You have probably already installed Sitecore 9 on your environments by following various blog posts, with the necessary clarifications along the way.
But it may happen that you already have an SSL certificate for your environments, and the standard installation scripts do not account for that: they generate new certificates instead of reusing yours.
The affected places are the Solr instance and the xConnect installation.
One of the places where SSL is needed is the Solr instance. Following the instructions from Jeremy Davis in his blog post, I adjusted his script so that it uses an already existing certificate. I introduced a new variable, $solrNameSSL = "MySSLFriendlyName", used it instead of $solrName in every place that refers to the SSL certificate, and changed the certificate lookup so that it searches Cert:\LocalMachine\My as well as Cert:\LocalMachine\Root (the original only looked in Root, where its self-signed certificate ends up). Note that the lookup is by friendly name, so make sure the friendly name you configure matches exactly one certificate, and that the certificate's DNS name matches $solrHost.
The resulting script is below; do not forget to adjust the variables to your environment (in particular $solrNameSSL, $solrHost and $installFolder):
Param(
    $solrVersion = "6.6.2",
    $installFolder = "d:\solr",
    $solrPort = "8983",
    $solrHost = "solr",
    $solrSSL = $true,
    $nssmVersion = "2.24",
    $JREVersion = "1.8.0_151"
)

$JREPath = "C:\Program Files\Java\jre$JREVersion"
$solrName = "solr-$solrVersion"
# Friendly name of the existing certificate to reuse (a self-signed one is created under this name if none is found)
$solrNameSSL = "solr"
$solrRoot = "$installFolder\$solrName"
$nssmRoot = "$installFolder\nssm-$nssmVersion"
$solrPackage = "https://archive.apache.org/dist/lucene/solr/$solrVersion/$solrName.zip"
$nssmPackage = "https://nssm.cc/release/nssm-$nssmVersion.zip"
$downloadFolder = "~\Downloads"

## Verify elevated
## https://superuser.com/questions/749243/detect-if-powershell-is-running-as-administrator
$elevated = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")
if($elevated -eq $false)
{
    throw "In order to install services, please run this script elevated."
}

function downloadAndUnzipIfRequired
{
    Param(
        [string]$toolName,
        [string]$toolFolder,
        [string]$toolZip,
        [string]$toolSourceFile,
        [string]$installRoot
    )

    if(!(Test-Path -Path $toolFolder))
    {
        if(!(Test-Path -Path $toolZip))
        {
            Write-Host "Downloading $toolName..."
            Start-BitsTransfer -Source $toolSourceFile -Destination $toolZip
        }

        Write-Host "Extracting $toolName to $toolFolder..."
        Expand-Archive $toolZip -DestinationPath $installRoot
    }
}

# download & extract the solr archive to the right folder
$solrZip = "$downloadFolder\$solrName.zip"
downloadAndUnzipIfRequired "Solr" $solrRoot $solrZip $solrPackage $installFolder

# download & extract the nssm archive to the right folder
$nssmZip = "$downloadFolder\nssm-$nssmVersion.zip"
downloadAndUnzipIfRequired "NSSM" $nssmRoot $nssmZip $nssmPackage $installFolder

# Ensure Java environment variable
$jreVal = [Environment]::GetEnvironmentVariable("JAVA_HOME", [EnvironmentVariableTarget]::Machine)
if($jreVal -ne $JREPath)
{
    Write-Host "Setting JAVA_HOME environment variable"
    [Environment]::SetEnvironmentVariable("JAVA_HOME", $JREPath, [EnvironmentVariableTarget]::Machine)
}

# if we're using HTTP
if($solrSSL -eq $false)
{
    # Update solr cfg to use right host name
    if(!(Test-Path -Path "$solrRoot\bin\solr.in.cmd.old"))
    {
        Write-Host "Rewriting solr config"

        $cfg = Get-Content "$solrRoot\bin\solr.in.cmd"
        Rename-Item "$solrRoot\bin\solr.in.cmd" "$solrRoot\bin\solr.in.cmd.old"
        # start from $cfg (the original read $newCfg here, which is empty at this point)
        $newCfg = $cfg | % { $_ -replace "REM set SOLR_HOST=192.168.1.1", "set SOLR_HOST=$solrHost" }
        $newCfg | Set-Content "$solrRoot\bin\solr.in.cmd"
    }
}

# Ensure the solr host name is in your hosts file
if($solrHost -ne "localhost")
{
    $hostFileName = "c:\windows\system32\drivers\etc\hosts"
    $hostFile = [System.Io.File]::ReadAllText($hostFileName)
    if(!($hostFile -like "*$solrHost*"))
    {
        Write-Host "Updating host file"
        "`r`n127.0.0.1`t$solrHost" | Add-Content $hostFileName
    }
}

# if we're using HTTPS
if($solrSSL -eq $true)
{
    # Look for an existing certificate in the personal (My) store as well as the trusted root store
    $existingCertMy = Get-ChildItem Cert:\LocalMachine\My | where FriendlyName -eq "$solrNameSSL"
    $existingCertRoot = Get-ChildItem Cert:\LocalMachine\Root | where FriendlyName -eq "$solrNameSSL"

    if(!($existingCertMy) -And !($existingCertRoot))
    {
        # Generate SSL cert if does not exist
        Write-Host "Creating & trusting a new SSL Cert for $solrHost"

        # Generate a cert
        # https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
        $cert = New-SelfSignedCertificate -FriendlyName "$solrNameSSL" -DnsName "$solrHost" -CertStoreLocation "cert:\LocalMachine" -NotAfter (Get-Date).AddYears(10)

        # Trust the cert
        # https://stackoverflow.com/questions/8815145/how-to-trust-a-certificate-in-windows-powershell
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root","LocalMachine"
        $store.Open("ReadWrite")
        $store.Add($cert)
        $store.Close()

        # remove the untrusted copy of the cert
        $cert | Remove-Item
    }

    # export the cert to pfx using solr's default password
    # $certStore is needed again when rewriting solr.in.cmd, so it is defined outside the Test-Path check
    $certStore = "$solrRoot\server\etc\solr-ssl.keystore.pfx"
    if(!(Test-Path -Path $certStore))
    {
        Write-Host "Exporting cert for Solr to use"
        # Prefer the copy in My (an existing certificate); fall back to Root (the self-signed one)
        $certRoot = Get-ChildItem Cert:\LocalMachine\Root | where FriendlyName -eq "$solrNameSSL"
        $certMy = Get-ChildItem Cert:\LocalMachine\My | where FriendlyName -eq "$solrNameSSL"
        $certPwd = ConvertTo-SecureString -String "secret" -Force -AsPlainText

        if($certMy)
        {
            $certMy | Export-PfxCertificate -FilePath $certStore -Password $certPwd | Out-Null
        }
        elseif($certRoot)
        {
            $certRoot | Export-PfxCertificate -FilePath $certStore -Password $certPwd | Out-Null
        }
    }

    # Update solr cfg to use keystore & right host name
    if(!(Test-Path -Path "$solrRoot\bin\solr.in.cmd.old"))
    {
        Write-Host "Rewriting solr config"

        $cfg = Get-Content "$solrRoot\bin\solr.in.cmd"
        Rename-Item "$solrRoot\bin\solr.in.cmd" "$solrRoot\bin\solr.in.cmd.old"
        $newCfg = $cfg | % { $_ -replace "REM set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks", "set SOLR_SSL_KEY_STORE=$certStore" }
        $newCfg = $newCfg | % { $_ -replace "REM set SOLR_SSL_KEY_STORE_PASSWORD=secret", "set SOLR_SSL_KEY_STORE_PASSWORD=secret" }
        $newCfg = $newCfg | % { $_ -replace "REM set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks", "set SOLR_SSL_TRUST_STORE=$certStore" }
        $newCfg = $newCfg | % { $_ -replace "REM set SOLR_SSL_TRUST_STORE_PASSWORD=secret", "set SOLR_SSL_TRUST_STORE_PASSWORD=secret" }
        $newCfg = $newCfg | % { $_ -replace "REM set SOLR_HOST=192.168.1.1", "set SOLR_HOST=$solrHost" }
        $newCfg | Set-Content "$solrRoot\bin\solr.in.cmd"
    }
}

# install the service & runs
$svc = Get-Service "$solrName" -ErrorAction SilentlyContinue
if(!($svc))
{
    Write-Host "Installing Solr service"
    &"$installFolder\nssm-$nssmVersion\win64\nssm.exe" install "$solrName" "$solrRoot\bin\solr.cmd" "-f" "-p $solrPort"
    $svc = Get-Service "$solrName" -ErrorAction SilentlyContinue
}
if($svc.Status -ne "Running")
{
    Write-Host "Starting Solr service"
    Start-Service "$solrName"
}

# finally prove it's all working
$protocol = "http"
if($solrSSL -eq $true)
{
    $protocol = "https"
}
Invoke-Expression "start $($protocol)://$($solrHost):$solrPort/solr/#/"
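Two things in the script above deserve a closer look when the certificate is one you already own. The lookup is by friendly name, which is not unique and says nothing about whether the certificate actually names $solrHost or has an exportable private key, and the exported PFX is protected with "secret", the sample password from Solr's own solr.in.cmd. The following PowerShell is an added example, not part of the original post or of Jeremy Davis's script: it selects the certificate by thumbprint, checks the DNS name, validity period and private key before exporting, generates a random keystore password instead of "secret", writes it into solr.in.cmd, and restricts both files to SYSTEM and Administrators. $existingThumbprint, $solrHost and $solrRoot are placeholders, and the ACL step assumes Solr runs as LocalSystem under NSSM, which is how the script above installs it.

```powershell
# Added example, not part of the original post or of Jeremy Davis's script.
# Reuses an existing certificate for Solr, selected by thumbprint, checks it
# before exporting, and generates the keystore password instead of using
# Solr's sample value "secret". The three parameters below are placeholders.
Param(
    $solrHost = "solr",
    $solrRoot = "d:\solr\solr-6.6.2",
    $existingThumbprint = "0000000000000000000000000000000000000000"   # assumption: your cert's thumbprint
)

function Test-SolrCertificate {
    # Returns the reasons the certificate cannot serve https://$HostName (an empty list when it can)
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostName
    )
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += "no private key in this store" }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($Cert.NotAfter)" }
    if ($Cert.NotBefore -gt (Get-Date)) { $problems += "not valid before $($Cert.NotBefore)" }

    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17), plus the subject CN as fallback
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        $names += ($san.Format($false) -split ",") | ForEach-Object { ($_ -replace "^\s*DNS Name=", "").Trim() }
    }
    $names += $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($names -notcontains $HostName) {
        $problems += "host '$HostName' is not among the certificate's names ($($names -join ', '))"
    }
    return $problems
}

# Thumbprint lookup across the two stores the script above searches (a thumbprint matches exactly one certificate)
$id = ($existingThumbprint -replace "\s", "").ToUpper()
$cert = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $id } | Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $id in LocalMachine\My or LocalMachine\Root" }

$problems = Test-SolrCertificate -Cert $cert -HostName $solrHost
if ($problems.Count -gt 0) {
    throw ("Certificate $id is not usable for Solr on ${solrHost}:`n - " + ($problems -join "`n - "))
}

# Random keystore password (48 hex characters) instead of "secret"; it only ever lands in solr.in.cmd
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$keystorePassword = ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
$securePwd = ConvertTo-SecureString -String $keystorePassword -Force -AsPlainText

$certStore = "$solrRoot\server\etc\solr-ssl.keystore.pfx"
try {
    $cert | Export-PfxCertificate -FilePath $certStore -Password $securePwd | Out-Null
} catch {
    throw "Export to $certStore failed; the private key is probably marked non-exportable: $_"
}

# Same rewrite of solr.in.cmd as the script above, but with the generated password; the original is kept as .old
$cfgPath = "$solrRoot\bin\solr.in.cmd"
if (-not (Test-Path "$cfgPath.old")) { Copy-Item $cfgPath "$cfgPath.old" }
$cfg = Get-Content "$cfgPath.old"
$cfg = $cfg -replace "^REM set SOLR_SSL_KEY_STORE=.*", "set SOLR_SSL_KEY_STORE=$certStore"
$cfg = $cfg -replace "^REM set SOLR_SSL_KEY_STORE_PASSWORD=.*", "set SOLR_SSL_KEY_STORE_PASSWORD=$keystorePassword"
$cfg = $cfg -replace "^REM set SOLR_SSL_TRUST_STORE=.*", "set SOLR_SSL_TRUST_STORE=$certStore"
$cfg = $cfg -replace "^REM set SOLR_SSL_TRUST_STORE_PASSWORD=.*", "set SOLR_SSL_TRUST_STORE_PASSWORD=$keystorePassword"
$cfg = $cfg -replace "^REM set SOLR_HOST=.*", "set SOLR_HOST=$solrHost"
$cfg | Set-Content $cfgPath

# Both files now hold secrets (the private key, and its password in clear text):
# limit them to SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544).
# Assumption: Solr runs as LocalSystem under NSSM, as the script above sets it up.
foreach ($f in @($certStore, $cfgPath)) {
    icacls $f /inheritance:r /grant:r "*S-1-5-18:F" "*S-1-5-32-544:F" | Out-Null
}
Write-Host "Solr keystore exported to $certStore (certificate $id, host $solrHost)"
```

Run it elevated after the Solr archive has been extracted and before the NSSM service is started; if you run it against a Solr that is already running, restart the service so it picks up the new keystore. The PFX and solr.in.cmd are the two places the private key material lives on disk, which is why the example locks both down rather than only the keystore.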
One of the standard steps is to install a client certificate for xConnect, and that step has to be removed or at least commented out. It usually looks like this:

#install client certificate for xconnect
$certParams = @{
    Path = "$PSScriptRoot\xconnect-createcert.json"
    CertificateName = "$prefix.xconnect_client"
}
Install-SitecoreConfiguration @certParams -Verbose

I recommend commenting out only this line:

Install-SitecoreConfiguration @certParams -Verbose

and putting your certificate's friendly name or thumbprint into the CertificateName variable defined above it.

This covers the client authentication certificate; next come the necessary changes for the server authentication certificate. The parameter called SSLCert has to be added to the part of the script that deploys the xConnect instance, as follows:

#deploy xconnect instance
$xconnectParams = @{
    Path = "$PSScriptRoot\xconnect-xp0.json"
    Package = "$PSScriptRoot\Sitecore 9.0.0 rev. 171002 (OnPrem)_xp0xconnect.scwdp.zip"
    LicenseFile = "$PSScriptRoot\license.xml"
    Sitename = $XConnectCollectionService
    XConnectCert = $certParams.CertificateName
    SSLCert = $certParams.CertificateName
    SqlDbPrefix = $prefix
    SqlServer = $SqlServer
    SqlAdminUser = $SqlAdminUser
    SqlAdminPassword = $SqlAdminPassword
    SolrCorePrefix = $prefix
    SolrURL = $SolrUrl
}
Install-SitecoreConfiguration @xconnectParams

This is needed because, if SSLCert is not provided, a certificate will be generated automatically and used for the HTTPS web bindings of the xConnect website.
In the official Installation Guide, chapter 4.1 and chapter 8.1.1 contain more information about the SSL requirements and about where and how the certificates are used.
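Whatever goes into CertificateName above has to resolve to exactly one usable certificate, and a friendly name does not guarantee that: two certificates can share one, and the installation will then use whichever comes first. The following PowerShell is an added example, not code from the post or from Sitecore's SIF scripts. It resolves each name to a thumbprint before the xConnect deployment, fails on an ambiguous friendly name, and checks that the certificate has a private key and, where it carries an Enhanced Key Usage extension, allows the role it is being used for (Client Authentication for XConnectCert, Server Authentication for SSLCert). The EKU check is my own sanity check rather than a documented Sitecore requirement, Cert:\LocalMachine\My as the store is an assumption, and $prefix, the json and package paths and the SQL/Solr values are placeholders standing in for what your install script already defines.

```powershell
# Added example, not code from the post or from Sitecore's SIF scripts.
# Resolves the existing certificates to thumbprints before they are handed to
# xconnect-xp0.json, so an ambiguous friendly name fails here instead of
# silently picking one of several certificates.

function Resolve-StoreCertificate {
    param(
        [Parameter(Mandatory)][string]$NameOrThumbprint,
        [string]$RequiredEkuOid,                        # Enhanced Key Usage the certificate must allow (optional)
        [string]$StorePath = "Cert:\LocalMachine\My"    # assumption: the store the certificates are installed in
    )
    $certs = Get-ChildItem $StorePath
    $id = ($NameOrThumbprint -replace "\s", "").ToUpper()

    # A thumbprint identifies exactly one certificate; only fall back to the friendly name if it is not one
    $found = @($certs | Where-Object { $_.Thumbprint -eq $id })
    if ($found.Count -eq 0) {
        $found = @($certs | Where-Object { $_.FriendlyName -eq $NameOrThumbprint })
    }
    if ($found.Count -eq 0) {
        throw "No certificate named or with thumbprint '$NameOrThumbprint' in $StorePath"
    }
    if ($found.Count -gt 1) {
        $list = ($found | ForEach-Object { "$($_.Thumbprint) (expires $($_.NotAfter.ToString('yyyy-MM-dd')))" }) -join "; "
        throw "Friendly name '$NameOrThumbprint' matches $($found.Count) certificates, use a thumbprint instead: $list"
    }

    $cert = $found[0]
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key in this store"
    }
    # If the certificate restricts its purposes (EKU extension, OID 2.5.29.37), the required one must be listed
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if ($RequiredEkuOid -and $eku -and
        -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequiredEkuOid })) {
        throw "Certificate $($cert.Thumbprint) does not allow Enhanced Key Usage $RequiredEkuOid"
    }
    return $cert.Thumbprint
}

$ClientAuthEku = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
$ServerAuthEku = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth

# Values your install script defines earlier; placeholders here
$prefix = "sc9"
$XConnectCollectionService = "$prefix.xconnect"
$SqlServer = "localhost"
$SqlAdminUser = "sa"
$SqlAdminPassword = "change-me"           # placeholder; read it from a secure source in practice
$SolrUrl = "https://solr:8983/solr"

# Replaces the xconnect-createcert.json step: the certificates already exist, so they are only resolved.
# One certificate may serve both roles as long as it allows both EKUs (or has no EKU extension at all).
$xconnectClientThumb = Resolve-StoreCertificate -NameOrThumbprint "$prefix.xconnect_client" -RequiredEkuOid $ClientAuthEku
$xconnectSslThumb    = Resolve-StoreCertificate -NameOrThumbprint "MySSLFriendlyName" -RequiredEkuOid $ServerAuthEku

$xconnectParams = @{
    Path = "$PSScriptRoot\xconnect-xp0.json"
    Package = "$PSScriptRoot\Sitecore 9.0.0 rev. 171002 (OnPrem)_xp0xconnect.scwdp.zip"
    LicenseFile = "$PSScriptRoot\license.xml"
    Sitename = $XConnectCollectionService
    XConnectCert = $xconnectClientThumb   # thumbprints rather than friendly names
    SSLCert = $xconnectSslThumb
    SqlDbPrefix = $prefix
    SqlServer = $SqlServer
    SqlAdminUser = $SqlAdminUser
    SqlAdminPassword = $SqlAdminPassword
    SolrCorePrefix = $prefix
    SolrURL = $SolrUrl
}
Install-SitecoreConfiguration @xconnectParams
```

Passing thumbprints also makes the deployment reproducible: a re-run after a certificate has been renewed under the same friendly name fails loudly at the resolve step instead of binding the site to whichever of the two certificates the store enumerates first.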
One reply on “How to install Sitecore 9 with existing SSL certificate”
[…] Fabian is presenting are not needed as you should use this article for installing your solution Sitecore 9 installation with existing SSL that I’ve written last […]