Renew your SSL Certificate : SBS 2011 Essentials

sbse-conIt has been a year since i first went through the process of installing a Third Party SSL certificate onto my SBS Essentials server.

I going through the renewal process, so i thought it might be an idea to document and blog it in case anyone else is also doing this.

SSL Certificates and renewals, are one of the topics i am asked about most frequently. They do seem to cause a lot of concern and, because the task is carried out rarely, people do seem to get rusty.

  1. First thing to remember, is that it really is not a difficult process.
  2. Second, it is easy to fix any mistakes you make, so don’t worry about it.
  3. Third, the only thing you need to remember, is don’t make a mistake when you spell the Common Name (CN) as that can be difficult to fix.

The first thing that i did was receive an email from my SSL provider, telling me my certificate was due for renewal. I ignored this, and then received another today telling me it had been auto-renewed and thanks very much for the $20.00 i just spent. (imagine me making  a Muttley type noise here)

To go ahead and renew your SSL we need to first produce a CSR request file, and submit it to our CA.

CSR = Certificate Signing Request (a text file)

CA = Certificate Authority (Verisign, GoDaddy, RapidSSL)

We can create the CSR on any server, but with the introduction of IIS7 it became a lot easier to do the process on the same server that already holds your certificate. In IIS6 we would generally create a dummy website to do the CSR request and install process.

On our SBS Server, open up IIS Manager.

1

Select your Server Name, and then find Server Certificates.

2

Inside Server Certificates you will see all of the currently installed certificates you have.

In the top right you can click to Create Certificate Request.

2a

Fill out the information requested, taking care to get the Common Name correct.

4

On the next page change the Bit Length to 2048.

5

Then browse to a path on the server to save your request file.

6

When you have saved your Request file, you are returned back to the IIS Manager.

The content of your CSR will look similar to this.

7

Next we need to submit our CSR to the CA.

8

The process will vary from CA to CA, however i am using Enom which is where i purchased my certificate.

Copy and paste the content of your CSR EXACTLY as is, some CA’s may simply allow you to browse for the file and read it in for you.

When you submit the file, you should be prompted to confirm the Common Name and any other details.

An email or other authentication method is also used to verify ownership of the domain in question. You often do not have a choice over the email address which will be chosen.

When you receive the email, you have the choice to approve or reject the request.

9

10

Other methods exist for verification, when i purchased a certificate from GeoTrust once i have a phone call that recorded my voice, with some CA’s i have had to create DNS records or add HTML files to a website.

All of these steps go some way to prove you are indeed in control over the domain you want to secure with SSL.

After you have passed verification you will be sent further instructions from your CA about how to retrieve your certificate.

At this point the file, or key, the CA sends you is only one half of the certificate, and you need to complete the process in IIS to actually create the certificate before it can be used.

In my case i am sent an email containing the response text which i copy and paste into Notepad, and save.

11

12

Switching back to IIS, i can chose to Complete Certificate Request.

2b

I can browse to my file, and select it, and enter a friendly name so i can find it easily in the list of other certificates.

15

Your certificate should then be installed into IIS. Now we can assign it to our website.

16

Expand sites, and expand Default Web Site.

Select the Default Web Site, and on the right hand side, chose Bindings.

17

17a

In Bindings, select the listed item with the port number of 443, then click Edit. You can click View, to see the current certificate, or use the drop down menu to find another certificate.

18

You should see your ‘friendly name’ listed, select it. You can then chose to View the certificate if you want, or just click ok to bind it to the website.

19

You can then switch to an external client and verify the new SSL shows when you connect.

21

If you are using Microsoft’s free ‘remotewebaccess.com’ domain you will not need to renew your certificate as this comes with a free 5 year certificate from GoDaddy.

About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

5 Responses to Renew your SSL Certificate : SBS 2011 Essentials

  1. Gregory Baker says:

    If you do this manually through IIS, your RD gateway will still be using the old certificate, will it not? Shame there is no wizard like the one in full SBS.

  2. Matt Sl says:

    I followed your instructions, it worked great. I did get an error about the RD Gateway, but a repair from the alerts page fixed it.

  3. Thanks for these great instructions. I switched an SBS 2011 Std server from an expired self-signed to a trusted CA cert using these instructions and it worked perfectly for RDP access. I didn’t get the error about the RD gateway that the other two gents mention, so I’m guessing you’ve already updated this?

    Question: My CA provided me with intermediate and root ca’s as well. I haven’t installed them anywhere and things seem to work just fine. Should I install either of these?

    • I don’t really bother with the intermediates, and have not hit issues. You will usually run into issues at the time of installation if you are going to.

      Having said that, I don’t think it will hurt to install the intermediates.

Leave a reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 414 other followers

%d bloggers like this: