Manage certificates (FAST Search Server 2010 for SharePoint)

Applies to: FAST Search Server 2010

FAST Search Server 2010 for SharePoint uses several certificates for authentication and encryption purposes. The certificates are used both for communication between servers in a multiple server FAST Search Server 2010 for SharePoint farm, and between FAST Search Server 2010 for SharePoint and Microsoft SharePoint Server 2010.

Each server in a FAST Search Server 2010 for SharePoint farm can hold up to three kinds of certificates, which serve different functions and must be configured (and replaced) separately:

  • General purpose certificate

    A self-signed FAST Search certificate (for test environments) or a certificate signed by a certificate authority (for production environments). The self-signed certificate should be replaced with a farm-wide or server specific CA signed certificate that supports the existing certificate infrastructure of the organization. The general purpose certificate is used for internal communication, administration services and to enable secure content feeding from SharePoint Server to FAST Search Server 2010 for SharePoint.

  • Query HTTPS certificate

    A server-specific certificate to encrypt query traffic that uses HTTPS. Only used on query servers that have HTTPS query traffic enabled.

  • Claims certificate

    A claims certificate to enable item level security trimming on queries. Only used on query servers.

This article describes the steps needed to replace these certificates because of, for example, expiration or revocation.

We highly recommend that you replace the default self-signed general purpose certificate with a CA signed certificate when you move your deployment from test to production.

In this section:

  • Self-signed general purpose FAST Search certificate

  • Certificates signed by a certification authority (CA)

  • Replacing the default self-signed certificate

  • Replacing the query HTTPS certificate

  • Replacing the claims certificate

Self-signed general purpose FAST Search certificate

During initial installation, FAST Search Server 2010 for SharePoint generates a self-signed certificate. The self-signed certificate is only meant to be used in test environments. There are several limitations to this default self-signed certificate:

  • It expires after one year from the time of configuration.

  • It provides limited security because it cannot be revoked. If its private key were compromised, an attacker could spoof identities or inject data into connections, and there would be no way to invalidate the certificate.

  • It cannot be used to enable queries over HTTPS.

  • It cannot be used to enable administration services over HTTPS.

Certificates signed by a certification authority (CA)

To help achieve a high level of security in a production environment, we recommend that you use certificates signed by a common certification authority (CA) for FAST Search Server 2010 for SharePoint.

Your organization may have an existing public key infrastructure (PKI) that can issue these certificates. If your organization does not have an existing PKI, you can acquire certificates from a third-party certificate issuing authority. Your organization may also have its own business processes and tools to issue and manage CA signed certificates. No particular certificate template or property set is required, but the requirements listed below must be met. Authorization is done by matching the thumbprint of the CA signed certificate across servers and by checking that the certificate issuer is trusted.

The CA signed certificate must be installed on each server in a multiple server FAST Search Server 2010 for SharePoint farm.

The following requirements apply to each certificate:

  • The subject name or subject alternative name (SAN) field must contain the fully qualified domain name (FQDN) of the server that the certificate is issued to. This is required to support queries over HTTPS and administration services over HTTPS.

  • The certificate that is issued to SharePoint Server 2010 must have the same issuer as the certificates that are issued to servers in the FAST Search Server 2010 for SharePoint farm.

  • The FAST Search Server 2010 for SharePoint user must have access to the private key of the certificate.

  • The certificate must support private key exchange.
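The following Windows PowerShell script is an added example that is not part of FAST Search Server 2010 for SharePoint or its installer scripts. It walks the certificates in Certificates(Local Computer)\Personal and checks each one against the requirements above (FQDN in subject or SAN, chain to a trusted root, private key present and opened by the current account, key supports exchange, not expired), printing the thumbprint of any certificate that passes so it can be passed to ReplaceDefaultCertificate.ps1. It assumes PowerShell 2.0 on the FAST Search server, that the server's FQDN can be resolved from its host name (override $fqdn if not), and that the keys are CryptoAPI (CSP) keys, which is what the product expects.

```powershell
# Added example (not a FAST Search Server 2010 for SharePoint script).
# Checks LocalMachine\My certificates against the documented requirements.

# Assumption: the local host name resolves to the server's FQDN. Override if needed.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-FastCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # Requirement: subject name or SAN must contain the server FQDN.
    $dnsName = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { "" }
    if ($dnsName -ne $fqdn -and $sanText -notmatch [regex]::Escape($fqdn)) {
        $problems += "subject/SAN does not contain $fqdn"
    }

    # Requirement: issuer must be trusted, i.e. the chain must build to a root in
    # Trusted Root Certification Authorities. Revocation is skipped here so the
    # check works offline; remove NoCheck to also test CRL reachability.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
        $problems += "chain does not build to a trusted root ($status)"
    }

    # Requirements: private key present and usable, and the key must support
    # key exchange (AT_KEYEXCHANGE), not signature only.
    if (-not $Cert.HasPrivateKey) {
        $problems += "no private key"
    } else {
        try {
            $key = $Cert.PrivateKey   # throws if the current account has no access
            if ($key -eq $null) {
                $problems += "private key is not a CSP key; FAST Search requires a CryptoAPI key"
            } elseif ($key.CspKeyContainerInfo.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
                $problems += "key is Signature only; private key exchange is required"
            }
        } catch {
            $problems += "private key cannot be opened by the current account"
        }
    }

    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($Cert.NotAfter)" }
    return $problems
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
foreach ($cert in $store.Certificates) {
    $problems = @(Test-FastCertificate $cert)
    if ($problems.Count -eq 0) {
        Write-Host "OK  $($cert.Thumbprint)  issuer: $($cert.Issuer)"
    } else {
        Write-Host "NO  $($cert.Thumbprint)  $($cert.Subject): $($problems -join '; ')"
    }
}
$store.Close()
```

Run it in the FAST Search shell as an administrator on every server in the farm and on the SharePoint server that hosts the Content SSA; the issuer printed on each OK line must be the same everywhere, which is the cross-server requirement that a single machine cannot verify on its own.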

Replacing the default self-signed certificate

FAST Search Server 2010 for SharePoint includes a Windows PowerShell script that must be run on each server in the deployment to replace the default self-signed certificate. The script can perform two separate tasks:

  • Recommended: Configure FAST Search Server 2010 for SharePoint to use an existing certificate that is signed by a certification authority (CA) by supplying the thumbprint of an already installed certificate. See Replace the self-signed certificate with a certificate signed by a certification authority (CA).

  • Create a new self-signed certificate (with a one year expiration) and configure FAST Search Server 2010 for SharePoint to use the new certificate. See Replace the self-signed certificate with a new self-signed certificate.

Replace the self-signed certificate with a certificate signed by a certification authority (CA)

  1. Stop FAST Search Server 2010 for SharePoint on all servers in the farm, including the monitoring service.

  2. On each server in the FAST Search Server 2010 for SharePoint farm:

    1. Make sure that the new CA signed certificate is installed correctly:

      The CA signed certificate must be installed under Certificates(Local Computer)\Personal in the certificate store.

      The root CA signed certificate must be installed under Certificates(Local Computer)\Trusted Root Certification Authorities.

    2. Make sure that the FAST Search Server 2010 for SharePoint user has access to the private key of the certificate.

  3. On the FAST Search Server 2010 for SharePoint administration server, follow these steps:

    1. Find the thumbprint of the CA signed certificate.

      1. Open Microsoft Management Console. Click Start and then type MMC in the Search box. Click MMC under Programs.

      2. Expand the Certificates (Local computer) menu under Console Root.

        Optional: If the Certificates (Local computer) menu is not visible, the Certificates snap-in is not enabled. To enable the Certificates snap-in:

        1. Click File and then click Add/Remove Snap-in.

        2. Select Certificates from the list of Available snap-ins and then click Add.

        3. Select Computer account and then click Next.

        4. Select Local computer and then click Finish.

        5. Click OK in the Add or Remove Snap-ins menu.

      3. Expand the Personal folder and then click the Certificates folder. Double-click the CA signed certificate.

      4. Open the Details tab and then click Thumbprint.

    2. On the Start menu, click All Programs.

    3. Click Microsoft FAST Search Server 2010 for SharePoint and then Microsoft FAST Search Server 2010 for SharePoint shell.

    4. At the command prompt, browse to installer\scripts under the installation folder.

    5. Type one of the following commands:

      If you use one certificate for all the servers in the farm, type:

      .\ReplaceDefaultCertificate.ps1 -thumbprint "certificate thumbprint"

      Where:

      • certificate thumbprint is the thumbprint of the CA signed certificate.

      If you use a server specific certificate, type:

      .\ReplaceDefaultCertificate.ps1 -certificateValidationMode ChainTrust -thumbprint "certificate thumbprint"

      Where:

      • certificate thumbprint is the thumbprint of the CA signed certificate.

  4. Start FAST Search Server 2010 for SharePoint on the administration server.

  5. On each non-administration server, follow these steps:

    1. On the Start menu, click All Programs.

    2. Click Microsoft FAST Search Server 2010 for SharePoint and then Microsoft FAST Search Server 2010 for SharePoint shell.

    3. At the command prompt, browse to installer\scripts under the installation folder.

    4. Type one of the following commands:

      If you use one certificate for all the servers in the farm, type:

      .\ReplaceDefaultCertificate.ps1 -thumbprint "certificate thumbprint"

      Where:

      • certificate thumbprint is the thumbprint of the CA signed certificate.

      If you use a server specific certificate, type:

      .\ReplaceDefaultCertificate.ps1 -certificateValidationMode ChainTrust -thumbprint "certificate thumbprint"

      Where:

      • certificate thumbprint is the thumbprint of the CA signed certificate.

  6. Start FAST Search Server 2010 for SharePoint on all non-administration servers.

The SharePoint Server where the Content SSA is running also needs a certificate that is signed by the same CA to feed documents to FAST Search Server 2010 for SharePoint:

  1. Install the CA signed certificate on SharePoint Server 2010 under Certificates(Local Computer)\Personal in the certificate store.

  2. Install the root CA certificate under Certificates(Local Computer)\Trusted Root Certification Authorities.

  3. Copy the script SecureFASTSearchConnector.ps1 from the FAST Search Server 2010 for SharePoint administration server to the SharePoint Server 2010 server that is running the FAST Search connector. The SecureFASTSearchConnector.ps1 script can be found in the installation folder, under \installer\scripts\.

  4. On the SharePoint Server 2010 server that is running the FAST Search connector, follow these steps:

    1. On the Start menu, click All Programs.

    2. Click Microsoft SharePoint 2010 Products.

    3. Right-click SharePoint 2010 Management Shell, and select Run as administrator.

    4. Browse to the directory where you copied the SecureFASTSearchConnector.ps1 script and run it, replacing the necessary parameters with the values for your environment. The domain and user name should reflect the details of the user running the SharePoint Server Search 14 service (OSearch14):

      • If you know the thumbprint of your certificate, type the following command:

        .\SecureFASTSearchConnector.ps1 -certThumbprint "certificate thumbprint" -ssaName "name of your content SSA" -username "domain\username"
        
      • If you do not know the thumbprint of your certificate, type the following command:

        .\SecureFASTSearchConnector.ps1 -ssaName "name of your content SSA" -username "domain\username"
        

        This command will return the thumbprint of the available certificates and a prompt asking whether you want to use the suggested certificate.

        Type y for yes, and then press ENTER.

Multiple server deployments

If you have configured the FAST Search Content SSA to use more than one crawl component, you must install the same CA signed certificate on each SharePoint Server 2010 server that has a crawl component.

  1. Make sure that the server has a certificate installed that is issued and signed by the same Certificate Authority as the certificate on the host server of the FAST Search Content SSA. The certificate must be installed under Certificates(Local Computer)\Personal in the certificate store. The root CA signed certificate must be installed under Certificates(Local Computer)\Trusted Root Certification Authorities.

  2. Grant the Search Service Application account (the account under which the SharePoint Server Search 14 service (OSearch14) runs) access to the private key of the imported certificate.

Replace the self-signed certificate with a new self-signed certificate

  1. Stop FAST Search Server 2010 for SharePoint on all servers in the farm, including the monitoring service.

  2. On the administration server:

    1. On the Start menu, click All Programs.

    2. Click Microsoft FAST Search Server 2010 for SharePoint.

    3. Right-click SharePoint 2010 Management Shell, and select Run as administrator.

    4. At the command prompt, browse to installer\scripts under the installation folder.

    5. Type the following command:

      .\ReplaceDefaultCertificate.ps1 -generateNewCertificate $true
      
    6. Enter a password for the certificate.

  3. Start FAST Search Server 2010 for SharePoint on the administration server.

  4. On each non-administration server:

    1. On the Start menu, click All Programs.

    2. Click Microsoft FAST Search Server 2010 for SharePoint.

    3. Right-click SharePoint 2010 Management Shell, and select Run as administrator.

    4. At the command prompt, browse to installer\scripts under the installation folder.

    5. Type the following command:

      .\ReplaceDefaultCertificate.ps1 -generateNewCertificate $true
      
    6. Enter the password that you defined for the certificate on the administration server.

  5. Start FAST Search Server 2010 for SharePoint on all non-administration servers.

The new self-signed certificate will expire after one year.

If FAST Search Server 2010 for SharePoint is already added as a back-end for SharePoint Server 2010, you must also redo the steps in Configure SSL enabled communication under Create and set up the Content Search Service Application (FAST Search Server 2010 for SharePoint).

Multiple server deployments

If you have configured the FAST Search Content SSA to use more than one crawl component, you must import the new self-signed certificate to each SharePoint Server 2010 server that has a crawl component.

  1. Import the new FASTSearchCert.pfx certificate in the certificate store under Certificates(Local Computer)\Personal.

  2. Grant the Search Service Application account (the account under which the SharePoint Server Search 14 service (OSearch14) runs) access to the private key of the imported certificate.
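Several steps in this article require granting an account access to a certificate's private key: the FAST Search user on each farm server, the Search Service Application account (OSearch14) on each crawl component server, and, in the query HTTPS procedure later on, the FASTSearchAdministrators group. The script below is an added example, not part of the product, that performs that grant from PowerShell and shows the resulting ACL so the change can be verified. It assumes a CryptoAPI (CSP) key, which is stored as a file under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys and whose file ACL is the private key ACL; the thumbprint and account names are placeholders to replace with your own values.

```powershell
# Added example (not a FAST Search Server 2010 for SharePoint script).
# Grants an account access to the private key of a LocalMachine\My certificate.

$thumbprint = "0000000000000000000000000000000000000000"   # placeholder: thumbprint of the imported certificate
$account    = "CONTOSO\svc_osearch14"                      # placeholder: account running OSearch14 (or the FAST Search user)
$rights     = "Read"                                       # use "FullControl" for the FASTSearchAdministrators group step

function Grant-PrivateKeyAccess {
    param([string]$Thumbprint, [string]$Account, [string]$Rights)

    # Thumbprints copied from the MMC Details tab often carry spaces; normalise them.
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $store.Close()
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; import the .pfx with its key" }

    # Assumption: CSP key. Its container file under MachineKeys carries the private key ACL.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile   = Join-Path (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys") $container
    if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

    # Add an Allow rule for the account; existing rules (SYSTEM, Administrators) are left untouched.
    $acl  = Get-Acl $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Print the ACL entries for the account so the grant can be verified immediately.
    $name = $Account.Split('\')[-1]
    (Get-Acl $keyFile).Access |
        Where-Object { $_.IdentityReference.Value -like "*$name*" } |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}

Grant-PrivateKeyAccess -Thumbprint $thumbprint -Account $account -Rights $rights
```

Run it elevated on the server where the certificate was imported. Granting Read is sufficient for a service account that only needs to use the key; reserve FullControl for the administrators group step, since full control also allows the key to be deleted or re-ACLed.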

Replacing the Query HTTPS certificate

This server-specific certificate is used to encrypt query traffic that uses HTTPS. For initial setup, see Enable HTTPS (optional).

Replace the query HTTPS certificate

To replace the query HTTPS certificate, follow these steps on each FAST Search Server 2010 for SharePoint query server:

  1. Import the new server-specific CA signed SSL certificate into the certificate store. The certificate must be saved under Certificates(Local Computer)\Personal.

    Grant the FASTSearchAdministrators group full access to the certificate, by using winhttpcertcfg or the Microsoft Management Console (MMC) Certificates snap-in.

    To grant access by using the MMC snap-in:

    1. Click Start, type mmc in the Search programs and files box, and then press ENTER.

    2. Right-click the certificate, click All tasks, and then click Manage Private Keys.

    3. Click Add, add the FASTSearchAdministrators group and select Full control.

  2. Delete the previous certificate binding from baseport+286:

    1. On the Start menu, click All Programs.

    2. Click Microsoft FAST Search Server 2010 for SharePoint.

    3. Right click Microsoft FAST Search Server 2010 for SharePoint shell and select Run as administrator.

    4. At the Windows PowerShell command prompt, type the following command(s):

      netsh http delete sslcert ipport=0.0.0.0:<baseport+286>

      Where:

      • <baseport+286> is the actual port number.

  3. Configure the query server to use the new certificate on baseport+286:

    1. At the Windows PowerShell command prompt, type the following command(s):

      netsh http add sslcert ipport=0.0.0.0:<baseport+286> appid={a5455c78-6489-4e13-b395-47fbdee0e7e6} certhash=<Cert_Thumbprint>

      Where:

      • <Cert_Thumbprint> is the thumbprint of the new certificate.

      • <baseport+286> is the actual port number.
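The following script is an added example, not part of the product, that wraps the two netsh commands from steps 2 and 3: it computes the port from the farm base port, checks that the new certificate exists with a private key before touching the binding, removes any existing binding, adds the new one with the application ID given above, and reads the binding back to confirm the port now carries the new thumbprint. It assumes it is run elevated in the FAST Search shell on the query server; $basePort uses 13000 as a placeholder (the installer default) and the thumbprint is a placeholder to replace.

```powershell
# Added example (not a FAST Search Server 2010 for SharePoint script).
# Re-binds the query HTTPS port (baseport+286) to a new certificate and verifies it.

$basePort      = 13000                                       # placeholder: your farm's base port
$newThumbprint = "0000000000000000000000000000000000000000"  # placeholder: new certificate thumbprint
$appId         = "{a5455c78-6489-4e13-b395-47fbdee0e7e6}"    # application ID from the procedure above
$ipPort        = "0.0.0.0:" + ($basePort + 286)

# Refuse to bind a certificate that is not in LocalMachine\My with its private key;
# http.sys would accept the command and then fail TLS handshakes at run time.
$newThumbprint = ($newThumbprint -replace '\s', '').ToUpper()
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $newThumbprint }
if (-not $cert) { throw "Certificate $newThumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $newThumbprint has no private key" }

function Get-BoundThumbprint([string]$IpPort) {
    # netsh prints 'Certificate Hash : <hex>' when a binding exists, an error text otherwise.
    $hash = $null
    foreach ($line in (netsh http show sslcert ipport=$IpPort)) {
        if ($line -match "Certificate Hash\s*:\s*([0-9a-fA-F]+)") { $hash = $matches[1].ToUpper() }
    }
    return $hash
}

$previous = Get-BoundThumbprint $ipPort
if ($previous) {
    Write-Host "Removing existing binding on $ipPort (thumbprint $previous)"
    netsh http delete sslcert ipport=$ipPort | Out-Null
}

netsh http add sslcert ipport=$ipPort certhash=$newThumbprint appid=$appId | Out-Null

# Verify by reading the binding back rather than trusting netsh's exit text.
$bound = Get-BoundThumbprint $ipPort
if ($bound -eq $newThumbprint) {
    Write-Host "OK: $ipPort is bound to $newThumbprint"
} else {
    throw "Binding on $ipPort shows '$bound', expected $newThumbprint"
}
```

Keep the thumbprint printed for the previous binding until queries over HTTPS have been confirmed working from SharePoint, so the old binding can be restored quickly if the new certificate is rejected.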

In addition, if the new certificate was not signed by the same certification authority (CA) as the previous certificate, you must add the CA certificate to the SharePoint Server:

On SharePoint Server 2010:

  1. Enable a trust relationship in SharePoint Server for the SSL certificate(s) that you created for each FAST Search Server 2010 for SharePoint query server. Do this by importing the public certificate of the signing authority of the SSL Certificate(s) into SharePoint Server 2010:

    1. On the Start menu, click All Programs.

    2. Click Microsoft SharePoint 2010 Products.

    3. Right-click SharePoint 2010 Management Shell, and select Run as administrator.

    4. At the command prompt, type the following command(s):

      $trustCert = Get-PfxCertificate '<SSL_CA_Public_Cert>.cert'
      New-SPTrustedRootAuthority "FASTSearchHostQuerySSLCert" -Certificate $trustCert

      Where:

      • <SSL_CA_Public_Cert> is the name of the certificate from the signing authority of the SSL certificate(s)
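A frequent mistake at this step is to export the query server's own SSL certificate instead of the public certificate of the CA that signed it. The script below is an added example, not part of the product: part 1 runs on a query server, builds the chain of the new HTTPS certificate and exports only the public part of the CA at the top of that chain to a .cer file (no private key leaves the server); part 2 runs in the SharePoint 2010 Management Shell after the file has been copied over, registers it with the same New-SPTrustedRootAuthority command as above, and reads the entry back with Get-SPTrustedRootAuthority to confirm the trusted thumbprint matches. The thumbprint and file path are placeholders.

```powershell
# Added example (not a FAST Search Server 2010 for SharePoint script).

# ---- Part 1: on the FAST Search query server ----
$sslThumbprint = "0000000000000000000000000000000000000000"   # placeholder: thumbprint of the query HTTPS certificate
$exportPath    = "C:\temp\FASTQuerySSL_CA.cer"                 # placeholder: where to write the CA public certificate

$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $sslThumbprint }
if (-not $leaf) { throw "Certificate $sslThumbprint not found in LocalMachine\My" }

# The chain must already build on the query server; otherwise the CA certificate
# has not been installed under Trusted Root Certification Authorities yet.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($leaf)) { throw "Chain for $sslThumbprint does not build; install the CA certificate first" }

# The last chain element is the root CA. Export its public certificate only (DER .cer).
$rootCa = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$bytes  = $rootCa.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $bytes)
Write-Host "Exported CA '$($rootCa.Subject)' (thumbprint $($rootCa.Thumbprint)) to $exportPath"

# ---- Part 2: on SharePoint Server 2010, after copying the .cer file ----
$trustCert = Get-PfxCertificate $exportPath
New-SPTrustedRootAuthority "FASTSearchHostQuerySSLCert" -Certificate $trustCert

# Read the registration back and compare thumbprints instead of assuming success.
$registered = Get-SPTrustedRootAuthority -Identity "FASTSearchHostQuerySSLCert"
if ($registered.Certificate.Thumbprint -eq $trustCert.Thumbprint) {
    Write-Host "OK: SharePoint trusts CA $($trustCert.Thumbprint)"
} else {
    throw "SharePoint trusts '$($registered.Certificate.Thumbprint)', expected $($trustCert.Thumbprint)"
}
```

If an entry named FASTSearchHostQuerySSLCert already exists from the previous CA, New-SPTrustedRootAuthority fails; remove it first with Remove-SPTrustedRootAuthority and then re-run part 2, so that SharePoint ends up trusting only the CA currently in use.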

Replacing the claims certificate

The claims certificate enables item level security trimming on queries. To replace this certificate, repeat the steps listed under Configure claims authentication.