All About Certificates

6/6/2020 Sitecore Sitecore Commerce SSL HTTPS Certificate

Getting out of SSL hell. This blog post will give you all the information you need to know about setting up certificates for your Sitecore site and generating your own SSL certs.


One of the main reasons I created this site was to write this specific blog post. I recently got back from the SSL hell Sitecore threw me into (twice actually) and stayed in until I was forced to learn all of its evil inner workings. Once I escaped scathed, disoriented and full of PTSD flashbacks (don't even say the words secure or encrypted to me), everything made complete sense in a beautiful/evil way.

So for those of you who are not totally familiar with how SSL certs are validated or even work (I am guessing you aren't, otherwise you wouldn't be reading this article): there is a specific store in CERTLM called Trusted Root Certification Authorities. This store contains the root certificates the machine trusts; a certificate is only accepted if it chains up to one of these roots, and a root in this store is what you use to generate your own SSL certs.

For example, there is an authority called DigiCert (you can see it in the image on the left). If you navigate to facebook.com, you will see that their certificate chains up to a DigiCert root. Windows installs a default list of these authorities, so most sites using https come back as valid when you browse them. If I delete that DigiCert root out of the store and then browse to facebook, I will get an error saying their certificate is invalid (don't try that on your local, lol).

So when Sitecore decided to split everything out into separate sites in 9.0 and above (Identity Server, XConnect, BizFX, the Commerce solutions), they had to allow these sites to communicate with each other over https (possibly, and most likely, on different servers) but still trust each other. If all the certificates were self-signed, they wouldn't trust each other. You would probably get some shitty error like "could not establish secure channel for SSL/TLS with authority" or something like that.

So instead, Sitecore decided to generate their own Root Certification Authority and allow you to generate your own certificates based off that root. Pretty cool huh? I thought so...
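To make the root-CA mechanics concrete, here is an added PowerShell example (mine, not the post's SitecoreCerts.ps1 script or anything shipped by Sitecore): it issues a throwaway development root CA and a leaf certificate signed by it, then asks Windows to build the chain before and after the root's public certificate is placed in Trusted Root Certification Authorities. The subject names and the DNS name are constructed placeholders. It needs an elevated prompt on Windows 10 / Server 2016 or later, because `New-SelfSignedCertificate -Signer` does not exist on older versions.

```powershell
# Added example, not the post's script. Issues a dev root CA plus a leaf signed by it and shows
# how chain building decides trust. Names below are constructed placeholders.

function New-DevRootCa {
    param([string]$Name = 'Example Dev Root')   # placeholder CN, not the Sitecore root's name
    # A CA certificate: basic constraints ca=1, key usage allows signing other certificates.
    New-SelfSignedCertificate -Type Custom -Subject "CN=$Name" `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable `
        -TextExtension @('2.5.29.19={text}ca=1&pathlength=0') `
        -CertStoreLocation 'Cert:\LocalMachine\My' -NotAfter (Get-Date).AddYears(5)
}

function New-DevLeaf {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Issuer,
        [Parameter(Mandatory)][string]$DnsName
    )
    # Leaf signed by the dev root. EKU serverAuth + clientAuth, so it can serve as the site's
    # HTTPS certificate and as the client certificate it presents to another site.
    New-SelfSignedCertificate -Type Custom -Subject "CN=$DnsName" -DnsName $DnsName -Signer $Issuer `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment -KeyExportPolicy Exportable `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
        -CertStoreLocation 'Cert:\LocalMachine\My' -NotAfter (Get-Date).AddYears(2)
}

function Get-ChainStatus {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a dev CA publishes no CRL
    $ok  = $chain.Build($Cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject = $Cert.Subject
        Trusted = $ok
        Root    = $top.Subject
        Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

$root = New-DevRootCa
$leaf = New-DevLeaf -Issuer $root -DnsName 'sc.example.local'   # placeholder host name

# The root only exists in Personal so far, so the chain ends in a root Windows does not trust.
Get-ChainStatus -Cert $leaf

# Put only the root's public certificate into Trusted Root; that store never needs the private key.
$cer = Join-Path $env:TEMP 'dev-root.cer'
Export-Certificate -Cert $root -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Same leaf, now chaining to a trusted root.
Get-ChainStatus -Cert $leaf
```

The first `Get-ChainStatus` call reports the chain as untrusted with an UntrustedRoot status; the second, after the import, reports it as trusted with the dev root as the top of the chain. Note that only the `.cer` (public part) goes into the Root store, which is the least that store needs and keeps the root's private key out of a store every process on the box can read.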

But anyway, trusting the certificates alone may still not allow a trust relationship between the sites. For example, the Sitecore site (CM and CD) needs to communicate with XConnect by providing a thumbprint, which is set in the connection strings of the site. The Commerce engines may have a thumbprint to the CM certificate. The XConnect services (Index Worker, Marketing Automation and Search Indexer) store the thumbprint, which must be shared on the XConnect web.config. The Identity server stores the thumbprint of its own certificate (don't know why, but I wasted literal hours on that part).

TL;DR

Unfortunately, you still have to read a lot because this is a complex procedure (I know, reading is hard. Feel free to complain in the comments).

Image 1

Image 2

  1. Download this file http://idk-sitecore.com/files/All-About-Certificates/SitecoreCerts.ps1
  2. Create a folder called c:\certificates
  3. Run it. If you do not need the commerce certs, comment them out.
  4. Go to search on your computer and type in Manage Computer Certificates (I bolded Computer so you do not open Local Certificates)
  5. Install the Sitecore Development Root certificate in the Trusted Root Certification Authorities (refer to image 1)
    1. Right click on the big part of the window
    2. Go to All Tasks > Import
    3. Make the private key exportable
    4. The password is b unless you changed it in the script
    5. DO NOT INSTALL ANY OTHER CERTIFICATES IN THIS STORE!! You will get an SSL error and not know why and spend 20+ hours questioning your sanity and even your career. 
  6. Install all the other certificates in the Personal Store. You can repeat this process for all the servers your Sitecore sites are installed on. It does not matter. 

Okay, so this next part gets a little tricky. For each Sitecore site that communicates with another Sitecore site, the application pool user will need to have access to the private key of the certificate. Below are the steps on how to grant certificate access to a specific user.

  1. Inside the CERTLM, expand the Personal tree.
  2. Navigate to the certificate you need to grant access to.
  3. Right-click and go to All Tasks > Manage Private Keys.
  4. Find the user and give them Full Access.

So look at Image 2. Take note of the users associated with the application pool. Sometimes it is ApplicationPoolIdentity, in which case the IIS_IUSRS group will need access to the certificate. But if you have a custom user, that user will need to be granted access. Below is a list of each application pool that needs to have access to its corresponding certificate:

  • The user associated with the Sitecore CM or CD application pool will need to have access to the Sitecore xConnect client certificate
  • The user associated with the Identity Server application pool will need to have access to the Sitecore Identity cert
  • The user associated with the Commerce application pools (Authoring, Minions, Shops, Ops) will need to have access to the Sitecore Storefront certificate
  • The Local Service user will need to have access to the Sitecore xConnect client certificate (this is for the XConnect services)
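The "Manage Private Keys" step is really just a file ACL on the key container behind the certificate, so it can be scripted and, more usefully, audited. The following PowerShell is an added example (not the post's script and not from Sitecore): it locates the private key file for a certificate in the machine Personal store, grants an account access, and lists the resulting ACL so over-broad grants stand out. The thumbprint and the account name in the usage lines are placeholders. It grants Read rather than the Full Control the GUI step gives; Read on the key file is all a process needs to use the key for TLS.

```powershell
# Added example, not from the post. Grants an account access to a certificate's private key
# (what "Manage Private Keys" does) and shows the resulting ACL. Placeholder values are marked.

function Get-PrivateKeyFile {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { throw "Certificate $($Cert.Thumbprint) has no private key in this store" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { throw "Certificate $($Cert.Thumbprint) does not use an RSA key" }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key (what New-SelfSignedCertificate produces): machine keys live under Crypto\Keys
        $file = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys') $rsa.Key.UniqueName
    } else {
        # Legacy CAPI/CSP key: machine keys live under Crypto\RSA\MachineKeys
        $file = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') `
                          $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    if (-not (Test-Path -Path $file)) { throw "Key file not found at $file (user-scoped or hardware-backed key?)" }
    $file
}

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # certificate in Cert:\LocalMachine\My
        [Parameter(Mandatory)][string]$Account       # e.g. 'BUILTIN\IIS_IUSRS' or 'NT AUTHORITY\LOCAL SERVICE'
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $file = Get-PrivateKeyFile -Cert $cert
    $acl  = Get-Acl -Path $file
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $file -AclObject $acl
    # Return who can reach the key now, so unexpected principals are visible.
    (Get-Acl -Path $file).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage (placeholders): the xConnect client certificate's thumbprint and the CM app pool's group.
Grant-PrivateKeyRead -Thumbprint '0000000000000000000000000000000000000000' -Account 'BUILTIN\IIS_IUSRS'
```

For a custom application pool user, pass that account (for example `DOMAIN\svc-sitecore`); for the xConnect Windows services from the last bullet, pass `NT AUTHORITY\LOCAL SERVICE`. Run it elevated, since both the machine store and the key files under ProgramData are administrator-writable only.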

Okay, so we installed the certificates and granted the access rights. Now we actually need to set the correct thumbprints in each of the config files. We are going to go certificate by certificate to assign the correct thumbprints.

NOTE: To get a thumbprint from a certificate, double-click it in the store, click on the Details tab, and scroll down to Thumbprint. It is a very long string of numbers and letters. Just copy that.

So here is the list of all the thumbprint settings (assuming you are on Sitecore 9.3 or above).

  1. Sitecore xConnect client
    1. [Path to your CM or CD site]\App_Config\ConnectionStrings.config
      1. sitecore.reporting.client.certificate
      2. xconnect.collection.certificate
      3. xdb.marketingautomation.operations.client.certificate
      4. xdb.marketingautomation.reporting.client.certificate
      5. xdb.referencedata.client.certificate
    2. [Path to your XConnect Site]\App_Config\AppSettings.config
      1. validateCertificateThumbprint
    3. [Path to your XConnect Site]\App_Data\jobs\continuous\AutomationEngine\App_Config\ConnectionStrings.config
      1. xconnect.collection.certificate
    4. [Path to your XConnect Site]\App_Data\jobs\continuous\ProcessingEngine\App_Config\ConnectionStrings.config
      1. xconnect.collection.certificate
      2. xconnect.configuration.certificate
      3. xconnect.search.certificate
  2. Sitecore Identity
    1. [Path to your Identity Site]\Config\production\Sitecore.IdentityServer.Host.xml
      1. CertificateThumbprint
  3. Sitecore Storefront (Commerce only, and only if you decided to create a configs node in your config.json file)
    1. [Path to your Commerce site (Minions, Authoring, etc.)]\wwwroot\config.json
      1. Thumbprint
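Every setting above must hold the thumbprint of a certificate that actually sits in the machine Personal store with its private key, so the fastest way to find the one you mistyped is to check them all at once. The script below is an added example, not from the post: it pulls every thumbprint-shaped value out of the listed files, flags stray characters (the invisible left-to-right mark or the spaces that can come along when you copy the thumbprint out of the certificate dialog), and reports whether a matching certificate with a private key exists and is still valid. The site paths are placeholders, and the file layouts (`FindValue=` in connection strings, `value=""` in AppSettings, a `<CertificateThumbprint>` element, a `"Thumbprint"` JSON property) are assumed from the setting names above.

```powershell
# Added example, not from the post. Audits thumbprint settings against Cert:\LocalMachine\My.
# Site paths are placeholders; the file layouts are assumed from the setting names in the post.

function Get-ConfigThumbprints {
    param([Parameter(Mandatory)][string]$Path)
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        # 20 hex pairs, allowing whitespace or a left-to-right mark (U+200E/U+200F) around them,
        # which is what a thumbprint copied from the certificate dialog can contain.
        if ($line -match '(?<raw>[\u200E\u200F]*(?:[0-9A-Fa-f]{2}[\s\u200E\u200F]*){20})') {
            $raw   = $Matches.raw
            $clean = ($raw -replace '[^0-9A-Fa-f]', '').ToUpper()
            # Recover which setting the value belongs to (formats assumed, see lead-in).
            $setting = if ($line -match '(?:name|key)="(?<n>[^"]+)"')        { $Matches.n }
                       elseif ($line -match '<(?<n>CertificateThumbprint)>') { $Matches.n }
                       elseif ($line -match '"(?<n>Thumbprint)"\s*:')        { $Matches.n }
                       else { "line $lineNo" }
            [pscustomobject]@{
                File       = $Path
                Setting    = $setting
                Thumbprint = $clean
                StrayChars = ($raw.Length -ne $clean.Length)   # spaces or LRM would break the lookup
            }
        }
    }
}

function Test-ThumbprintSettings {
    param([Parameter(Mandatory)][string[]]$ConfigFile)
    $store = Get-ChildItem -Path 'Cert:\LocalMachine\My'
    foreach ($file in $ConfigFile) {
        if (-not (Test-Path -Path $file)) { Write-Warning "Config file not found: $file"; continue }
        foreach ($entry in Get-ConfigThumbprints -Path $file) {
            $cert    = $store | Where-Object { $_.Thumbprint -eq $entry.Thumbprint }
            $hasKey  = if ($cert) { $cert.HasPrivateKey } else { $false }
            $expired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
            $subject = if ($cert) { $cert.Subject } else { '' }
            [pscustomobject]@{
                Setting       = $entry.Setting
                Thumbprint    = $entry.Thumbprint
                StrayChars    = $entry.StrayChars
                InStore       = [bool]$cert
                HasPrivateKey = $hasKey
                Expired       = $expired
                Subject       = $subject
                File          = $entry.File
            }
        }
    }
}

# Placeholder site roots; replace with your own install paths.
$cm       = 'C:\inetpub\wwwroot\sc.local'
$xconnect = 'C:\inetpub\wwwroot\sc.xconnect'
$identity = 'C:\inetpub\wwwroot\sc.identityserver'
$commerce = 'C:\inetpub\wwwroot\sc.commerce.authoring'

$files = @(
    "$cm\App_Config\ConnectionStrings.config",
    "$xconnect\App_Config\AppSettings.config",
    "$xconnect\App_Data\jobs\continuous\AutomationEngine\App_Config\ConnectionStrings.config",
    "$xconnect\App_Data\jobs\continuous\ProcessingEngine\App_Config\ConnectionStrings.config",
    "$identity\Config\production\Sitecore.IdentityServer.Host.xml",
    "$commerce\wwwroot\config.json"
)

Test-ThumbprintSettings -ConfigFile $files |
    Sort-Object InStore, HasPrivateKey |
    Format-Table Setting, Thumbprint, InStore, HasPrivateKey, Expired, StrayChars, File -AutoSize
```

Rows with `InStore` false are thumbprints pointing at a certificate this server does not have; `HasPrivateKey` false means the certificate was imported without its key (or into the wrong store), and `StrayChars` true means the value in the file will never match even though it looks right on screen. Run it on each server, since the store contents differ per box.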

That's it!

Hopefully this helped. This process was a literal pain in the ass for me so hopefully you do not have to endure as much pain as I did lol