Friday, January 14, 2011

Will your FAST Search Server for SharePoint work in a year?

That depends on what you are doing with your certificates. If you followed the installation instructions you are most likely using a self-signed certificate created during installation which is only valid for a year.
Fast forward one year from your installation date, and your users will start complaining for sure.

Your options are either to purchase a certificate from a certificate authority which have longer expirations, or create a self signed with an expiration date more than one year into the future. (If you are relying on https communication in your FS4SP environment you need to purchase a certificate, as self signed won’t work and you don’t have to read on.)

If you don’t want to fork out the money for a commercial certificate and want to forget about renewal, then here’s what you need to do.

Note: Only works on 2008R2, not 2008.

Open up C:\FASTSearch\installer\scripts\include\certificatesetup.ps1 and scroll down to line number 246 which reads:
Add-Content -Path $infFile -Value "SuppressDefaults=true"

Append the following lines underneath it:
Add-Content -Path $infFile -Value "ValidityPeriod=Years" 
Add-Content -Path $infFile -Value "ValidityPeriodUnits=100"

and save the file.

Then recreate your certificate with

replacedefaultcertificate.ps1 as explained at TechNet. And remember to import it on your SharePoint 2010 server as well.

If you apply this edit during installation of FAST for SharePoint you save yourself a step and possibly some sleep. Do the edit after the .exe install, and before you run the configuration wizard.



  1. ashu6976AtHotmailAugust 5, 2011 at 1:11 AM

    Amazing stuff!!!
    thanks Mikael.

  2. What do you do if you want to use a DOMAIN based certificate from your AD CA? For some reason I'm not seeing this a whole lot of places. Do you just use the SSL cert for the various SP/FAST servers? Do they automatically recognize each other? Do you need to create a different type of certificate?

  3. Anonymous: You're in luck.. sort of. Added that for my upcoming FS4SP book 5 minutes ago with some help from a friend. So you will have to wait until it's available from Amazon

  4. Hi mikael,

    In Fast Search while crawling its taking two much and not stopping and finally am getting the warning as

    "Failed to connect to Failed to initialize session with document engine: Unable to resolve Contentdistributor"

    "This item comprises multiple parts and/or may have attachments. Not all of these parts were indexed. They may either be invalid or deliberately skipped (e.g. images). The remote server may also have been unresponsive while indexing these parts. ( The filtering process could not load the item. This is possibly caused by an unrecognized item format or item corruption. 0x40d30 )"

    Please help.

    1. Hi,
      This question is more suited for the FS4SP forums, and not this blog post, as it's a bit unrelated :)

      "taking too much" means what? Could it be that you are indexing too fast compared to what the FAST server(s) can handle... causing items to back up and being queued?

  5. Sorry i missed the word...its taking too much time to crawl and after refreshing several times also the status was "Crawling full" and finally getting those errors...

    Ofcourse the question is the right one for forum...but stuck with the error thats why i thought of getting your help...


    1. Hi,
      I would start to perf mon the servers. If the fs4sp server(s) are maxing on cpu/disk io, then add crawler impact rules to slow down crawling...or add more IO power to handle the load.

      Not 100% sure, but seems the errors might be load related and causing timeouts.

      If you re-crawl of of the failed items alone when there is little load.. does it work then?


  6. Hello, I’m trying to extend the life of the self-signed certificates on the FS4SP Servers. The .\replacedefaultcertificate.ps1 –generateNewCertificate $true executed without problems
    on the admin node and I can see the certificate in the certificate store (Personal and Trusted Root Certification Authority ) with the new expiration date.

    However, I get error message(s) when I run the script on my first non-admin node. The last lines of the error message indicate that a new certificate was installed, but the certificate store does not show any FASTSearchCert :

    PS E:\FASTSearch\installer\scripts> .\replacedefaultcertificate.ps1 –generateNewCertificate $true

    Enter the password for the certificate you generated on the adminserver: ************

    At E:\FASTSearch\installer\scrips\include\certificatesharedfunctions.ps1:131 char:13
    + throw <<<< “Error trying to import certificate”
    + CategoryInfo :OperationStopped: (Error trying to import certificate:String)
    [] , RuntimeException
    + FullyQualifiedErrorId : Error trying to import certificate

    Error tyring to get thumbprint id from certificate in certificate store by name.
    At E:\FASTSearch\installer\scrips\include\certificatesharedfunctions.ps1:303 char:13
    + throw <<<< “Error tyring to get thumbprint id from certificate in certificate store by name.”
    + CategoryInfo : OperationStopped: (Error trying to … store by name. : String) [],
    + FullyQualifiedErrorId : Error trying to get thumbprint id from certificate in certificate store by name.

    Installed new certificate.
    Reconfigured Microsoft FAST Seacrch Server 2010 for SharePoint.

    PS E:\FASTSearch\installer\scripts>

    I am following instructions on page 332 of your book Working with Microsoft FAST Search Server 2010 for SharePoint (see first page of attached file). And the article: --> from the section “Replace the self-signed certificate with a new self-signed certificate”

    My servers are Windows 2008 Enterprise R2 with SP1. It is a multi-node installation of FS4SP.

    Hope you can assist, Sue

    1. Hi,
      Did you try to install it with the same user you used when you installed it the first time? And you have to make sure you can access the admin node by file share, as it uses this to copy the cert over to the non-admin nodes (if I remember correctly). Been a while since I did this the last time.