Step 1 – Creating High Trust Certificate

Published by Mohit Agrawal on

This is first step for token generation. We need to create a certificate for which access token is generated.

For this you can create a self – signed certificate. Easiest way to create a self signed certificate is from IIS. Here we will discuss 2 approach.

  • Creating certificate from IIS
  • Using PowerShell this involves creating of Local Root Authority certificate also

You can use any one of them to generate certificate. In later parts, If you choose first approach some scripts might not needed.

Path1 – Creating certificate from IIS 

  • Open you IIS
  • Click on server/machine name
  • Go to Server Certificates
  • On the right side you get Option to “Create Self Signed Certificate”
  • Click in “Create Self Signed Certificate” link
  • In popup provide Friendly name. for eg. “HighTrustTokenCert
  • Select Certificate Store as “Personal”
  • Click OK.

Once completed you can see your certificate in all Server Certificate List.

 

Path 2 – Using PowerShell to create self sign certificate with local Root Authority

In this, we will be creating certificate with chain i.e. the self signed certificate has a valid Root Authority and our certificate is then coming from that Root Authority. This the general behavior when we see PROD environments.

Since we working on local machine and creating is root authority so going on we will saying this Local Authority as “LocalRootCA“. Do not get confused by name in PROD environment this is either is Valid CA or Company CA.

Open Powershell as Admin and run the below ps commands.

$localRootCA = New-SelfSignedCertificate -Certlocation "Cert:\localmachine\my" -Type Custom -Subject "LocalRootCA" -keySpec Signature -KeyUsageProperty Sign -KeeyUsage CertSign

This command will generate a certificate as “LocalRootCA” in your Local Machine -> Personal Folder ( we will check this later)

Now our LocalRootCA is created. we need to create another certificate which is inherited from this LocalRootCA. for this run below PS

New-SelfSignedCertificate -Certlocation "Cert:\localmachine\my" -Type Custom -Subject "HighTrustTokenCert" -keySpec Signature -Signer $localRootCA

Above step will create new certificate as HighTrustTokenCert for which the Issuer is LocalRootCA 

 

Steps to Newly Generated Validate Certificates

  • Click on Windows Icon
  • Search for “MMC” (mmc Run Command)
  • In Console Root,  Go to Files – > Add/Remove Snap In
  • Select Certificates for Local Computer -> OK
  • You can see different folders for Certificate for Local Computer
  • Go to Personal – > Certificates
  • Here you can see certificate for local machine. You can see your newly created Certificate also.
  • Double Click on “HighTrustTokenCert” and check whether certificate is valid or not. You can click on “Certification Path” too

If you have not done any steps other then above said. You generally see a Red Cross sign stating “Certificate is not Valid as its Root Authority not found as Trusted”. You need to follow below to resolve this issue.

  1. Double click on “LocalRootCA” certificate which is present under “Personal” certificates folder
  2. LocalRootCA certificate details will open. By default “General” tab is open
  3. Go to “Details” tab.
  4. Down below, Click on button “Copy to Files” ( this will open export wizard)
  5. Click “Next” on Certificate Export Wizard
  6. Choose “No, do not export the private Key”. Click Next
  7. Choose DER encode binary x.509 (.CER)
  8. Click Next
  9. Browse for Path. In my case I added to “C:\Documents\LocalRootCA\LocalRootCA.cer”
  10. Click Next to finish Wizard

This will export LocalRootCA certificate to your drive. Now we need to import this certificate under “Trusted Root Certificates” folder in order to make locally created root authority as trused.

Steps to Import Root CA 

  1. Expand “Trusted Root Certificate” folder for Local Machine
  2. Right Click on Certificates folder
  3. You see option for All Tasks – > Import
  4. Click Import
  5. This opens Certificate Import Wizard
  6. Select Local Machine.
  7. Click Next
  8. In Browse, Select the LocalRootCA.cer file which we exported in previous steps
  9. Click Next to Finish Import

This will import LocalRootCA certificate under “Trusted Root Certificate” folder. This folder contains only those certificated where “Issue By” and “Issued To” is same. Check if there certificated which where “Issue By” and “Issued To” not match. If there are such certificates delete them.

Now you imported your LocalRootCA certificate in “Trusted Root” folder. Again go to Personal -> Certificated folder to verify “HighTrustTokenCert”

If you verify now, you will see that there is no error in certificate. Also if you check “Certification Path” the no error or cross present.

 

Conclusion

By doing above steps we have created a valid self signed certificate, which is later be used to generate token.

 

Checkout next post to on this topic “How to access SharePoint from WCF”

 

 3,564 total views,  5 views today

Care to Share?
      
Categories: SharePoint

Mohit Agrawal

Experience in SharePoint developement, migration.

0 Comments

Leave a Reply

Related Posts

SharePoint

Step 4 – Registering App in SharePoint & Providing Permission

In this article, we will learn to register SharePoint Add-In. Do not get confused by word SharePoint Add-In. App and Add-In points to same object. We will be using SharePoint UI Interface to register and Read more…

SharePoint

Step 3 – Adding certificate to SharePoint for token generation

By doing previous Steps, you have created your high trust certificate and export that into .CER and .PFX files. In this step, we will we registering our certificate (HighTrustTokenCert) into SharePoint, so SharePoint can generate Read more…

SharePoint

Step 2 – Exporting Certificate to .CER & .PFX

Once you created you created your self signed certificate you need to export it .CER and .PFX extension. These .CER & .PFX files are used in later parts to import these certificate Complete below step Read more…