Google has announced that they are starting to give more weight in search result for sites protected with SSL. If you are publishing your SharePoint sites over the internet, applying SSL should become a priority now. However, security (encryption over SSL) should be considered important whether SharePoint sites are on the internet or intranet.
Securing a SharePoint site with SSL is no different than securing other websites hosted on IIS. What we need is a valid server certificate. For development or testing environment, it is OK to use self-signed certificate, or certificates generated by local Active Directory Certificate Authority. Otherwise, we have to enroll for a certificate from external certificate authority (CA) such as Comodo SSL and Go Daddy SSL.
Signing Certificate Request with Private Key
When we create a certificate enrollment to external CA, don’t forget to sign it with a private key. We already wrote an article about this here: Signing Certificate Request with Private Key. If we forget to sign our certificate request with a private key, we won’t be able to use the server certificate in IIS for securing a website.
Install Certificate on IIS
When the certificate is ready, there should be two certificate files sent by CA to you. Each CA has different instruction on how to install those files. We enrolled the certificate from Go Daddy, so we followed their KB on how to install certificate to IIS 8 here: Installing an SSL Certificate in Microsoft IIS 8.
Create Alternate Access Mapping for Secured Site
When we are done with installation of server certificate on IIS, we should configure SharePoint to use it. Our SharePoint previously uses port 80, so to be able to use SSL (port 443), we have to create an alternate access mapping from SharePoint Central Administration:
Note: don’t forget to add an entry in DNS if you use FQDN for the new alternate access mapping URL.
Redirect HTTP Access to HTTPS
If you plan to allow only HTTPS connection, then you have to redirect all HTTP access to HTTPS. You can do this from IIS Redirection feature: