Sitecore 9: Create Certificate for Server 2012 and Windows 8.1

A known issue of the Sitecore 9 installation is the creation of a Self-Signed-Certificate for XConnect. The provided solution with “xconnect-createcert.json” is not working on Windows Server 2012 & Windows 8.1

Lock in front of abstract futuristic electronic circuit board with binary code
Lock in front of abstract futuristic electronic circuit board with binary code

The workaround in the documentation for Sitecore 9 Update-1 & 2 is to create the certificate manually.

Important When you install the xConnect configurations on IIS 8.5 - Windows 2012 R2 or Windows 8.1, you cannot use the xconnect-createcert.json configuration file to generate a self-signed client certificate for xConnect. You must provide a certificate for the installation Sitecore 9u2 documentation

If you install Sitecore 9 once or twice it is ok. But it is a pain if you have to install it more often.

So, I created my own powershell script to create a Self-Signed-Certificate.

Keytool to create certificate

As a part of the solr installation you must install Java Runtime Environment (JRE). There you have the keytool.exe which I used to create the certificate.

This is what I used: Java jre8 downloads

The Keytool is located under “C:\Program Files\Java\jre1.8.0_151\bin\keytool.exe” or in the Environment Variable “JAVA_HOME” when you installed Java as recommended.

My function to create the certificate looks like this:

function Create-Key($KeyToolPath, $KeyName, $CertPassword)
{
    $keytoolOK = Test-Path $KeyToolPath
    if ($keytoolOK)
    {
      $cmdCreate = "& '$KeyToolPath' -genkeypair -alias " + $KeyName + " -keyalg RSA -keysize 2048 -keypass " + $CertPassword +" -storepass " + $CertPassword +" -validity 9999 -keystore " + $KeyName + ".keystore.jks -ext SAN=DNS:" + $KeyName + ",IP:127.0.0.1 -dname 'CN=" + $KeyName + ", OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country' -noprompt *>&1"

      $Create = Invoke-Expression -Command $cmdCreate -ErrorVariable KeyToolStdOut -OutVariable KeyToolStdErr -ErrorAction Continue


      $cmdConvert = "& '$KeyToolPath' -importkeystore -srckeystore " + $KeyName + ".keystore.jks -destkeystore " + $KeyName + ".keystore.p12 -srcstoretype jks -deststoretype pkcs12 -keypass " + $CertPassword +" -storepass " + $CertPassword +" -srcstorepass " + $CertPassword +" -noprompt *>&1"

      $Convert = Invoke-Expression -Command $cmdConvert -ErrorVariable KeyToolStdOut2 -OutVariable KeyToolStdErr2 -ErrorAction Continue
    }
    else
    {
        throw 'Keytool is not available'
    }
}

It will create 2 files in C:\certificates\… or wherever you have set the “CertPath” to.

Certificates

Import the certificate

After I created the certificate I had to import it into my Windows. For this I used the .Net library System.Security.Cryptography.X509Certificates. With this library I was able to import the certificates to the store My/localmachine and Root/localmachine.

Below is the function which imports the certificate to the stores:

function ImportEASCert($strCertPath, $strCertPass)
{
    $fOk = Test-Path "$strCertPath"
    if ($fOk)
    {
        $cert = New-Object  System.Security.Cryptography.X509Certificates.X509Certificate2

        $store = New-Object system.security.cryptography.X509Certificates.X509Store "My", "localmachine"

        $storeRoot = New-Object system.security.cryptography.X509Certificates.X509Store "Root", "localmachine"

        $absolutePfxFilePath = Resolve-Path -Path $strCertPath

        Write-Host "Importing store certificate '$absolutePfxFilePath'..."

        try
        {
            $cert.Import($absolutePfxFilePath, $strCertPass, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"Exportable, PersistKeySet")
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

            $storeRoot.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

            $store.Add($cert)
            Write-Host "Added Certificate to My/LocalMachine"
            $storeRoot.Add($cert)
            Write-Host "Added Certificate to Root/LocalMachine"
            $cert

            $store.Close()
        }
        catch
        {
            throw "Could not Import certificates"
        }
    }
    else
    {
        throw "Certificates not available in $CertPath"
    }
}

Call the script

In the install.ps1 script from SIF you have a part like this:

$certParams = @{
  Path = "C:\myinstallpath\xconnect-createcert.json"
  CertificateName = "xConnectCollectionClient"
  }
  Install-SitecoreConfiguration @certParams -Verbose

Replace it with:

. c:\Location of the script\certInstall_srv2012.ps1

####################################################
#Change the value of this Params for your environment
####################################################
$certParams = @{
CertPath = "C:\certificates\"
KeyTool = "C:\Program Files\Java\jre1.8.0_151\bin\keytool.exe"
prefix = "Test123" #or use the $prefix from SIF install script
Password = "secret"
}
####################################################
$CertificateName = Create-SslCertification $certParams

Use the $CertificateName for XConnectCert/SSLCert in the part of #deploy xconnect instance and #install sitecore instance In the SIF install script to provide the installed certificate like this:

#deploy xconnect instance
$xconnectParams = @{
Path = "$PSScriptRoot\xconnect-xp0.json"
Package = "$PSScriptRoot\Sitecore 9.0.2 rev. 180604 (OnPrem)_xp0xconnect.scwdp.zip"
LicenseFile = "$PSScriptRoot\license.xml"
XConnectCert = $CertificateName
SSLCert = $CertificateName
...
#install sitecore instance
$sitecoreParams = @{
XConnectCert = $CertificateName
...

Download

Download the full script certInstall_srv2012.ps1

This script helps us a lot because we and many of our customers have Server 2012 R2. I hope it helps you also for the installation, so that you don’t have to worry about the certificates for xconnect anymore.

VIU AGRennweg 388001 ZürichCH-Switzerland+41 44 500 96 76
Imprint