SSL Certificates Configuration

Important: You must follow a precise sequence of steps when you configure a new SSL Certificate. If you don't complete any of these steps, then the system does not operate correctly. Many of the newer tools we deploy rely heavily on the SSL Certificate being installed correctly. In addition, you should use SSL Certificates from a reputable web host or a Certificate Authority. We do not recommend short-term and free SSL Certificates, and they may not work with our software.

After You Renew or Install a Certificate

The following assumes you already installed and tested your certificate.

Ensure that IIS can access the Certificate Private Key.
Ensure that you update the Platform Domain or Accounts record (System Setup Section) with the Thumbprint for the Certificate in the OAuth Signing Certificate Thumbprint field.
Ensure that you configured the IIS Site hosting MinistryPlatform to use the new or updated Certificate.

All of these steps must take place on the IIS Server that hosts MinistryPlatform. If your church is set up using multiple IIS servers, your exact steps may differ from this slightly.

Find your IIS User Account

Ensure IIS can access the Private Key. Before we can set the permissions on the Certificate Private Key, ensure we know which user IIS uses to run MinistryPlatform.

Launch IIS Manager > Application Pools.
Find the MinistryPlatform Application Pools.

Note: Note the User Account that the application pool runs under. For most churches, it is Network Service, but for some, it is MPApp (or something similar).

Edit Permissions in MMC

To launch MCC with the Certificates Snap-In, see Manage Certificates in MMC.

Locate the Certificate used to secure your website.
Right click and go to All Tasks > Manage Private Keys.

Ensure Add User and Full Control

If the user is not listed with Full Control, add that user and ensure that you select Full Control.

Click Add.
Type the name of the User in the dialog.
Click Check Names.
Recognized Names are underlined.

Note: If the Name does not resolve, use the Locations button to change where the dialog searches for the name.

Get Certificate Thumbprint

Edit the MinistryPlatform Domain or Site record.

In MMC, double-click the Certificate.
Open the Details tab.
Scroll to the bottom and select Thumbprint.
Select and copy the Thumbprint. There is an additional hidden character at the beginning of the thumbprint. Remove this character. You may need to paste the value into a notepad and recopy it.

Edit Platform Domain or Account Record

Use the thumbprint you copied previously.

Go to System Setup > Domains/Accounts.
Open your organization's Domain/Account record.
Edit the OAuth Signing Certificate Thumbprint field with the new Thumbprint.

Note: Check for question marks at the beginning of the thumbprint due to the hidden characters. Remove these if necessary.
Click Save.
Check for question marks at the beginning of the thumbprint due to the hidden characters. Remove if necessary.

If you cannot open the Platform, you can update the database directly:

UPDATE dp_Domains SET OAuth_Signing_Certificate_Thumbprint = '{thumbprint}' WHERE Domain_ID = 1

Additional Steps

Check MinistryPlatform

Launch the Portal and Core Tools to ensure everything is still fully functional.

Add a Calendar Reminder About Expiration

This is not a critical step, but we recommend you do it. Add one or more reminders to your calendar for 14, 30, and 60 days before your SSL Certification expires to remind you that it will expire soon. Don't get caught without a valid SSL Certification. Not only is it a PCI violation, but it is not fun to change a certificate under pressure.

If your SSL Certificate is expiring soon or has expired, you'll see a reminder on your Customer Portal Dashboard.

What would you like to know more about?