Service Provider Framework – Import a Certificate prior executing setup.exe

Hi there! This is Thomas Roettinger with the first blog  post this year on Microsoft Service Provider Framework (SPF). Happy new year to all of you from the team.

What is SPF?

Service Provider Foundation is provided with System Center 2012 - Orchestrator, a component of System Center 2012 Service Pack 1 (SP1). Service Provider Foundation exposes an extensible OData web service that interacts with Virtual Machine Manager (VMM). This enables service providers and hosters to design and implement multi-tenant self-service portals that integrate IaaS capabilities available System Center 2012 SP1.



We found a missing step in our documentation that needs to be updated.

A certificate must be imported before you start the installation of SPF otherwise the installation can’t continue. The setup routine does not create its own certificate to enable https instead you need to select your own certificate.

As you can see in this screenshot the “Next” button is greyed out because the setup process requires you to select a certificate store and name.


Possible Solutions:

1. Go and buy a certificate to be used for SPF and import prior installation

2. If you have an AD Certificate infrastructure create and import a certificate prior installation

3. Use makecert.exe to create a self-signed certificate and import prior installation (ONLY for Test)

Installing SPF with a Self-Signed Certificate for testing

As mentioned above using a self-signed certificate is only for testing purposes and should never be used in a production environment

1. Copy the makecert.exe utility locally to your SPF Server

2. Run the following elevated command to Create a self-signed root authority certificate

makecert -pe -n "CN=TestRootCA" -ss personal -sr LocalMachine -sky signature -r "TestRootCA.cer"

The command installs a test certificate in the personal store of the local machine and is saved as a file locally

3. Run the following elevated command to create a new certificate signed by the test root authority certificate. The FQDN must match your SPF Server.

makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku, -in "TestRootCA" -is personal -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 SPFTestCert.cer

4. Now you are able to select your self-signed certificate during the SPF setup process.

Additional Information:

The SPF documentation can be found here and should be updated soon:

Makecert Utility

This utility is part of Visual Studio see here

I hope you find this blog post useful and check by soon and keep watching this space for more posts on Windows Server 2012 & System Center topics

Thomas Roettinger

Program Manager (PACE)

Server and Cloud Division

Comments (0)

Skip to main content