Elena Petrashen - Senior Sitecore Developer
15 Mar 2023
This blog will provide a very practical solution on how to generate a secure SSL certificate for a Sitecore instance – using Sitecore cert or ZeroSSL.
I have come across a few scripts online that promise they will create a local certificate for a Sitecore site, but the one that really worked for me in an easy and reliable way is using Sitecore’s createcert.json. It has been included in the Sitecore installation files since version 9.
Run this in the PowerShell console (in my case, “Sitecore xp 9.2” is the folder where I placed all the Sitecore files after unzipping XP0 Configuration files [your version].zip, using 9.2 as an example):
scinst C:\YourPathTo\createcert.json -CertificateName my.new.sitename
You will need to note the location and the password for the new certificate you created.
Double-click the certificate to install it. Make sure that you select Local Machine as a certificate store.
You will need the password you got in PowerShell during the generation of the certificate to import it successfully.
Add it to the HTTPS binding of your site and hopefully, it should be working!
We recently used a ZeroSSL certificate on an Azure distributed environment which needed to be accessible from external devices, so it might be that you will find it handy in a similar situation.
As of now, you can get 3 free 90-day SSL certificates using ZeroSSL. After you click through their wizard and confirm the domain ownership, you get a zip file containing ca_bundle.crt, certificate.crt and private.key.
We need OpenSSL to generate the .pfx certificate now. On a Windows server, the easiest way to do it is to use the Git for Windows folder if you already have it there, or to install it temporarily.
The openssl.exe should be in your C:\Program Files\Git\usr\bin\ folder.
Copy the files you got from ZeroSSL there and run it like this in cmd from that folder:
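openssl pkcs12 -export -out mygreatsite.example.com.pfx -inkey private.key -in certificate.crt -certfile ca_bundle.crt
(note that -in must point at your site certificate and -certfile at the CA bundle; if -in is passed twice, OpenSSL uses only the last one and the CA bundle is left out of the .pfx)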
Your certificate will be generated in the same folder, and in this case, you can choose your own password. Same as with a local certificate, install it by double-clicking, make sure it goes to the Local Machine store, and select it in an IIS binding.
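Before installing the .pfx, it is worth confirming that it holds the private key, that the certificate chain builds on this server and that it is not close to expiry. The PowerShell below is an added example, not part of the original post or of Sitecore's or ZeroSSL's tooling; Test-SitePfx, its parameters and the 14-day margin are assumptions made for illustration.

```powershell
# Added example (not from the original post). Test-SitePfx is a hypothetical helper name.
# EphemeralKeySet needs .NET Framework 4.7.2+ and keeps the private key out of any key store.
function Test-SitePfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [int] $MinDaysLeft = 14   # assumed renewal margin for a 90-day certificate
    )
    $x509  = 'System.Security.Cryptography.X509Certificates'
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $certs = New-Object "$x509.X509Certificate2Collection"
    $certs.Import((Resolve-Path $PfxPath).Path, $plain, 'EphemeralKeySet')

    # The site certificate is the entry that carries the private key;
    # everything else in the file is chain material (the CA bundle).
    $leaf  = @($certs | Where-Object { $_.HasPrivateKey })
    $extra = @($certs | Where-Object { -not $_.HasPrivateKey })
    if ($leaf.Count -ne 1) {
        throw "Expected exactly one certificate with a private key, found $($leaf.Count)."
    }
    $leaf = $leaf[0]

    # Build the chain, offering the certificates bundled in the PFX as intermediates.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # no CRL/OCSP lookups
    foreach ($c in $extra) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    $builds = $chain.Build($leaf)

    $daysLeft = [int]($leaf.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Subject          = $leaf.Subject
        Thumbprint       = $leaf.Thumbprint
        ChainCertsInFile = $extra.Count   # 0 means the CA bundle was not packed into the .pfx
        ChainBuilds      = $builds
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        DaysLeft         = $daysLeft
        ReadyToBind      = $builds -and ($daysLeft -ge $MinDaysLeft)
    }
}

# Usage with the file name from the post:
# Test-SitePfx -PfxPath .\mygreatsite.example.com.pfx -Password (Read-Host 'PFX password' -AsSecureString)
```

The Thumbprint value it returns is the one to look for when picking the certificate in the IIS HTTPS binding.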
As a final note, I found this post helpful if you need to attach your new ZeroSSL certificate to Solr instead of installing it to your machine’s certificate store.