How to manually install an SSL certificate on SBS 2008

Having fun wrestling with SBS 2008’s “Connect to the Internet” and “Add a trusted Certificate” wizards?  Yeah, I thought so.

Here’s how to get around it:  Treat SBS 2008’s SSL management like you would any other Exchange 2007 box, and do it all from the shell.

Note: My walk-through is based on using GoDaddy for the UCC SSL cert, but this will work with just about any other SSL cert vendor, too.

Generate your SSL cert request

  • Open Exchange Management Shell as an administrator
  • Type or paste the following command changing the italic text to match your environment:

New-ExchangeCertificate -GenerateRequest -Path "D:\Shares\Install\SSL Cert\mail_ExternalDomainName_com.csr" -KeySize 1024 -SubjectName "c=US, s=Washington, l=Seattle, o=CompanyName, ou=CompanyName, cn=mail.ExternalDomainName.com" -DomainName autodiscover.ExternalDomainName.com, remote.ExternalDomainName.com, ServerPrivateName, ServerPrivateName.InternalDomainName.local -PrivateKeyExportable $True

  • This will cover the SBS default public host name (remote.ExternalDomainName.com), our standard public host name for mail servers (mail.ExternalDomainName.com), the Exchange AutoDiscovery host name (autodiscover.ExternalDomainName.com), the server’s NetBIOS name and the server’s local fully qualified domain name.
  • Go to the GoDaddy site.  Purchase the cert credits.  After domain ownership verification, download the cert bundle from GoDaddy and save it to the SSL certs folder where you saved the CSR.  Unzip the bundle and you’re ready to import and enable the cert.

Import the SSL cert

  • Open Exchange Management Shell as an administrator
  • Type or paste the following command changing the italic text to match your environment:

Import-ExchangeCertificate -Path "D:\Shares\Install\SSL Cert\mail_ExternalDomainName_com.crt" -FriendlyName "CompanyName UCC Cert"

  • Click on the icon in the upper left of the shell window, then click Edit > Mark
  • Highlight the Thumbprint that was displayed after Importing, then press Enter on your keyboard to copy it to the clipboard.  It will be pasted over the Thumbprint in the following command

Enable the SSL cert

  • Open Exchange Management Shell as an administrator
  • Type or paste the following command changing the italic text to match your environment:

Enable-ExchangeCertificate -Thumbprint 081C3BASDF998603ld110F245F3074CC3BB3BA2 -Services SMTP,IIS,POP,IMAP

Confirm the cert usage

  • Open Exchange Management Shell as an administrator
  • Type or paste the following command changing the italic text to match your environment:

Get-ExchangeCertificate -Thumbprint 081C3BASDF998603ld110F245F3074CC3BB3BA2

  • Check that “IP.WS” appears under Services.  Each letter stands for one enabled service (I = IMAP, P = POP, W = IIS, S = SMTP); if a letter is missing, that service is not being SSL protected by this cert.
  • Test Outlook Web Access, Remote Web Workplace and an Outlook 2007 client to ensure that the cert is working properly. 
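
The confirmation step above can also be scripted. The following is an added example, not part of the original walk-through: a hypothetical function, Test-CertCoverage, that checks a certificate object for the host names and services this procedure expects. It assumes PowerShell 2.0 or later for the constructed sample, the property names that Get-ExchangeCertificate | Format-List displays, and a 2048-bit minimum key size, which is not a value from this page.

```powershell
# Added example (not from the original walk-through). Property names are assumed
# to match what Get-ExchangeCertificate | Format-List shows for a certificate.
function Test-CertCoverage {
    param(
        $Cert,
        [string[]]$ExpectedNames,
        [string[]]$RequiredServices = @('SMTP', 'IIS', 'POP', 'IMAP'),
        [int]$MinKeySize = 2048,   # assumption, not a value from the walk-through
        [int]$WarnDays = 30        # assumption: renewal warning window
    )
    $findings = @()

    # -notcontains is case-insensitive, which suits DNS host names.
    $have = @($Cert.CertificateDomains | ForEach-Object { "$_" })
    foreach ($name in $ExpectedNames) {
        if ($have -notcontains $name) { $findings += "Missing name: $name" }
    }

    # Services is assumed to print as a comma-separated list such as "IMAP, POP, IIS, SMTP".
    $enabled = @("$($Cert.Services)".Split(',') | ForEach-Object { $_.Trim() })
    foreach ($svc in $RequiredServices) {
        if ($enabled -notcontains $svc) { $findings += "Service not enabled: $svc" }
    }

    if (-not $Cert.HasPrivateKey) { $findings += 'No private key present' }
    if ($Cert.PublicKeySize -lt $MinKeySize) {
        $findings += "Key size $($Cert.PublicKeySize) is below $MinKeySize"
    }
    $daysLeft = ([datetime]$Cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $WarnDays) { $findings += "Days until expiry: $daysLeft" }

    $findings   # empty output means every check passed
}

# Constructed sample standing in for the output of Get-ExchangeCertificate;
# IIS and the local FQDN are left out on purpose so the checks have something to report.
$sample = New-Object PSObject -Property @{
    CertificateDomains = @('mail.ExternalDomainName.com', 'autodiscover.ExternalDomainName.com',
                           'remote.ExternalDomainName.com', 'ServerPrivateName')
    Services           = 'IMAP, POP, SMTP'
    HasPrivateKey      = $true
    PublicKeySize      = 1024
    NotAfter           = (Get-Date).AddDays(365)
}
$expected = 'mail.ExternalDomainName.com', 'autodiscover.ExternalDomainName.com',
            'remote.ExternalDomainName.com', 'ServerPrivateName',
            'ServerPrivateName.InternalDomainName.local'
Test-CertCoverage -Cert $sample -ExpectedNames $expected
```

On the server, pass the real object in place of the sample by supplying the result of Get-ExchangeCertificate -Thumbprint for your own thumbprint as the -Cert argument.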

2 Responses to “How to manually install an SSL certificate on SBS 2008”

  1. your instructions are interesting to me, but I’ve got initial questions – when I make a UCC/SAN does the order I enter the different domain names matter? and I get confused by whether I’m protecting Mail or IIS (or both)?
    In my case, I bought a 3rd party cert. for sbs 2008. The server motherboard died 3 weeks later and I just rebuilt the server from scratch. Now I don’t have any CSR file and the wizards don’t work to install the cert back. Feel free to answer back! Jim Shimota

  2. Hi Jim:

    When creating a UCC SSL cert, the CN (Common Name) is the only part that is visible anywhere. This one comes first. The others can be in any order.

    In the scenario described above you would be using the cert to protect both mail and IIS. This is set during the Enable phase. You can set the cert to be enabled for any or all services, including IIS, IMAP, POP, SMTP and Unified Communications.

    In your case it sounds like you need to start from scratch and run through this article step-by-step.

    Good luck. Feel free to re-post to let us know how you’re doing with it.

    –Peter–
