Issue:
You want to get rid of the self-signed certificates that ship with SBS 2008 and use commercial SSL certificates that chain to a trusted root.
Process:
1. You buy an SSL certificate (or renew an existing one on the vendor web site). This sale usually has nothing to do with the actual technical part of the process. It usually increments from 0 to 1 the number of certificates available to generate in some management console on the vendor web site. What you have bought is the ability to add a "browser lock" for a certain term/number of years.
2. You generate a Certificate Signing Request (CSR) on your server. This creates a text file in a certain format.
3. You then paste the contents of the text file (or alternately upload the text file) on the SSL vendor's web site and use up the one certificate you just bought/renewed. This typically produces a ZIP (compressed) file containing the "keyring" files of your SSL certificate.
4. You install your keyring files and any parent certificates (often needed) into your server.
5. You test your software.
Notes:
These technical notes cover the server part of the process for an SBS 2008 server.
SBS requires a multiple-name certificate (one with Subject Alternative Names) rather than a single-name SSL certificate.
You typically need a 3-name one:
www.mydomain.com
remote.mydomain.com
autodiscover.mydomain.com
(Another reason why Domino is cheaper in the long run - You only need a single name for all services.)
When filling in your CSR, spell out the state name, e.g. "North Carolina", not "NC".
A. Generate the CSR:
1. Run the Add a Trusted Certificate wizard to generate a Certificate Signing Request (CSR). This request is then typically pasted or uploaded into the SSL vendor's web site.
Start the Windows SBS Console --> Network tab --> Connectivity tab --> Add a Trusted Certificate task under connectivity.
2. Click Next on the starting screen. Choose option: I want to buy a certificate from a certificate provider. Click Next.
Note: If renewing with the same SSL vendor as last time, select the option: I want to renew my current trusted certificate with the same provider instead.
3. Verify your certificate information is correct for your domain and location information.
For example for Mindwatering it may be:
Mindwatering Inc
www.mindwatering.com
Wake Forest
North Carolina
Click Next.
4. The next screen shows your request in the small window in the middle. Click the Copy button to copy the request to your clipboard so you can paste it into the SSL vendor's web site. Before you click Next, also click the Save to file option and save it, too. You do this so you don't have to issue a new request if the copy didn't work; you can simply open the file and copy and paste from there.
5. Since we obviously don't have the certs back from the SSL vendor yet, close the dialog.
CRITICAL:
Do not go back and click Next again, as that will generate another request with a different unique "encoded string" (each request is bound to a new private key). If you do so by accident, and you have already submitted the request to your vendor, you have just invalidated it. The file you download won't work and you'll have to start over on the vendor web site. (Hopefully your vendor is a nice one and allows multiple CSR requests for the term you bought.)
If you accidentally did this, the best thing to do is close the wizard, remove the request(s) you submitted, and start over.
6. If you have the SSL vendor's site up in your web browser, then paste the encoded string into their request page. (This is slightly differently done with each vendor, but the tasks are basically the same.) If not, it's time to get the vendor's page up and submit the request on their management site.
7. Typically the SSL vendor will customize the download file for your type of server. Choose the Microsoft IIS option.
B. Install the SSL Certs w/in the ZIP file:
1. Submitting the request on the SSL vendor's web site produces the ability to download a collection of files within a ZIP file. Alternately, they might be e-mailed to you. So, download or save the ZIP file and note where you parked it (saved the file on your current machine).
2. Right-click and extract the ZIP file's contents. The default is into a new folder in the current one.
3. Most likely you need to install updated intermediate certificates. Follow these instructions to install them:
- Select Run from the Start menu. In the box, type mmc and press Enter to start the Microsoft Management Console (MMC).
- If prompted, click Agree to the UAC prompt.
- In the MMC, select File --> Add/Remove Snap-in.
- In the Add Standalone Snap-in dialog, choose Certificates. Click Add.
- Choose Computer Account. Click Next. Click Finish.
- Close the Add Standalone Snap-in dialog. Click OK on the Add/Remove Snap-in dialog.
- Back at the main MMC window, now displaying the Computer account, expand (+ icon) the Certificates folder to view the Intermediate Certification Authorities folder.
- Right-click the Intermediate Certification Authorities folder. Choose All Tasks. Click Import.
- Follow the wizard prompts to complete the installation of the intermediate certificates. When it's time to navigate to the file, click the Browse button and locate the extracted ZIP folder.
Note: You likely will have to change the certificate file type filter at the bottom right to see your intermediate certs.
- Choose Place all certificates in the following store and Browse to locate Intermediate Certification Authorities. Click Next when finally done placing the certs in the correct hierarchy.
- Click Finish.
4. Back in the SBS console (see step 1 in part A above), re-launch the Add a Trusted Certificate wizard.
5. Click Next on the starting screen. This time choose the option: I have a certificate from my certificate provider. Click Next.
6. Click Browse to browse to the certificate files (not the intermediate ones) and select the domain you bought.
(For this example, www.mindwatering.com.)
7. Back in the wizard, click Next.
8. Click Finished.
9. Now we have to tell the appropriate web site(s) to use the newly installed cert rather than the old one. Run the Add a Trusted Certificate wizard one last time.
10. Click Next on the starting screen. This time choose the option: I want to replace the existing certificate with a new one. Click Next.
C. Test access in OWA (Outlook Web Access), Terminal Services, and RWW (Remote Web Workplace).
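Before the browser tests, a scripted check of the certificate store catches the three failure modes this note warns about: a cert with no bound private key (the CSR was regenerated after submission), a missing intermediate (the chain does not build), and a cert that does not carry all three SBS names. This is an added example, not part of the original note; it assumes the placeholder names from the Notes section above and runs in an elevated PowerShell prompt on the SBS box.

```powershell
# Added check (not from the original note): inspect Local Computer \ Personal
# for the commercial certificate before pointing the web sites at it.
# Assumption: the three host names are placeholders; substitute your own domain.
$RequiredNames = @('www.mydomain.com', 'remote.mydomain.com', 'autodiscover.mydomain.com')

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CryptoAPI formats the SAN extension (OID 2.5.29.17) as
    # "DNS Name=a.example, DNS Name=b.example"; pull the names out of that text.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    return [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-SbsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string[]]$Names)
    $problems = @()
    # 1. Private key must be bound; it is not if the wizard was re-run after the CSR went out.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key bound (was the CSR regenerated?)' }
    # 2. Validity window.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += "not valid at $now" }
    # 3. Every SBS name must appear in the SAN list.
    $san = Get-SanDnsNames $Cert
    foreach ($n in $Names) { if ($san -notcontains $n) { $problems += "SAN missing $n" } }
    # 4. Chain must build to a trusted root; PartialChain means the vendor's
    #    intermediate from the ZIP was not imported into Intermediate Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { "chain: $($_.Status) - $($_.StatusInformation.Trim())" })
    }
    return $problems
}

# Report on every Personal-store certificate that carries the primary name.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-SanDnsNames $_) -contains $RequiredNames[0] } |
    ForEach-Object {
        $p = Test-SbsCertificate -Cert $_ -Names $RequiredNames
        '{0}  {1}  expires {2:yyyy-MM-dd}' -f $_.Thumbprint, $_.Subject, $_.NotAfter
        if ($p.Count -eq 0) { '  OK: private key present, all names covered, chain trusted' }
        else { $p | ForEach-Object { "  PROBLEM: $_" } }
    }
```

If two certificates are listed (the old self-signed one and the new commercial one), the thumbprint of the one reporting OK is the one the wizard in Part B step 9 should be switching the sites to.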