TLS certificates
A ShareAspace installation requires at least two TLS certificates:
- one for the Application server
- one for ShareAspace web / Reverse proxy (HTTPS) when deployed on the same machine
If External Extension(s) are used and installed on different machines, those need to be configured for HTTPS and therefore also use certificates.
Those certificates can be issued:
- by your corporation
- by a third party certificate authority (for an installation that needs to be accessible from the public internet for instance)
- manually using Windows PowerShell (we will give details for this below).
There are many different types of certificates. Any type of certificate will work as long as you can obtain its thumbprint to use in the various configuration files of the ShareAspace components:
- Self-signed certificate (e.g. for a test installation)
- Domain certificate (e.g. for a corporate installation)
- Registered certificate (e.g. issued by a third party authority, for an installation accessible from the public internet)
The application server and identity server certificates are not required to be third party certificates since those endpoints will never be exposed publicly.
No matter which method you use to obtain the certificates, you should be able to obtain their corresponding thumbprints. Keep those in a safe place, as you will need them in the various configuration files of the ShareAspace components, as mentioned above:
ShareAspace Component | FQDN | Certificate Thumbprint | File
---|---|---|---
Host (application server) | sashost.machine.net | D8F6C2870C8A9B9DCF0FC072EC7B493B94043F02 | myCertificate0.cer
Web | sasweb.machine.net | C7F7A2870C8A9B9DCF0FC072EC7B493B94043F02 | myCertificate1.cer
Note
When setting up a single machine installation of ShareAspace the host should not be exposed and there is no need to use the FQDN for the host. Instead, localhost can be used. The host will however still need a certificate.
Creating a Self-Signed certificate using Windows PowerShell
The following method is a quick way of getting a TLS certificate if you do not have one.
Note
This can also be done in Microsoft Internet Information Services (IIS) Manager.
Open Windows PowerShell as Administrator and type the following command:
New-SelfSignedCertificate -DnsName "<FQDN>" -CertStoreLocation "cert:\LocalMachine\My" -Subject "<Subject>"
Where:
- <FQDN> is to be replaced by the fully qualified name of the server that will host the certificate (for instance: my.machine.net).
- <Subject> is to be replaced by an identifiable subject for the certificate (for instance: ShareAspaceHost).
This command will produce output similar to:
New-SelfSignedCertificate -DnsName "my.machine.net" -CertStoreLocation "cert:\LocalMachine\My"
Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint Subject
---------- -------
FE332881279866C4B1715F45C9661B3D9EB7C7C7 CN=my.machine.net
Copy and keep the certificate thumbprint (here: FE332881279866C4B1715F45C9661B3D9EB7C7C7).
To save the certificate to a file, use the following Windows PowerShell commands:
$cert = (Get-ChildItem -Path cert:\LocalMachine\My\<THUMBPRINT>)
Export-Certificate -Cert $cert -FilePath myCertificate1.cer
Where <THUMBPRINT> is to be replaced by the thumbprint copied previously.
Warning
A self-signed certificate must be registered in the Trusted Root Certification Authorities (including the keys) on all machines that will make any kind of API calls to the IIS on that machine, including the machine to which the certificate applies.
Warning
A self-signed certificate needs to be registered in the Trusted Root Certification Authorities on all machines that will make any kind of API calls to the ShareAspace Host, including the machine to which the certificate applies.
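As an added example (not part of the ShareAspace documentation), the PowerShell steps above combined into one script run from an elevated session: it creates the self-signed certificate, reads the thumbprint from the object the cmdlet returns instead of copying it from the console, exports the public certificate to a .cer file and registers that file in Trusted Root Certification Authorities on the local machine. The FQDN, subject and file name are placeholders to replace with your own values.

```powershell
# Added example, not from the ShareAspace documentation.
# Placeholder values (assumptions): replace with your own FQDN, subject and file name.
$Fqdn    = 'my.machine.net'
$Subject = 'CN=ShareAspaceHost'
$CerFile = Join-Path $env:TEMP 'myCertificate1.cer'

# New-SelfSignedCertificate returns the X509Certificate2 object, so the
# thumbprint can be read directly instead of copied from the console output.
$cert = New-SelfSignedCertificate -DnsName $Fqdn `
    -CertStoreLocation 'cert:\LocalMachine\My' -Subject $Subject
$thumbprint = $cert.Thumbprint
Write-Host "Thumbprint to put in the ShareAspace configuration: $thumbprint"

# Export-Certificate writes a DER-encoded .cer that contains only the public
# certificate; the private key stays in LocalMachine\My on this server.
Export-Certificate -Cert $cert -FilePath $CerFile | Out-Null

# Register the public certificate in Trusted Root Certification Authorities so
# that callers on this machine trust it. Copy the .cer file to every other
# machine that will call the host or IIS over HTTPS and run the same
# Import-Certificate command there.
Import-Certificate -FilePath $CerFile -CertStoreLocation 'cert:\LocalMachine\Root' | Out-Null

# Check: the same thumbprint is now present in both stores.
foreach ($store in 'My', 'Root') {
    $path = "cert:\LocalMachine\$store\$thumbprint"
    if (-not (Test-Path $path)) { throw "Certificate $thumbprint not found in $path" }
}
Write-Host "Certificate $thumbprint present in LocalMachine\My and LocalMachine\Root"
```

The script must run as Administrator because it writes to the LocalMachine stores. Only the .cer file needs to travel to the other machines; the private key never leaves the server on which the certificate was created.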
Creating a domain certificate using IIS
Open the Microsoft Internet Information Services (IIS) Manager.
- On the menu on the left, click the root of your server. Then, under the IIS group of icons, double click on Server Certificates.
- On the menu on the right, click Create Domain Certificate.
- Fill in the form, especially the Common Name, as follows. Click Next.
  - Common name: FQDN, for example: machine1.domain.net
- Fill in the next form as follows:
  - Certification Authority: CA server, for example: essesrv101-CA\essesrv101
  - Friendly name: FQDN, for example: machine1.domain.net
- If the certification authority server has issued the domain certificate correctly you should see it in the list of Server Certificates displayed in IIS.
- Double click on the issued certificate, click on the Details tab, scroll down and click on Thumbprint, copy the value and keep it.
- Save the certificate to a .cer file by clicking on Copy to File... and following the wizard.
Warning
When copying the thumbprint there is a hidden leading character that must be removed. You will also have to remove all spaces within the thumbprint.
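As an added example (not part of the ShareAspace documentation), a small PowerShell helper that normalises a thumbprint pasted from the certificate Details dialog: it removes the invisible leading character (in practice a Unicode left-to-right mark, U+200E) and all spaces, upper-cases the result and checks that a 40-digit SHA-1 thumbprint is left before it goes into a configuration file. The sample pasted value is constructed for the example.

```powershell
# Added example, not from the ShareAspace documentation.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Raw)
    # Keep only hexadecimal digits: this drops the hidden leading mark, the
    # spaces and any other separator. Then normalise to upper case, which is
    # how the cert: provider and IIS display thumbprints.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40 hex-digit SHA-1 thumbprint, got $($clean.Length) characters"
    }
    return $clean
}

# Constructed sample: what the clipboard typically holds after copying from
# the Details tab, a U+200E mark followed by space-separated hex pairs.
$pasted = "$([char]0x200E)" + 'fe 33 28 81 27 98 66 c4 b1 71 5f 45 c9 66 1b 3d 9e b7 c7 c7'
$thumbprint = ConvertTo-CleanThumbprint $pasted
Write-Host "Clean thumbprint: $thumbprint"   # FE332881279866C4B1715F45C9661B3D9EB7C7C7

# Confirm the cleaned value resolves to a certificate in the store before
# using it in a ShareAspace configuration file.
$path = "cert:\LocalMachine\My\$thumbprint"
if (Test-Path $path) {
    Write-Host "Found certificate: $((Get-Item $path).Subject)"
} else {
    Write-Warning "No certificate with thumbprint $thumbprint in LocalMachine\My"
}
```

A thumbprint that still carries the hidden character looks identical on screen but is 41 characters long and will not match any certificate, so the length check catches the mistake before the configuration is deployed.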
Note
Certification authority server
To be able to create a domain certificate on a Windows Server you need to point to a machine that is a Certificate Authority. Usually there is already one in large corporations, but if you don't have one, your installation is most likely for testing purposes and you can therefore use a self-signed certificate.
If you really want to create a domain certificate, you can give the role of Certification Authority to one of your servers, as long as it is accessible from the machine the domain certificate will be created on.
The documentation for adding this type of role to a Windows Server can be found easily on the internet.
Here is a quick description of how to set up a server as a Standalone Certification Authority.
Choose the Windows Server to which you want to give the role of Certificate Authority and follow the steps below:
- Open Server Manager, click Add Roles and Features, click Next three times, and click Active Directory Certificate Services. Click Add Features if asked. Click Next three times.
- On the Select Role Services page, click Certification Authority. Click Next.
- On the Confirm Installation Selections page, click Install.
- When the installation is done, click Close.
- In Server Manager you will receive a notification indicating that a Post-deployment Configuration is required for AD CS; open it.
- On the Credentials page, select a local administrator. Click Next.
- On the Role Services page, click Certification Authority. Click Next.
- On the Setup Type page, click Standalone CA. Click Next.
- On the CA Type page, click Root CA. Click Next.
- On the Private Key page, click Create a new private key. Click Next.
- On the Cryptography for CA page, select a cryptographic service provider, key length, and hash algorithm (this can be left at the default values). Click Next.
- On the Configure CA Name page, create a unique name to identify the CA. Click Next.
- On the Set Validity Period page, specify the number of years or months that the root CA certificate will be valid. Click Next.
- On the Configure Certificate Database page, accept the default locations unless you want to specify a custom location for the certificate database and certificate database log. Click Next.
- On the Confirm Installation Options page, review all of the configuration settings that you have selected. If you want to accept all of these options, click Configure and wait until the setup process has finished. Click Close.
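As an added example (not part of the ShareAspace documentation), the same standalone root CA setup performed from an elevated PowerShell session with the ADCSDeployment cmdlets instead of the Server Manager wizard. The CA name, key length, hash algorithm and validity period are assumptions chosen for the example; the database and log directories are left at their defaults as in the wizard.

```powershell
# Added example, not from the ShareAspace documentation.
# Assumption: a CA common name of your choosing.
$CaName = 'Corp-Test-Root-CA'

# Equivalent of Add Roles and Features -> Active Directory Certificate
# Services -> Certification Authority (plus the management tools).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Equivalent of the Post-deployment Configuration wizard: Standalone CA,
# Root CA, new private key, explicit cryptography settings and a 10-year
# validity period. Certificate database and log stay at the default paths.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# Check: the CA service is running and the self-signed root CA certificate
# was placed in the local Trusted Root Certification Authorities store.
Get-Service CertSvc | Select-Object Status, Name
Get-ChildItem cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$CaName*" } |
    Select-Object Thumbprint, Subject, NotAfter
```

The root CA certificate listed by the last command is the one the other machines need in their Trusted Root Certification Authorities store so that domain certificates issued by this CA are trusted.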
Configuring WebSite to use TLS/HTTPS in IIS
This procedure assumes that it is executed on a Windows Web server type of machine according to the specification given here, and where a TLS certificate for the Web has already been registered.
Open the Microsoft Internet Information Services (IIS) Manager.
- On the menu on the left, right-click the Web site (Default Web Site) for which you want to configure TLS communication, and then click Edit Bindings.... If HTTPS is already on you should see it; then either edit it or close the window.
- If HTTPS is not already on, then click the Add button and set the following fields:
- Type = https
- IP address = All Unassigned
- Port = 443
- SSL certificate = choose the registered certificate corresponding to the web machine above.
- Click Ok and then Close.
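As an added example (not part of the ShareAspace documentation), the HTTPS binding above created with the WebAdministration module on the web server, followed by a TLS handshake against the site to confirm that IIS presents the expected certificate and that it is trusted. The site name, FQDN and thumbprint are placeholders (the thumbprint is the Web row from the table earlier on this page); replace them with your own values.

```powershell
# Added example, not from the ShareAspace documentation. Run as Administrator.
Import-Module WebAdministration

# Placeholder values (assumptions): replace with your own.
$SiteName   = 'Default Web Site'
$Fqdn       = 'sasweb.machine.net'
$Thumbprint = 'C7F7A2870C8A9B9DCF0FC072EC7B493B94043F02'

# Type = https, IP address = All Unassigned ('*'), Port = 443.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}

# SSL certificate = the registered web certificate. IIS needs the private
# key, so the certificate must come from LocalMachine\My, not from a .cer.
$cert = Get-Item "cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; IIS cannot use it" }
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
$cert | New-Item $sslPath | Out-Null

# Check: complete a TLS handshake and compare the certificate IIS presents
# with the expected thumbprint. AuthenticateAsClient throws when the
# certificate is not trusted on this machine, which is exactly the case the
# Trusted Root Certification Authorities warnings above describe.
$tcp = [System.Net.Sockets.TcpClient]::new($Fqdn, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream())
try {
    $ssl.AuthenticateAsClient($Fqdn)
    $presented = $ssl.RemoteCertificate.GetCertHashString()
    if ($presented -ne $Thumbprint) { throw "IIS presented $presented, expected $Thumbprint" }
    Write-Host "HTTPS binding OK: $Fqdn presents $presented over $($ssl.SslProtocol)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Running the handshake check from a second machine that will call the web server is a quick way to confirm that the certificate (or, for a domain certificate, its issuing CA) has been registered there as the warnings require.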