.
Click the Base 64 Encoded option button.
Click all the following links and save the files to your web server:
- Copy Certificate. (downloads a *.cer file)
- Copy Certificate Chain (downloads a *.p7b file)
Your certificate is downloaded.

Export Your Policy Server Signing Certificate

Export your Policy Server Signing certificate with IIS manager. This export process creates a certificate file that you add to your Policy Server.

Follow these steps:

Open Internet Information Services (IIS) Manager.
The Start page appears.
Under Connections, click the web server.
Double-click Server Certificates.
A list of certificates appears.
Click your Policy Server signing certificate.
Your Policy Server signing certificate is selected.
Under Actions, click Export.
The Export Certificate dialog appears.
Do the following steps:
1. Click the ellipsis button and select a directory for your exported certificate.
  A browse dialog appears.
2. Enter a file name for your exported certificate.
3. Click Open.
  The browse dialog closes.
4. Enter a password for the exported certificate and confirm it.
  Note: You need this password to import this certificate into the central key store shared by the Policy Servers.
5. Click OK.
  The Export Certificate dialog closes and the certificate is exported.
Close the Internet Information Services (IIS) Manager.

Add a Policy Server Signing Certificate to Policy Servers and Create a Trust File

CA CA SiteMinder® requires a certificate to complete signing the WS-Token. CA CA SiteMinder® signs the WS-Token and sends it to SharePoint. To create a certificate for the WS-Token, import an existing certificate that contains both a private and a public key. After the certificate has been imported to the key store and been assigned an alias, export the certificate to your SharePoint Central Administration server to create a trust certificate.

This certificate often uses the Public-Key Cryptography Standards #12 (PKCS) format. In the following example, the password protects the PKCS#12 file.

Note: On Windows operating environments, a .pfx file is equivalent to a .p12 file.

Follow these steps:

Log on to the Administrative UI.
Add the Policy Server signing certificate to the Policy Servers with the following steps:
1. Click Infrastructure, X509 Certificate Management, Trusted Certificates and Private Keys.
  The trusted certificates and private keys screen appears.
2. Click Import New.
  The Import Certificate/Private key wizard starts.
3. Click the Browse button, navigate to the certificate that you want to import, and then click Next.
4. Enter the password with which you previously exported the certificate, and then click Next.
5. Highlight the text in the Alias field, and then type a new Alias for the certificate.
6. Click Next.
7. Review the information that is shown on the confirmation screen, and then click Finish.
  The Policy Server signing certificate is added the central key store on the Policy Servers. The Policy Server signing certificate appears in the list that is shown on the Administrative UI.
Create a trust certificate for your SharePoint central administration server with the following steps:
1. Locate the certificate from Step 2g in the list.
2. Click the Action drop-down list, and then choose Export.
  The Export Key Store Entry screen appears.
3. Verify that the following value appears in the format drop-down list:
```
X509-DER
```
4. Click Export.
5. Save the certificate to another location.
  The trust certificate for your SharePoint central administration server is created.
Copy the certificate from Step 3e to a directory on your SharePoint central administration server. This certificate is the trust certificate.
Copy any Certificate Authority Certificates in the certificate chain to a directory on your SharePoint central administration server.
Note: The Powershell script (which the SharePoint connection wizard creates) requires the paths to the following certificates on your SharePoint central administration server:
- The exported_certificate_file_name.cer (certificate) file.
- Any Certificate Authority certificates in the certificate chain.

More information:

Modify the PowerShell Script

Provide the Policy Server Signing Certificate Files to Your Agent Owner

The system hosting the CA SiteMinder® Agent for SharePoint needs a copy of Policy Server signing certificate. This copy helps the CA SiteMinder® Agent for SharePoint validate the WS-Fed tokens that the Policy Server sends. The certificate chain validates the Policy Server signing certificate.

Provide the following files to the administrator of the system that hosts the CA SiteMinder® Agent for SharePoint:

The Policy Server signing certificate file (.cer file) exported from the Policy Server.
Any Certificate Authority certificates in the certificate chain.

More information:

Install the Policy Server WS-Fed Token Signing Certificate on the Proxy Server

Provide the Certificate Files to Your SharePoint Administrator

The SharePoint central administration server needs a copy of Policy Server signing certificate. This copy helps the central administration server validate the WS-Fed tokens that the CA SiteMinder® Agent for SharePoint forwards from the Policy Server. The certificate chain validates the Policy Server signing certificate.

The SharePoint administrator must edit the PowerShell script that the SharePoint connection wizard generates to include references to these certificate files.

Provide the following files to the SharePoint administrator:

The Policy Server signing certificate file (.cer file) exported from the Policy Server.
Any Certificate Authority certificates in the certificate chain.

More information:

Configure the Trusted Identity Provider