Issues replacing self-signed certificate with certificate from my CA

  • Question

  • I have successfully configured the FS4SP in my farm environment with the self-signed certificate provided by FAST. However, when I try to replace the certificate with the certificate from my CA, I get an error. The TechNet deployment article "Manage certificates" says that the following requirements should apply:

    • The subject name or subject alternative name (SAN) field must contain the fully qualified domain name (FQDN) of the server that the certificate is issued to. This is required to support queries over HTTPS and administration services over HTTPS.
    • The certificate that is issued to SharePoint Server 2010 must have the same issuer as the certificates that are issued to servers in the FAST Search Server 2010 for SharePoint farm.
    • The FAST Search Server 2010 for SharePoint user must have access to the private key of the certificate.
    • The certificate must support private key exchange.
    I got a general-purpose certificate from my CA. I verified that I can install my certificate on the FAST servers without issues. This implies that I have access to the private keys. The issuing authority is also the same for the certificate. However, I could not understand the other two points.

    About the subject name: since it's a general-purpose certificate, I named it FASTSearchCertificate and am using the same certificate across the FAST and SP2010 servers. Is that correct?

    The last point defines that the certificate should support private key exchange. I did not understand this. Is there a way I can test my certificate is ok to use with FS4SP? I ran the command

     .\securefastsearchconnector.ps1 -certThumbprint "xx xx xx xx xx ..." -ssaName "my SSA" -username "domain\user"

    and it returned the error

    Connection to contentdistributor mydomain.com:13391 could not be validated. Check your certificates and ssa configuration and make sure that instance of FAST Search Server backend is running.

    Any help?

    Friday, July 27, 2012 9:05 AM

All replies

  • Your error is:

    .\SecureFASTSearchConnector.ps1 -certThumbprint "xx xx xx xx xx ..." -ssaName "my SSA" -username "domain\user"

    Returns: connection to contentdistributor mydomain.com:13391 could not be validated. Check your certificates and ssa configuration and make sure that instance of FAST Search Server backend is running.

    For me when using:

    .\SecureFASTSearchConnector.ps1 -ssaName "name of your content SSA" -username "domain\username"

    Returns: No valid certificate found to configure your SSA. Exiting.

    I ended up calling MS Support and they clued me in that they have had a problem before with using an Enhanced Key Usage of Client Authentication on the FAST Search Server.  I went back and reviewed my certs and found that since I had used a pre-existing certificate on the SharePoint Server hosting the SSA, the certificate only had the Enhanced Key Usage of Server Authentication defined.  It worked once I had a certificate using both Client and Server Authentication.

    So the certificate configuration is very important in this case and should be configured as follows (to my knowledge):

    Both certificates require the ability for key exchange.

    FAST Certificate:

    Enhanced Key Usage - Server Authentication (at least, could need Client Authentication if it needs it for other functions)

    Key Usage - Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)

    SharePoint Server Certificate:

    Enhanced Key Usage - Server Authentication and Client Authentication

    Key Usage - Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)

    Application Policies: Server Authentication and Client Authentication (not sure if this is a requirement, just what I used to get it going, I will test without this on the next stage, but don't have time just now.)



    • Proposed as answer by AbeSundstrom Thursday, February 7, 2013 3:53 PM
    • Edited by AbeSundstrom Thursday, February 7, 2013 3:55 PM
    Thursday, February 7, 2013 2:12 PM
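The following script is an added example, not code from this thread, from the FS4SP product or from SecureFASTSearchConnector.ps1. It reads one certificate out of LocalMachine\My and reports the properties the question and the reply above turn on: whether the FQDN is in the Subject or SAN, the issuer (so the value can be compared between the SharePoint and FAST servers), the Server/Client Authentication EKUs, the Key Usage byte (the "f0" quoted above), and whether the private key is an AT_KEYEXCHANGE CSP key whose key file the FAST service account can read. The thumbprint, FQDN and account name are placeholders. It assumes a CAPI (CSP) RSA key, which is what a "general purpose" template usually issues; for a CNG key the private-key section will only warn. Run it as administrator in Windows PowerShell 3.0 or later on the server that holds the certificate.

```powershell
# Added example: check one LocalMachine\My certificate against the FS4SP requirements
# quoted in the thread. Not part of the product; all names below are placeholders.
function Test-Fs4spCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)] [string]$Thumbprint,    # may contain the spaces certmgr shows
        [Parameter(Mandatory=$true)] [string]$ExpectedFqdn,  # FQDN of the server the cert is issued to
        [string]$FastUser = 'CONTOSO\svc-fast'               # placeholder: FAST service account
    )

    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert  = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop

    # --- Subject or SAN must carry the FQDN (certs named "FASTSearchCertificate" fail this) ---
    $sanNames = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Format($true) renders lines such as "DNS Name=fast01.contoso.local"
        $sanNames = @([regex]::Matches($sanExt.Format($true), 'DNS Name=([^\r\n,]+)') |
                      ForEach-Object { $_.Groups[1].Value.Trim() })
    }
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $fqdnOk = ($cn -ieq $ExpectedFqdn) -or ($sanNames -icontains $ExpectedFqdn)

    # --- Enhanced Key Usage: Server Authentication and Client Authentication ---
    $ekuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $serverAuth = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
    $clientAuth = $ekuOids -contains '1.3.6.1.5.5.7.3.2'

    # --- Key Usage: DigitalSignature(0x80)|NonRepudiation(0x40)|KeyEncipherment(0x20)|DataEncipherment(0x10) = 0xF0 ---
    $kuExt   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $kuFlags = if ($kuExt) { [int]$kuExt.KeyUsages } else { 0 }
    $kuOk    = (($kuFlags -band 0xF0) -eq 0xF0)

    # --- Private key: must exist, be an AT_KEYEXCHANGE key, and be readable by the FAST account ---
    $keyExchange = $false; $exportable = $false; $keyFile = $null; $fastRights = $null
    if ($cert.HasPrivateKey) {
        try {
            $csp = $cert.PrivateKey.CspKeyContainerInfo    # CSP keys only; CNG keys land in the catch
            if (-not $csp) { throw 'no CSP container info (CNG key or no access to the key)' }
            $keyExchange = ($csp.KeyNumber -eq [System.Security.Cryptography.KeyNumber]::Exchange)
            $exportable  = $csp.Exportable
            # Machine key blobs live under ProgramData\Microsoft\Crypto; the file ACL is what
            # "the FAST user must have access to the private key" comes down to.
            $keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse `
                           -Filter $csp.UniqueKeyContainerName -ErrorAction SilentlyContinue |
                       Select-Object -First 1
            if ($keyFile) {
                $fastRights = (Get-Acl $keyFile.FullName).Access |
                    Where-Object { $_.IdentityReference.Value -ieq $FastUser } |
                    ForEach-Object { $_.FileSystemRights.ToString() }
            }
        } catch {
            Write-Warning "Private key details unavailable: $($_.Exception.Message)"
        }
    }

    # --- Issuer: build the chain offline and report the issuing cert's thumbprint for comparison ---
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $issuerThumb = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate.Thumbprint } else { $null }

    [pscustomobject]@{
        Thumbprint           = $cert.Thumbprint
        SubjectCN            = $cn
        SanDnsNames          = $sanNames
        FqdnInSubjectOrSan   = $fqdnOk
        Issuer               = $cert.Issuer
        IssuerThumbprint     = $issuerThumb      # must match on the SharePoint and FAST servers
        ChainBuilds          = $chainOk
        EkuServerAuth        = $serverAuth
        EkuClientAuth        = $clientAuth
        KeyUsageHex          = ('{0:x2}' -f $kuFlags)
        KeyUsageHasF0        = $kuOk
        HasPrivateKey        = $cert.HasPrivateKey
        KeySpecIsExchange    = $keyExchange
        PrivateKeyExportable = $exportable
        KeyFile              = $keyFile.FullName
        FastUserKeyRights    = $fastRights
    }
}

# Usage with placeholder values; paste the thumbprint exactly as certmgr.msc shows it.
Test-Fs4spCertificate -Thumbprint 'a1 b2 c3 d4 e5 f6 a1 b2 c3 d4 e5 f6 a1 b2 c3 d4 e5 f6 a1 b2' `
                      -ExpectedFqdn 'fast01.contoso.local' -FastUser 'CONTOSO\svc-fast' | Format-List
```

Run it once on the SharePoint server against the SSA's certificate and once on each FAST server against its certificate: IssuerThumbprint should be identical everywhere, EkuClientAuth and EkuServerAuth should both be True on the SharePoint side, KeySpecIsExchange should be True, and FastUserKeyRights should show at least Read for the FAST account. A False in FqdnInSubjectOrSan is exactly what a generically named certificate produces and explains the "could not be validated" message when the connector tries to verify the content distributor by host name.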
  • I am brought to this thread by searching "The certificate that is issued to SharePoint Server 2010 must have the same issuer as the certificates that are issued to servers in the FAST Search Server 2010 for SharePoint farm"

    I also do not understand this very well. By default, the SharePoint farm uses a self-signed certificate with "SharePoint Root Authority" as the issuer. Does it mean that I need to change the three certificates in the SharePoint folder of the certificate store that are issued by SharePoint Root Authority, as described in https://blogs.msdn.microsoft.com/besidethepoint/2010/11/30/sharepoint-2010-certificates-and-certificate-authority/   and  https://technet.microsoft.com/en-us/library/dn551378.aspx ?

    Wednesday, May 31, 2017 8:21 AM