Sitecore 9: Create Certificate for Server 2012 & Win 8.1


A known issue of the Sitecore 9 installation is the creation of a self-signed certificate for xConnect. The provided solution with “xconnect-createcert.json” does not work on Windows Server 2012 & Windows 8.1.

The workaround in the documentation for Sitecore 9 Update-1 & 2 is to create the certificate manually.

Important: When you install the xConnect configurations on IIS 8.5 - Windows 2012 R2 or Windows 8.1, you cannot use the xconnect-createcert.json configuration file to generate a self-signed client certificate for xConnect. You must provide a certificate for the installation. (Sitecore 9u2 documentation)

If you install Sitecore 9 only once or twice, this is fine. But it becomes a pain if you have to install it more often.

So I created my own PowerShell script to create a self-signed certificate.

Keytool to create the certificate

As part of the Solr installation you must install the Java Runtime Environment (JRE). It ships keytool.exe, which I used to create the certificate.

This is what I used: Java jre8 downloads

The keytool is located under “C:\Program Files\Java\jre1.8.0_151\bin\keytool.exe” or in the environment variable “JAVA_HOME” when you installed Java as recommended.

My function to create the certificate looks like this:


function Create-Key($KeyToolPath, $KeyName, $CertPassword)
{
    $keytoolOK = Test-Path $KeyToolPath
    if ($keytoolOK)
    {
      # 1. Generate an RSA 2048 key pair with a self-signed certificate in a JKS keystore.
      #    The keystore path is relative, so the files land in the current location (CertPath).
      #    -ext SAN puts the key name (DNS) and 127.0.0.1 into the Subject Alternative Name,
      #    -dname sets the subject with CN = key name.
      $cmdCreate = "& '$KeyToolPath' -genkeypair -alias " + $KeyName + " -keyalg RSA -keysize 2048 -keypass " + $CertPassword +" -storepass " + $CertPassword +" -validity 9999 -keystore " + $KeyName + ".keystore.jks -ext SAN=DNS:" + $KeyName + ",IP:127.0.0.1 -dname 'CN=" + $KeyName + ", OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country' -noprompt *>&1"

      # keytool writes its messages to stderr; -OutVariable collects the output stream,
      # -ErrorVariable collects the error records (the two names were swapped before)
      $Create = Invoke-Expression -Command $cmdCreate -ErrorVariable KeyToolStdErr -OutVariable KeyToolStdOut -ErrorAction Continue

      # 2. Convert the JKS keystore to PKCS#12 (.p12), the format the Windows certificate store imports.
      $cmdConvert = "& '$KeyToolPath' -importkeystore -srckeystore " + $KeyName + ".keystore.jks -destkeystore " + $KeyName + ".keystore.p12 -srcstoretype jks -deststoretype pkcs12 -keypass " + $CertPassword +" -storepass " + $CertPassword +" -srcstorepass " + $CertPassword +" -noprompt *>&1"

      $Convert = Invoke-Expression -Command $cmdConvert -ErrorVariable KeyToolStdErr2 -OutVariable KeyToolStdOut2 -ErrorAction Continue
    }
    else
    {
        throw 'Keytool is not available'
    }
}
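The same two keytool calls built as an argument array and run with PowerShell's call operator, as an added example (my own code, not the post's script). Invoke-Expression re-parses the assembled string as PowerShell, so a password or key name containing a quote, a “$” or a “;” breaks the command or is interpreted as code, and Create-Key never checks keytool's exit status. The function name New-XConnectKeystore, its CertPath and ValidityDays parameters and the default validity of 365 days are my own assumptions; the keytool options are the ones Create-Key uses.

```powershell
# Added example, not the post's script. Assumed names: New-XConnectKeystore, -CertPath, -ValidityDays.
function New-XConnectKeystore {
    param(
        [Parameter(Mandatory)] [string] $KeyToolPath,
        [Parameter(Mandatory)] [string] $KeyName,
        [Parameter(Mandatory)] [string] $CertPassword,
        [Parameter(Mandatory)] [string] $CertPath,   # output folder, e.g. C:\certificates\
        [int] $ValidityDays = 365                     # assumed default; Create-Key uses 9999
    )

    if (-not (Test-Path -LiteralPath $KeyToolPath)) {
        throw "keytool not found at '$KeyToolPath'"
    }
    if (-not (Test-Path -LiteralPath $CertPath)) {
        New-Item -ItemType Directory -Path $CertPath | Out-Null
    }

    # keytool prints warnings to stderr; with 2>&1 they become error records, which must
    # not terminate the function when the caller runs with $ErrorActionPreference = 'Stop'
    $ErrorActionPreference = 'Continue'

    $jks = Join-Path $CertPath "$KeyName.keystore.jks"
    $p12 = Join-Path $CertPath "$KeyName.keystore.p12"

    # Each array element is one argv entry: nothing is re-parsed as PowerShell code,
    # so any character in $CertPassword reaches keytool verbatim.
    $genArgs = @(
        '-genkeypair', '-alias', $KeyName,
        '-keyalg', 'RSA', '-keysize', '2048',
        '-keypass', $CertPassword, '-storepass', $CertPassword,
        '-validity', $ValidityDays,
        '-keystore', $jks,
        '-ext', "SAN=DNS:$KeyName,IP:127.0.0.1",
        '-dname', "CN=$KeyName, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country",
        '-noprompt'
    )
    $output = & $KeyToolPath @genArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "keytool -genkeypair failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }

    # Convert JKS to PKCS#12; for a PKCS#12 store keytool expects key and store password to match.
    $convArgs = @(
        '-importkeystore',
        '-srckeystore', $jks, '-destkeystore', $p12,
        '-srcstoretype', 'jks', '-deststoretype', 'pkcs12',
        '-srcstorepass', $CertPassword, '-deststorepass', $CertPassword,
        '-srckeypass', $CertPassword, '-destkeypass', $CertPassword,
        '-noprompt'
    )
    $output = & $KeyToolPath @convArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "keytool -importkeystore failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }

    # The .p12 is the file ImportEASCert loads into the Windows stores.
    return $p12
}

# Usage (assumed values):
# $p12 = New-XConnectKeystore -KeyToolPath 'C:\Program Files\Java\jre1.8.0_151\bin\keytool.exe' `
#            -KeyName 'Test123.xconnect' -CertPassword 'secret' -CertPath 'C:\certificates\'
```

The password still appears on keytool's command line, where any local process can read it while keytool runs. keytool accepts “-storepass:env NAME” and “-storepass:file PATH” (and the same suffixes for -keypass and the -src/-dest variants) to read it from an environment variable or a file instead; switching the array entries to that form keeps the password out of the process listing.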

It will create two files in C:\certificates\… or wherever you have set “CertPath” to.

[Image: Certificates]

Import the certificate

After I created the certificate I had to import it into the Windows certificate stores. For this I used the .NET library System.Security.Cryptography.X509Certificates, which let me import the certificate into the My/LocalMachine and Root/LocalMachine stores.

Below is the function which imports the certificate to the stores:


function ImportEASCert($strCertPath, $strCertPass)
{
    $fOk = Test-Path "$strCertPath"
    if ($fOk)
    {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2

        # Personal store of the machine: holds the certificate together with its private key
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "My", "LocalMachine"

        # Trusted Root store of the machine: makes Windows trust the self-signed certificate
        $storeRoot = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root", "LocalMachine"

        $absolutePfxFilePath = (Resolve-Path -Path $strCertPath).Path

        Write-Host "Importing store certificate '$absolutePfxFilePath'..."

        try
        {
            # MachineKeySet: keep the private key in the machine profile so services (IIS) can use it
            # Exportable, PersistKeySet: keep the key after import and allow exporting it again
            $cert.Import($absolutePfxFilePath, $strCertPass, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"Exportable, PersistKeySet")
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
            $storeRoot.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

            $store.Add($cert)
            Write-Host "Added Certificate to My/LocalMachine"
            $storeRoot.Add($cert)
            Write-Host "Added Certificate to Root/LocalMachine"

            # Return the certificate so the caller can read its Thumbprint and Subject
            $cert
        }
        catch
        {
            throw "Could not import certificates: $($_.Exception.Message)"
        }
        finally
        {
            # Close both stores, also when the import failed
            $store.Close()
            $storeRoot.Close()
        }
    }
    else
    {
        throw "Certificates not available in $strCertPath"
    }
}
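A check to run after ImportEASCert and before the name goes into the SIF parameters, as an added example (my own code, not the post's script). It reports what actually landed in the two stores, whether the private key is usable from My (xConnect authenticates as a client with it, so the Root copy only needs the public part), and lists older self-issued copies of the same subject still sitting in Root: every entry there is a trust anchor for the whole machine, so leftovers of earlier installs should be removed rather than accumulated. The function name Test-XConnectCertImport and the shape of the returned object are my own assumptions; it uses the Cert:\ drive that ships with PowerShell.

```powershell
# Added example, not the post's script. Assumed name: Test-XConnectCertImport.
function Test-XConnectCertImport {
    param(
        # Thumbprint of the certificate object ImportEASCert returns
        [Parameter(Mandatory)] [string] $Thumbprint
    )

    # Cert:\LocalMachine\My and Cert:\LocalMachine\Root are the two stores ImportEASCert writes to
    $my   = Get-ChildItem -Path Cert:\LocalMachine\My   | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    $root = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1

    $hasKey   = $false
    $subject  = $null
    $notAfter = $null
    $daysLeft = 0
    $san      = $null
    $stale    = @()

    if ($my) {
        $hasKey   = $my.HasPrivateKey
        $subject  = $my.Subject
        $notAfter = $my.NotAfter
        $daysLeft = [int]($my.NotAfter - (Get-Date)).TotalDays

        # Subject Alternative Name extension (OID 2.5.29.17): keytool wrote DNS:<name>,IP:127.0.0.1
        $sanExt = $my.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        if ($sanExt) { $san = $sanExt.Format($false) }

        # Self-issued certificates with the same subject but another thumbprint: leftovers of earlier installs
        $stale = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
            Where-Object { $_.Subject -eq $my.Subject -and $_.Issuer -eq $my.Subject -and $_.Thumbprint -ne $Thumbprint } |
            Select-Object -ExpandProperty Thumbprint)
    }

    $result = [ordered]@{
        Thumbprint      = $Thumbprint
        InMyStore       = [bool]$my
        InRootStore     = [bool]$root
        HasPrivateKey   = $hasKey
        Subject         = $subject
        SubjectAltName  = $san
        NotAfter        = $notAfter
        DaysUntilExpiry = $daysLeft
        StaleRootCopies = $stale
    }
    # Everything SIF and xConnect need: present in both stores, private key usable, not expired
    $result.Ok = $result.InMyStore -and $result.InRootStore -and $hasKey -and ($daysLeft -gt 0)

    return [pscustomobject]$result
}

# Usage (assumed file name and password):
# $cert = ImportEASCert "C:\certificates\Test123.keystore.p12" "secret"
# Test-XConnectCertImport -Thumbprint $cert.Thumbprint | Format-List
```

If Ok is false because InRootStore is false, the xConnect HTTPS endpoint will not be trusted on this machine; if HasPrivateKey is false, the .p12 was imported without its key and the client-certificate authentication against xConnect will fail. Thumbprints listed under StaleRootCopies can be removed with Remove-Item on the matching Cert:\LocalMachine\Root\<thumbprint> path.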

Call the script

In the install.ps1 script from SIF you have a part like this:


$certParams = @{
    Path = "C:\myinstallpath\xconnect-createcert.json"
    CertificateName = "xConnectCollectionClient"
}
Install-SitecoreConfiguration @certParams -Verbose

Replace it with:


# The path contains spaces, so it has to be quoted when dot-sourcing
. "c:\Location of the script\certInstall_srv2012.ps1"

####################################################
# Change the values of these parameters for your environment
####################################################
$certParams = @{
    CertPath = "C:\certificates\"
    KeyTool  = "C:\Program Files\Java\jre1.8.0_151\bin\keytool.exe"
    prefix   = "Test123" # or use the $prefix from the SIF install script
    Password = "secret"
}
####################################################
$CertificateName = Create-SslCertification $certParams

Use $CertificateName for XConnectCert/SSLCert in the “#deploy xconnect instance” and “#install sitecore instance” parts of the SIF install script, so that the installed certificate is provided like this:


#deploy xconnect instance
$xconnectParams = @{
Path = "$PSScriptRoot\xconnect-xp0.json"
Package = "$PSScriptRoot\Sitecore 9.0.2 rev. 180604 (OnPrem)_xp0xconnect.scwdp.zip"
LicenseFile = "$PSScriptRoot\license.xml"
XConnectCert = $CertificateName
SSLCert = $CertificateName
...
#install sitecore instance
$sitecoreParams = @{
XConnectCert = $CertificateName
...

Download

Download the full script certInstall_srv2012.ps1

This script helps us a lot because we and many of our customers run Server 2012 R2. I hope it helps you with the installation too, so that you don’t have to worry about the certificates for xConnect anymore.

Stefan Busch
