
Updating expired SSL certificates for the Virtual Hosts on the Single Sign-On Agent for SharePoint 2010/2013


Article ID: 41830


Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Introduction:

The R12.52 SP1 Agent for SharePoint is built upon the Single Sign-On Access Control Gateway (formerly known as Secure Proxy Server), which consists of an Apache Web Server, the mod_jk connector, and a Tomcat proxy engine. SSL communication can be configured at three points: for the Apache Web Server (browser to Apache), for Tomcat when it hosts Web Applications (ClaimWS), and for Tomcat acting as the proxy (Tomcat to back-end Server). This article discusses updating expired SSL certificates for the Apache Web Server Virtual Hosts.

Question:

How can I update the expired SSL certificates for my VirtualHosts on the R12.52 SP1 Single Sign-On Agent for SharePoint 2010/2013?

Environment:

R12.52 SP1 Single Sign-On Agent for SharePoint 2010/2013

Answer: 

The steps to update the expired SSL certificates for your VirtualHosts on Apache for the Single Sign-On Agent for SharePoint 2010/2013 depend on whether the expired certificates are Self-Signed or signed by a RootCA.

Self-Signed Certificate

1.) Open a command-line window and navigate to the "C:\CA\Agent-for-SharePoint\SSL\bin" directory.

2.) Generate a new Self-Signed certificate using the existing Private Key. On Windows the existing Private Key should be in the "C:\CA\Agent-for-SharePoint\SSL\keys" directory; confirm its location in the "C:\CA\Agent-for-SharePoint\httpd\conf\extra\httpd-ssl.conf" file, where the "SSLCertificateKeyFile" directive for the associated VirtualHost points to it. The following example command uses OpenSSL to generate a new Self-Signed Server certificate (server.crt) from the existing Private Key (server.key).

ex. openssl req -new -x509 -key ..\keys\server.key -out server.crt -days 365 -config openssl.cnf

3.) Copy the resulting certificate into the "C:\CA\Agent-for-SharePoint\SSL\certs" directory. If the new certificate has the same file name as the expired one, it replaces it. If you gave the new certificate a different name, update the "SSLCertificateFile" directive for the associated VirtualHost in the "httpd-ssl.conf" file to point to the new certificate.

Certificate signed by a RootCA

1.) Open a command-line window and navigate to the "C:\CA\Agent-for-SharePoint\SSL\bin" directory.

2.) Generate a new Certificate Signing Request (CSR) based on the existing Private Key. On Windows the existing Private Key should be in the "C:\CA\Agent-for-SharePoint\SSL\keys" directory; confirm its location in the "C:\CA\Agent-for-SharePoint\httpd\conf\extra\httpd-ssl.conf" file, where the "SSLCertificateKeyFile" directive for the associated VirtualHost points to it. The following example command uses OpenSSL to generate a new CSR based on the existing unencrypted Private Key.

ex. openssl req -config openssl.cnf -new -key ..\keys\server.key -out ..\keys\server.csr

3.) Enter the values when prompted. The system generates a certificate request with the certificate file name and a request number.

4.) (Optional) Record the file name and the Certificate Signing Request for future reference.

5.) Submit the Certificate Signing Request to the Certificate Authority.

6.) Download the signed Server certificate and the RootCA certificates from the Certificate Authority.

7.) If the certificate was signed by a new RootCA, add the RootCA certificate and any intermediate CA certificates to the "C:\CA\Agent-for-SharePoint\SSL\certs\ca-bundle.cert" file. Copy each PEM-encoded certificate in full, including its "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, so that the Server can present the complete certificate chain to the browser.

8.) Copy the downloaded Server certificate into the "C:\CA\Agent-for-SharePoint\SSL\certs" directory. If the new certificate has the same file name as the expired one, it replaces it. If the new certificate was given a different name, update the "SSLCertificateFile" directive for the associated VirtualHost in the "httpd-ssl.conf" file to point to the new certificate.
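Before copying a renewed certificate into the "SSL\certs" directory under either procedure above, it is worth confirming three things: that the certificate really belongs to the Private Key the "SSLCertificateKeyFile" directive points at, that it is not already near expiry, and (for a CA-signed certificate) that it chains to the CA certificates held in "ca-bundle.cert". A mismatch on the first point is what produces an Apache that refuses to start after the swap. The following script is an added example, not part of this article or of the product; it assumes the openssl command-line tool is on the PATH (the Agent ships one under "SSL\bin") and stands in constructed key and certificate files in a temporary directory for server.key, server.crt and ca-bundle.cert. The function names and paths are placeholders. The individual openssl commands run unchanged from a Windows command prompt; only the surrounding POSIX shell syntax would need porting.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks for a renewed
# Apache VirtualHost certificate before it is copied into SSL\certs.
# Assumes the openssl CLI is on PATH. All file paths are placeholders
# supplied by the caller; nothing here touches the Agent's own files.

# cert_matches_key KEYFILE CERTFILE
# Succeeds when the certificate's public key was derived from KEYFILE, i.e.
# the renewed certificate belongs to the key SSLCertificateKeyFile points at.
# Compares the PEM public keys, so it works for RSA and EC keys alike.
cert_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# cert_valid_for_days CERTFILE DAYS
# Succeeds when the certificate will still be unexpired DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_chain_verifies BUNDLE CERTFILE
# Succeeds when CERTFILE chains to a CA contained in BUNDLE (the role
# ca-bundle.cert plays on the Agent host).
cert_chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_subject CERTFILE
# Prints the subject so the Common Name can be compared with the
# VirtualHost's ServerName before the swap.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# demo: builds a constructed key/cert pair in a temp dir and runs the checks.
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed self-signed pair standing in for server.key / server.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=sharepoint.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
    # A second key that does NOT belong to the certificate.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1

    if cert_matches_key "$dir/server.key" "$dir/server.crt"; then
        echo "server.key matches server.crt"
    fi
    if ! cert_matches_key "$dir/other.key" "$dir/server.crt"; then
        echo "other.key does not match server.crt (expected)"
    fi
    if cert_valid_for_days "$dir/server.crt" 30; then
        echo "server.crt is valid for at least 30 more days"
    fi
    # A self-signed certificate verifies against a bundle containing itself.
    if cert_chain_verifies "$dir/server.crt" "$dir/server.crt"; then
        echo "server.crt chains to the bundle"
    fi
    cert_subject "$dir/server.crt"
    rm -rf "$dir"
}

demo
```

Run the three checks against the real files (the key from "SSL\keys", the downloaded certificate, and "ca-bundle.cert") before step 8; a failing `cert_matches_key` means the CSR was not generated from the key Apache is configured to load, and a failing `cert_chain_verifies` means the bundle is missing the issuing RootCA or an intermediate from step 7.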
Environment

Release:
Component: SMSPA