
Configuration

It is very important that a precise sequence of steps is followed when configuring a new SSL Certificate. If any of these steps is skipped, the system does not operate correctly. Many of the newer tools ThinkMinistry is deploying rely heavily on the SSL Certificate being installed correctly. In addition, SSL Certificates should be from a reputable web host or a Certificate Authority. Short-term and free SSL Certificates are not recommended and may not work with our software.

After Renewing or Installing a Certificate:

The following assumes you have already installed and tested your certificate.

  1. Ensure that IIS can access the Certificate Private Key.
  2. Ensure that the Platform's Domain/Accounts record (System Setup Section) is updated with the Thumbprint for the Certificate in the "OAuth Signing Certificate Thumbprint" field.
  3. Ensure that the IIS Site hosting MinistryPlatform has been configured to use the new / updated Certificate.

All of these steps need to take place on the IIS Server that hosts MinistryPlatform. If your church is set up using multiple IIS servers, your exact steps will differ slightly from this.

A. Ensure IIS can access the Private Key

Step 1: Find your IIS User Account

Before we can set the permissions on the Certificate Private Key, we need to know which user IIS is using to run MinistryPlatform. To check this, launch IIS Manager > Application Pools.

Find the MinistryPlatform Application Pools. Note the User Account that the application pool is running under. For most churches, it is Network Service, but for some, it is MPApp (or something similar).

Step 2: Edit Permissions in MMC

To launch MMC with the Certificates Snap-In, see: Manage Certificates In MMC.

Locate the Certificate used to secure your website and Right Click > All Tasks > Manage Private Keys.

If the user you discovered in Step A.1 is not listed with Full Control, add that user and ensure that Full Control is checked: 

  1. Click Add.
  2. Type the name of the User in the dialog.
  3. Click Check Names.
  4. If the Name is recognized, it's underlined.

If the Name does not resolve, you may have to use the Locations button to change where the dialog is searching for the name.

B. Edit MinistryPlatform Domain/Site record.

Step 1: Get Certificate Thumbprint

  1. In MMC, double-click the Certificate.
  2. Open the Details tab.
  3. Scroll to the bottom and select Thumbprint.
  4. Select and Copy the Thumbprint.

There is an additional hidden character at the beginning of the thumbprint. Make sure you remove this character. You may need to paste the value into Notepad and recopy it.

Step 2: Edit Platform Domain/Account record

Use the thumbprint you copied in the previous section:

  1. Navigate to the "System Setup" folder and open the "Domain/Accounts" page.
  2. Open your organization's Domain/Account record.
  3. Edit the "OAuth Signing Certificate Thumbprint" field with the new Thumbprint.
  4. Click on "Save".

Check for question marks at the beginning of the thumbprint due to the hidden characters. Remove these if necessary.
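
A PowerShell check for the thumbprint handling described above, added here as an example and not part of the original article or ThinkMinistry's tooling. The function names are hypothetical, the sample thumbprint is constructed, and it assumes the certificate is installed in Cert:\LocalMachine\My on the IIS server.

```powershell
# Added example: clean a thumbprint pasted from the MMC Details tab and
# confirm it matches an installed certificate before saving it to the
# "OAuth Signing Certificate Thumbprint" field.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Pasted)
    # Keep hex digits only. This drops the invisible leading character,
    # the '?' it turns into after a save, and any spaces between bytes.
    return ($Pasted -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-SigningCertificate {
    param(
        [Parameter(Mandatory)][string]$Pasted,
        # Assumption: machine "Personal" store, where IIS certificates normally live.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $thumb = ConvertTo-CleanThumbprint $Pasted
    if ($thumb.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($thumb.Length)."
    }
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        throw "No certificate with thumbprint $thumb found in $StorePath."
    }
    # HasPrivateKey only shows a key is associated with the certificate.
    # It does not prove the application pool account can read it (section A).
    [pscustomobject]@{
        Thumbprint    = $thumb
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

# Constructed sample: an invisible U+200E mark (assumed here as the hidden
# character) followed by a made-up thumbprint with spaces, as copied from MMC.
$sample = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"
ConvertTo-CleanThumbprint $sample

# On the IIS server, pass the value you actually copied:
# Test-SigningCertificate -Pasted '<paste thumbprint here>'
```

Run it in an elevated PowerShell session on the IIS server. The DaysRemaining value is also a convenient input for the expiration reminders.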

If you cannot open the platform, you can update the database directly like so:

UPDATE dp_Domains SET OAuth_Signing_Certificate_Thumbprint = '{thumbprint}' WHERE Domain_ID = 1

Additional Steps

Check MinistryPlatform

Launch the Portal and Core Tools to ensure everything is still fully functional.

Add a Calendar Reminder About Expiration

This is not a critical step, but a recommended one. Add one or more reminders to your calendar for 14, 30 and 60 days before your certificate expires. Don't get caught without a valid SSL Cert. Not only is it a PCI violation, but it is not fun to change a certificate under pressure.