How to Exchange trust certificates between farms in SharePoint 2010


In this article we are going to see how to Exchange trust certificates between farms in SharePoint 2010. 

Microsoft SharePoint Server 2010 introduces service applications, which replace the Shared Services Provider (SSP) of MOSS 2007. An SSP could not be shared across farms; a service application can be published by one farm and consumed by another. Before a farm can consume a service application published by another SharePoint Server 2010 farm, the two farms must exchange trust certificates. The export and copy steps must be done with Windows PowerShell 2.0. Once the certificates have been copied, the trusts themselves can be managed either with Windows PowerShell 2.0 or from Central Administration; this article uses PowerShell throughout. Two farms are involved: the publishing farm, in which the service application runs, and the consuming farm, which consumes data from the publishing farm.

To exchange trust certificates between farms the following steps should be followed.

How to export and copy certificates:

An administrator of the consuming farm must provide two trust certificates to the publishing farm: the farm's root certificate and the signing certificate of its security token service (STS). An administrator of the publishing farm must provide only the publishing farm's root certificate to the consuming farm. The Export("Cert") calls below write the DER-encoded public certificate only, so no private key leaves either farm. Note, however, that the publishing farm will accept security tokens signed by whatever STS certificate it imports, so verify the thumbprint of each file with the sending administrator over a separate channel (not the same share or e-mail that carried the file) before importing it. The following steps should be performed.

Consuming Farm:

Exporting the root certificate:
  1. On a server in the consuming farm, open the Start menu, right-click SharePoint 2010 Management Shell and select Run as administrator.

  2. In the command prompt, type each of the following commands.

    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    $rootCert.Export("Cert") | Set-Content "C:\Users\21212\ConsumingFarmRoot.cer" -Encoding byte

Exporting the STS certificate:
  1. In the Command Prompt, type each of the following commands.

    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    $stsCert.Export("Cert") | Set-Content  "C:\Users\21212\ConsumingFarmSTS.cer" -Encoding byte

Publishing Farm:

Exporting the root certificate:
  1. In the Command Prompt, type each of the following commands.

    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    $rootCert.Export("Cert") | Set-Content  "C:\Users\21212\PublishingFarmRoot.cer" -Encoding byte

Copying the certificates:
  1. Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm. 

  2. Copy the root certificate from the server in the publishing farm to a server in the consuming farm. 
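The export steps above for both farms, collected into one script as an added example (this is not code from the original article). It also re-reads each exported file, confirms that it carries no private key, and prints the thumbprint and expiry date so the receiving administrator can verify the file before trusting it. The function name Export-FarmTrustCertificate and the export directory C:\FarmTrust are assumptions; the file names match those used in the article.

```powershell
# Added example, not code from the original article. Run in the SharePoint 2010
# Management Shell (Run as administrator) on one server of the farm named in -FarmRole.
# The export directory C:\FarmTrust and the function name are assumptions.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Export-FarmTrustCertificate {
    param(
        [ValidateSet("Consuming", "Publishing")] [string]$FarmRole,
        [string]$ExportDir = "C:\FarmTrust"
    )
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

    # Every farm hands out its root certificate; only the consuming farm also hands out
    # the signing certificate of its security token service.
    $certs = @{ "$($FarmRole)FarmRoot.cer" = (Get-SPCertificateAuthority).RootCertificate }
    if ($FarmRole -eq "Consuming") {
        $certs["ConsumingFarmSTS.cer"] = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    }

    foreach ($fileName in $certs.Keys) {
        $path = Join-Path $ExportDir $fileName
        # Export("Cert") yields the DER-encoded public certificate only; no private key is written.
        $certs[$fileName].Export("Cert") | Set-Content -Path $path -Encoding Byte

        # Re-read the file and report the thumbprint the receiving administrator must check
        # against the value you give them over a separate channel (phone, ticket, signed mail).
        $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
        if ($check.HasPrivateKey) { throw "$path unexpectedly contains a private key; do not copy it" }
        New-Object PSObject -Property @{
            File       = $path
            Subject    = $check.Subject
            NotAfter   = $check.NotAfter
            Thumbprint = $check.Thumbprint
        }
    }
}

# Consuming farm: produces ConsumingFarmRoot.cer and ConsumingFarmSTS.cer
Export-FarmTrustCertificate -FarmRole Consuming | Format-Table -AutoSize
# Publishing farm: produces PublishingFarmRoot.cer
# Export-FarmTrustCertificate -FarmRole Publishing | Format-Table -AutoSize
```

Keep the printed thumbprints: the receiving farm should compare them against the files it was sent, and the NotAfter date tells you when the trust will stop working and the exchange has to be repeated.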

Managing Trust Certificates:

How to establish trust on the consuming farm:
  1. To import the root certificate and create a trusted root authority on the consuming farm, type the following commands.

    $trustCert = Get-PfxCertificate "C:\Users\21212\PublishingFarmRoot.cer"
    New-SPTrustedRootAuthority "MetadataPublishingFarm" -Certificate $trustCert

How to establish trust on the publishing farm:
  1. To import the root certificate and create a trusted root authority on the publishing farm, type the following commands.

    $trustCert = Get-PfxCertificate "C:\Users\21212\ConsumingFarmRoot.cer"
    New-SPTrustedRootAuthority "MetadataConsumingFarm" -Certificate $trustCert

  2. To import the STS certificate and create a trusted service token issuer on the publishing farm, type the following commands.

    $stsCert = Get-PfxCertificate "C:\Users\21212\ConsumingFarmSTS.cer"

    New-SPTrustedServiceTokenIssuer "MetadataConsumingFarm" -Certificate $stsCert
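The trust-creation steps for both farms, as an added example (not code from the original article) that adds the checks a practitioner wants before a farm starts accepting another farm's tokens: each file's thumbprint is compared with the value received out of band, a file carrying a private key or an expired certificate is rejected, an existing trust with the same name is left untouched instead of failing, and the resulting trusts are listed afterwards. The import directory, the thumbprint table and the function names Get-VerifiedCertificate and Add-FarmTrust are assumptions; the trust names are the ones the article uses.

```powershell
# Added example, not code from the original article. Run on a server in the farm that
# is receiving the certificates. The import directory, the thumbprint table and the
# function names are assumptions; the trust names match those used in the article.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Thumbprints the sending administrator gave you over a separate channel (not in the same
# e-mail or share as the .cer files). Fill these in before running; the placeholders will fail.
$expectedThumbprint = @{
    "C:\FarmTrust\ConsumingFarmRoot.cer"  = "<thumbprint from consuming farm admin>"
    "C:\FarmTrust\ConsumingFarmSTS.cer"   = "<thumbprint from consuming farm admin>"
    "C:\FarmTrust\PublishingFarmRoot.cer" = "<thumbprint from publishing farm admin>"
}

function Get-VerifiedCertificate([string]$Path) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($cert.HasPrivateKey) { throw "$Path carries a private key; only public certificates are exchanged" }
    $expected = ($expectedThumbprint[$Path] -replace "\s", "").ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw ("Thumbprint mismatch for {0}: file has {1}, expected {2}" -f $Path, $cert.Thumbprint, $expected)
    }
    if ($cert.NotAfter -lt (Get-Date)) { throw "$Path has expired ($($cert.NotAfter))" }
    return $cert
}

function Add-FarmTrust([string]$Name, [string]$RootPath, [string]$StsPath) {
    # Trusted root authority: needed on both farms
    if (Get-SPTrustedRootAuthority -Identity $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Trusted root authority '$Name' already exists; leaving it unchanged"
    } else {
        New-SPTrustedRootAuthority -Name $Name -Certificate (Get-VerifiedCertificate $RootPath) | Out-Null
    }
    # Trusted token issuer: only the publishing farm trusts the consuming farm's STS
    if ($StsPath) {
        if (Get-SPTrustedServiceTokenIssuer -Identity $Name -ErrorAction SilentlyContinue) {
            Write-Warning "Trusted service token issuer '$Name' already exists; leaving it unchanged"
        } else {
            New-SPTrustedServiceTokenIssuer -Name $Name -Certificate (Get-VerifiedCertificate $StsPath) | Out-Null
        }
    }
}

# On the publishing farm: trust the consuming farm's root and its STS signing certificate
Add-FarmTrust -Name "MetadataConsumingFarm" -RootPath "C:\FarmTrust\ConsumingFarmRoot.cer" -StsPath "C:\FarmTrust\ConsumingFarmSTS.cer"
# On the consuming farm: trust only the publishing farm's root
# Add-FarmTrust -Name "MetadataPublishingFarm" -RootPath "C:\FarmTrust\PublishingFarmRoot.cer"

# Confirm what this farm now trusts and with which thumbprints
Get-SPTrustedRootAuthority | Select-Object Name, @{n="Thumbprint"; e={$_.Certificate.Thumbprint}}
Get-SPTrustedServiceTokenIssuer | Select-Object Name, @{n="Thumbprint"; e={$_.SigningCertificate.Thumbprint}}
```

The final two commands are also the ones to run when a cross-farm connection later stops working: a thumbprint that no longer matches the other farm's current STS certificate, or a missing entry, is the usual cause.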
