Export (0) Print
Expand All

How to Create an SSL Certificate for Testing Service Provider Foundation

Updated: November 1, 2013

Applies To: System Center 2012 SP1 - Orchestrator

Service Provider Foundation requires that a Secure Sockets Layer (SSL) server certificate be configured for its website bindings. The Service Provider Foundation website is the endpoint for the Admin service and the Virtual Machine Manager (VMM) service that use Representational State Transfer (REST) and Open Data Protocol (OData) technology to communicate with clients and portal applications.

noteNote
If you are installing Service Provider Foundation 2012 R2, you do not have to use this procedure because you can select the Generate a self-signed certificate option in the setup wizard instead.

The certificate should conform to the following recommendations:

  • A self-signed certificate should be used only for testing purposes.

  • The fully qualified domain name (FQDN) should be specified for the certification path instead of ”localhost”.

  • A self-signed certificate should be placed in the personal or webhosting store.

There are several ways to create a self-signed certificate. The following procedure uses the makecert.exe (Certificate Creation Tool) tool to create a self-signed certificate that is signed with root authority. There are actually two certificates: a self-signed certificate with root authority that signs the self-signed certificate that Service Provider Foundation uses.

To create a self-signed certificate for SSL authentication

  1. Open a command prompt as Administrator.

  2. Run the following command to install a self-signed certificate with root authority in the personal or webhosting store of the local computer:

    makecert -pe -n "CN=TestRootCA" -ss personal -sr LocalMachine -sky signature -r "TestRootCA.cer"
    
  3. Run the following elevated command to create a new certificate that is signed by the test root authority certificate that you just created. Replace contoso.skyspace.com in the command with the actual FQDN of the server where you will install Service Provider Foundation. This is the only change that you must make to the command.

    makecert -pe -n "CN=contoso.skyspace.com" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "TestRootCA" -is personal -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 SPFTestCert.cer
    

You can now select your self-signed certificate in the Service Provider Foundation setup wizard on the Specify a Location for the SPF files page. The certificate name appears in the Certificate Name list with the FQDN as its name, for example, CN=TestRootCA(contoso.skyspace.com).

The certificate that is described in this topic should be not confused with a tenant's certificate that is used for claims-based authentication.

To verify the certificate configuration in IIS after installing Service Provider Foundation

  1. Run Internet Information Services (IIS) Manager.

  2. In the Connections pane, under Sites, right-click the SPF site, and then click Edit bindings.

  3. In the Site Bindings dialog box, select the HTTPS binding, and then click the Edit button.

  4. In the Edit Site Binding dialog box, the SSL Certificate should be set to the self-signed certificate that you created in the previous procedure.

See Also

-----
For additional resources, see Information and Support for System Center 2012.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012. For instructions and examples, see Search the System Center 2012 Documentation Library.
-----
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft