Exchange trust certificates between farms (SharePoint Server 2010)

 

Applies to: SharePoint Server 2010, SharePoint Foundation 2010

In Microsoft SharePoint Server 2010, a SharePoint farm can connect to and consume a service application that is published on another SharePoint Server 2010 farm. For this to occur, the farms must exchange trust certificates.

This article describes how to exchange trust certificates between the publishing farm and the consuming farm. Note that both farms must participate in this exchange for service application sharing to work.

Important

Before you start to share service applications, we highly recommend that you read the articles Share service applications across farms (SharePoint Server 2010) and Services architecture planning (SharePoint Server 2010).

You must use Windows PowerShell 2.0 commands to export and copy the certificates between farms. After the certificates are exported and copied, you can use either Windows PowerShell 2.0 commands or Central Administration to manage the trusts within the farm.

The instructions here assume the following criteria:

  • That the servers that are used for these procedures are running Windows PowerShell 2.0.

  • That the administrator will select and use the same server in each farm for all steps in the process.

  • If User Account Control (UAC) is turned on, you must run the Windows PowerShell 2.0 commands with elevated privileges.

In this article:

Exporting and copying certificates

An administrator of the consuming farm must provide two trust certificates to the publishing farm: a root certificate and a security token service (STS) certificate. An administrator of the publishing farm must provide a root certificate to the consuming farm.

You can only export and copy certificates by using Windows PowerShell 2.0.

To export the root certificate from the consuming farm

  1. On a server that is running SharePoint Server 2010 on the consuming farm, verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click Administrative Tools.

  3. Click SharePoint 2010 Management Shell.

  4. At the Windows PowerShell command prompt, type each of the following commands:

    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    
    $rootCert.Export("Cert") | Set-Content <C:\ConsumingFarmRoot.cer> -Encoding byte
    

    Where <C:\ConsumingFarmRoot.cer> is the path of the root certificate.

To export the STS certificate from the consuming farm

  1. At the Windows PowerShell command prompt, type the following commands:

    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    
    $stsCert.Export("Cert") | Set-Content <C:\ConsumingFarmSTS.cer> -Encoding byte
    

    Where <C:\ConsumingFarmSTS.cer> is the path of the STS certificate.

To export the root certificate from the publishing farm

  1. On a server that is running SharePoint Server 2010 on the publishing farm, verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click Administrative Tools.

  3. Click SharePoint 2010 Management Shell.

  4. At the Windows PowerShell command prompt, type the following commands:

    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    
    $rootCert.Export("Cert") | Set-Content <C:\PublishingFarmRoot.cer> -Encoding byte
    

    Where <C:\PublishingFarmRoot.cer> is the path of the root certificate.

To copy the certificates

  1. Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm.

  2. Copy the root certificate from the server in the publishing farm to a server in the consuming farm.

Managing trust certificates by using Windows Powershell

Managing trust certificates within a farm involves establishing trust. This section describes how to establish trust on both the consuming and publishing farms, using Windows PowerShell 2.0 commands.

Establishing trust on the consuming farm

To establish trust on the consuming farm, you must import the root certificate that was copied from the publisher farm and create a trusted root authority.

To import the root certificate and create a trusted root authority on the consuming farm

  1. At the Windows PowerShell command prompt on a server in the consuming farm, type the following commands:

    $trustCert = Get-PfxCertificate <C:\PublishingFarmRoot.cer>
    
    New-SPTrustedRootAuthority <PublishingFarm> -Certificate $trustCert
    

Where:

  • <C:\PublishingFarmRoot.cer> is the path of the root certificate that you copied to the consuming farm from the publishing farm.

  • <PublishingFarm> is a unique name that identifies the publishing farm. Each trusted root authority must have a unique name.

Establishing trust on the publishing farm

To establish trust on the publishing farm, you must import the root certificate that was copied from the consuming farm and create a trusted root authority. You must then import the STS certificate that was copied from the consuming farm and create a trusted service token issuer.

To import the root certificate and create a trusted root authority on the publishing farm

  1. At the Windows PowerShell command prompt on a server in the publishing farm, type the following commands:

    $trustCert = Get-PfxCertificate <C:\ConsumingFarmRoot.cer>
    
    New-SPTrustedRootAuthority <ConsumingFarm> -Certificate $trustCert
    

Where:

  • <C:\ConsumingFarmRoot.cer> is the name and location of the root certificate that you copied to the publishing farm from the consuming farm.

  • <ConsumingFarm> is a unique name that identifies the consuming farm. Each trusted root authority must have a unique name.

To import the STS certificate and create a trusted service token issuer on the publishing farm

  1. At the Windows PowerShell command prompt on a server in the publishing farm, type the following commands:

    $stsCert = Get-PfxCertificate <c:\ConsumingFarmSTS.cer>
    
    New-SPTrustedServiceTokenIssuer <ConsumingFarm> -Certificate $stsCert
    

Where:

  1. <C:\ConsumingFarmSTS.cer> is the path of the STS certificate that you copied to the publishing farm from the consuming farm.

  2. <ConsumingFarm> is a unique name that identifies the consuming farm. Each trusted service token issuer must have a unique name.

For more information about these Windows PowerShell 2.0 cmdlets, see the following articles:

For information about using a script to automate part of this process, see Exchange trust certificates between farms (https://go.microsoft.com/fwlink/p/?LinkId=230666).

Managing trust certificates by using Central Administration

You can manage trusts on a farm only after the relevant certificates have already been exported and copied to the farm.

To establish trust by using Central Administration

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

  2. On the SharePoint Central Administration Web site, click Security.

  3. On the Security page, in the General Security section, click Manage trust.

  4. On the Trust Relationship page, on the ribbon, click New.

  5. On the Establish Trust Relationship page:

    1. Supply a name that describes the purpose of the trust relationship.

    2. Browse to and select the Root Authority Certificate for the trust relationship. This must be the Root Authority Certificate that was exported from the other farm by using Windows PowerShell, as described in Exporting and copying certificates.

    3. If you are performing this task on the publishing farm, select the check box for Provide Trust Relationship. Type in a descriptive name for the token issuer and browse to and select the STS certificate that was copied from the consuming farm, as described in Exporting and copying certificates.

    4. Click OK.

    After a trust relationship is established, you can modify the Token Issuer description or the certificates that are used by clicking the trust, and then clicking Edit. You can delete a trust by clicking it, and then clicking Delete.

See Also

Concepts

Plan authentication methods (SharePoint Server 2010)
Configure claims authentication (SharePoint Server 2010)
Configure the security token service (SharePoint Server 2010)

Other Resources

Resource Center: Security and Authentication for SharePoint Server 2010