Sitecore 9: Create Certificate for Server 2012 and Windows 8.1
A known issue with the Sitecore 9 installation is the creation of a self-signed certificate for xConnect. The provided solution with “xconnect-createcert.json” does not work on Windows Server 2012 & Windows 8.1.
The workaround in the documentation for Sitecore 9 Update-1 & 2 is to create the certificate manually.
Important: When you install the xConnect configurations on IIS 8.5 - Windows 2012 R2 or Windows 8.1, you cannot use the xconnect-createcert.json configuration file to generate a self-signed client certificate for xConnect. You must provide a certificate for the installation. (Sitecore 9u2 documentation)
If you install Sitecore 9 once or twice, that is OK. But it is a pain if you have to install it more often.
So I created my own PowerShell script to create a self-signed certificate.
Keytool to create certificate
As part of the Solr installation you must install the Java Runtime Environment (JRE). It includes keytool.exe, which I used to create the certificate.
This is what I used: Java jre8 downloads
The keytool is located under “C:\Program Files\Java\jre1.8.0_151\bin\keytool.exe” or under the path in the environment variable “JAVA_HOME”, if you installed Java as recommended.
My function to create the certificate looks like this:
function Create-Key($KeyToolPath, $KeyName, $CertPassword)
{
    $keytoolOK = Test-Path $KeyToolPath
    if ($keytoolOK)
    {
        # Pass the arguments as arrays to the call operator rather than building a string
        # for Invoke-Expression, so the name and password are never parsed as PowerShell code.
        # Create the key pair in a JKS keystore.
        $createArgs = @('-genkeypair', '-alias', $KeyName, '-keyalg', 'RSA', '-keysize', '2048',
            '-keypass', $CertPassword, '-storepass', $CertPassword, '-validity', '9999',
            '-keystore', "$KeyName.keystore.jks", '-ext', "SAN=DNS:$KeyName,IP:127.0.0.1",
            '-dname', "CN=$KeyName, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country",
            '-noprompt')
        $Create = & $KeyToolPath @createArgs *>&1
        # Convert the JKS keystore to PKCS#12 so that Windows can import it.
        $convertArgs = @('-importkeystore', '-srckeystore', "$KeyName.keystore.jks",
            '-destkeystore', "$KeyName.keystore.p12", '-srcstoretype', 'jks', '-deststoretype', 'pkcs12',
            '-keypass', $CertPassword, '-storepass', $CertPassword, '-srcstorepass', $CertPassword,
            '-noprompt')
        $Convert = & $KeyToolPath @convertArgs *>&1
    }
    else
    {
        throw 'Keytool is not available'
    }
}
It will create 2 files in C:\certificates\ … or wherever you have set the “CertPath” to.
Import the certificate
After I created the certificate I had to import it into Windows. For this I used the .NET library System.Security.Cryptography.X509Certificates. With this library I was able to import the certificate into the stores My/localmachine and Root/localmachine.
Below is the function which imports the certificate to the stores:
function ImportEASCert($strCertPath, $strCertPass)
{
    $fOk = Test-Path "$strCertPath"
    if ($fOk)
    {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "My", "LocalMachine"
        $storeRoot = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root", "LocalMachine"
        $absolutePfxFilePath = (Resolve-Path -Path $strCertPath).Path
        Write-Host "Importing store certificate '$absolutePfxFilePath'..."
        try
        {
            # MachineKeySet and PersistKeySet keep the private key in the machine key store;
            # Exportable allows the key to be exported again later.
            $cert.Import($absolutePfxFilePath, $strCertPass, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"Exportable, PersistKeySet")
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
            $storeRoot.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
            $store.Add($cert)
            Write-Host "Added Certificate to My/LocalMachine"
            # Adding the self-signed certificate to Root makes this machine trust it.
            $storeRoot.Add($cert)
            Write-Host "Added Certificate to Root/LocalMachine"
            # Return the certificate object to the caller.
            $cert
        }
        catch
        {
            throw "Could not Import certificates: $($_.Exception.Message)"
        }
        finally
        {
            # Close both stores, also when the import fails.
            $store.Close()
            $storeRoot.Close()
        }
    }
    else
    {
        throw "Certificates not available in $strCertPath"
    }
}
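A follow-up check for the import step above, added here as an example and not part of the original script: it confirms that the certificate is in both LocalMachine stores with its private key, and removes it from both stores once the instance is retired. The function names Test-ImportedCert and Remove-ImportedCert and the path in the usage comment are assumptions.

```powershell
# Added example; Test-ImportedCert and Remove-ImportedCert are hypothetical helper names.
function Test-ImportedCert
{
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $result = [ordered]@{ Thumbprint = $Thumbprint }
    foreach ($storeName in 'My', 'Root')
    {
        $found = Get-ChildItem "Cert:\LocalMachine\$storeName" |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            Select-Object -First 1
        $result["In$storeName"] = [bool]$found
        if ($found -and $storeName -eq 'My')
        {
            # The SSL binding and the xConnect client certificate both need the private key
            $result['HasPrivateKey'] = $found.HasPrivateKey
            $result['SelfSigned']    = ($found.Subject -eq $found.Issuer)
            $result['NotAfter']      = $found.NotAfter
        }
    }
    [pscustomobject]$result
}

function Remove-ImportedCert
{
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    foreach ($storeName in 'My', 'Root')
    {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, 'LocalMachine'
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        try
        {
            $findType = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint
            # validOnly = $false: also match certificates that no longer validate
            foreach ($c in $store.Certificates.Find($findType, $Thumbprint, $false))
            {
                $store.Remove($c)
                Write-Host "Removed $($c.Subject) from $storeName/LocalMachine"
            }
        }
        finally { $store.Close() }
    }
}

# Usage (constructed path and password):
#   $cert = ImportEASCert 'C:\certificates\Test123.keystore.p12' 'secret'
#   Test-ImportedCert -Thumbprint $cert.Thumbprint
#   Remove-ImportedCert -Thumbprint $cert.Thumbprint   # when the instance is retired
```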
Call the script
In the install.ps1 script from SIF you have a part like this:
$certParams = @{
    Path = "C:\myinstallpath\xconnect-createcert.json"
    CertificateName = "xConnectCollectionClient"
}
Install-SitecoreConfiguration @certParams -Verbose
Replace it with:
# Dot-source the script; the path must be quoted because it contains spaces
. "c:\Location of the script\certInstall_srv2012.ps1"
####################################################
# Change the values of these params for your environment
####################################################
$certParams = @{
    CertPath = "C:\certificates\"
    KeyTool = "C:\Program Files\Java\jre1.8.0_151\bin\keytool.exe"
    prefix = "Test123" #or use the $prefix from SIF install script
    Password = "secret"
}
####################################################
$CertificateName = Create-SslCertification $certParams
Use the $CertificateName for XConnectCert/SSLCert in the parts #deploy xconnect instance and #install sitecore instance of the SIF install script to provide the installed certificate, like this:
#deploy xconnect instance
$xconnectParams = @{
    Path = "$PSScriptRoot\xconnect-xp0.json"
    Package = "$PSScriptRoot\Sitecore 9.0.2 rev. 180604 (OnPrem)_xp0xconnect.scwdp.zip"
    LicenseFile = "$PSScriptRoot\license.xml"
    XConnectCert = $CertificateName
    SSLCert = $CertificateName
    ...
#install sitecore instance
$sitecoreParams = @{
    XConnectCert = $CertificateName
    ...
Download
Download the full script certInstall_srv2012.ps1
This script helps us a lot because we and many of our customers have Server 2012 R2. I hope it also helps you with the installation, so that you don’t have to worry about the certificates for xConnect anymore.
©viu AG