The Windows Server Essentials and Small Business Server Blog

11

How to Install a Public 3rd Party SSL Certificate on IIS on SBS 2003

SBS Bloggers 21 Aug 2007 6:00 AM

[Today's post comes to us courtesy of James Frederickson, Damian Leibaschoff, and Justin Crosby]

Today we will discuss one method for installing a public certificate on your SBS 2003 Server. This post describes how to request and install the certificate into IIS. A future post will cover scenarios with ISA. Since there can be some delay with third party certificate authorities issuing your new certificate and you should not run OWA, RWW, etc without SSL, we suggest that you create a temporary web site for the certificate request as demonstrated below. Since we are using a temporary site we will not be using the CEICW for this process.

Create a temporary site under web sites for your certificate request

1. Select the Internet Information Service console within the Administrative Tools menu.2. Select the Web Sites.3. Right mouse-click and select New Web Site. 4. For the Web Site Description choose the site name you are going to use for your Certificate Signing Request (CSR)

i.e. mail.contoso.com

The official blog for Windows Server Essentials and Small Business Server support and product group communications.

All About Windows Server

System Center Virtualization VDI & Remote Desktop Services

File & Storage & High Availability

Management Identity & Access Other Windows Server Technology

The Windows Server Essentials and Small Business Server Blog

Page 1 of 13How to Install a Public 3rd Party SSL Certificate on IIS on SBS 2003 - The Windows Ser...

11/21/2012http://blogs.technet.com/b/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-c...

5. Select a Host Header value for this Web site that does not conflict with existing sites.

6. Choose a path of C:\Inetpub\wwwroot with read permissions.

7. Finish

Create a Certificate Signing Request (CSR)

1. Select the Internet Information Service console within the Administrative Tools menu. 2. Select the new temporary Web site (host) for which the CSR will be requested from. 3. Right mouse-click and select Properties.



4. Select the Directory Security tab.

5. Select the Server Certificate option. 6. The Welcome to the Web Server Certificate Wizard windows opens. 7. Select Create a new certificate.

8. Select Prepare the request now, but send it later.



9. On the Name and Security Settings page select the CSR name i.e. mail.contoso.com.

10. Enter your Organization and Organizational Unit names.

11. Enter your CSR name



12. Enter your geographical information.

13. Write down the File name and path to your certreq.txt

14. Verify on the Request File Summary page everything is correct.

15. Click Finish.

Entering CSR data to request your Certificate

1. Log into your account from where you are going to purchase your Certificate and Enter the CSR Data to create a Certificate request.



2. Not all certificate vendors require an intermediate p7b certificate, be sure to check with your vendor before you start this process to be sure.

3. They will send you an e-mail message that allows you to download the signed certificate and their intermediate certificate bundle. Once your SSL certificate has been signed and issued the “gd_iis_intermediates.p7b” (nor all Certificate vendors require a p7b) and “mail.contoso.com.crt” both of which must be installed on your Server.

Installing SSL Certificate and the Intermediate Certificate Bundle (Optional)

Some Certificate Authorities require that you install an Intermediate certificate on your server. If your CA does not require this please continue onto the next section (Installing the SSL Certificate into IIS). If your CA does require an Intermediate certificate you must download and install this CA's intermediate certificate bundle (gd_iis_intermediates.p7b) on your Web server before installing your certificate.

Once you have downloaded and saved the certificate bundle, please follow the instructions below to install it:

1. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).2. In the Management Console, select File; then "Add/Remove Snap In."3. In the Add/Remove Snap-In dialog, select Add.4. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.



5. Choose Computer Account; then click Next and Finish.

6. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.

7. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.

8. Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import. Follow the wizard prompts to complete the installation procedure.



9. Click Browse to locate the certificate file (gd_iis_intermediates.p7b).

10. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification

Authorities. Click Next.11. Click Finish.

Installing the SSL Certificate into IIS

1. Select the Internet Information Service console within the Administrative Tools menu. 2. Select the Web site (host) for which the certificate was made. 3. Right mouse-click and select Properties. 4. Select the Directory Security tab.



5. Select the Server Certificate option. 6. The Welcome to the Web Server Certificate Wizard windows opens. Click OK. 7. Select Process the pending request and install the certificate. Click Next.



8. Enter the location for the certificate file at the Process a Pending Request window. The file extension may be .txt or .crt instead of .cer (search for files of type all files).

9. When the correct certificate file is selected, click Next.

10. Verify the Certificate Summary to make sure all information is accurate. Click Next. 11. Select Finish.

Transferring the SSL Certificate to the Default Web Site

1. Select the Internet Information Service console within the Administrative Tools menu. 2. Select the Default Web site. 3. Right mouse-click and select Properties. 4. Select the Directory Security tab. 5. Select the Server Certificate

Page 10 of 13How to Install a Public 3rd Party SSL Certificate on IIS on SBS 2003 - The Windows ...


6. Select Replace the current certificate. Click Next.

7. Choose the new Certificate that was just installed on the Temporary site.

8. Verify the Certificate Summary to make sure all information is accurate. Click Next.

9. Select Finish.

Verify the Certificate is installed properly

1. Select the Internet Information Service console within the Administrative Tools menu. 2. Select the Default Web site.



3. Right mouse-click and select Properties. 4. Select the Directory Security tab. 5. Select the Select the Internet Information Service console within the Administrative Tools menu. 6. Select the Default Web site. 7. Right mouse-click and select Properties. 8. Select the Directory Security tab. 9. Select the View Certificate be sure that You have a private key that corresponds to this certificate.

10. Once you have verified that the certificate is installed you can delete the temporary web site created in the first section of this document.

This completes the process. This process is designed for servers without ISA. We are working on a follow-up post that will cover moving the certificate from IIS to ISA.

0

Comments

E-Bitz - SBS MVP the Official Blog of the SBS "Diva"22 Aug 2007 11:53 AM

Today's SBS blog post brought to you by James Frederickson, Damian Leibaschoff, and Justin Crosby

Jeff Dempsey22 Aug 2007 1:50 PM

For ISA, check out my procedure...

http://abc-solutions.org/Documents/How%20to%20install%20a%20cheap%20GoDaddy%20certificate.pdf

It can be used with other certificates, but I used GoDaddy because for $20/year, it's hard to beat that deal. It works, I sell this service, and it takes about an hour, if you have the e-mail for the domain technical contact (the whois one, not the SBS one).

Thanks for the standard one. I had (in mind) how to do it, but hadn't put it to paper (or pixels) yet.

Jeff

Chris Lehr23 Aug 2007 12:52 AM

Should really post that the p7b is a godaddy specific fix for proper SSL chaining

Jeff Dempsey24 Aug 2007 8:42 PM

Hi there,

Like 0



I published a procedure that does the ISA cert install last year, and so far, it is pretty successful. Feel free to use that as a start for your procedure!

Jeff

http://abc-solutions.org/Documents/How%20to%20install%20a%20cheap%20GoDaddy%20certificate.pdf

I know it says GoDaddy, but it can be used with other certificates. GoDaddy is cheap, though.

E-Bitz - SBS MVP the Official Blog of the SBS "Diva"14 Oct 2007 10:20 PM

Fasten your seatbelts. You need a third party Godaddy cert as the built in self signed cert won't

E-Bitz - SBS MVP the Official Blog of the SBS "Diva"4 Nov 2007 11:43 PM

http://blogs.technet.com/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on

MVPs5 Nov 2007 12:05 AM

http://blogs.technet.com/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on

E-Bitz - SBS MVP the Official Blog of the SBS "Diva"15 Dec 2007 12:11 AM

It all started when we needed to make a name change on the DSL account.. but you see.. we can't do

MVPs15 Dec 2007 12:36 AM

It all started when we needed to make a name change on the DSL account.. but you see.. we can't do

The Official Blog of the SBS "Diva"8 Feb 2008 10:26 AM

http://msmvps.com/blogs/bradley/archive/2008/02/08/double-check-those-ip-addressses.aspx When I was doing

MVPs8 Feb 2008 10:48 AM

http://msmvps.com/blogs/bradley/archive/2008/02/08/double-check-those-ip-addressses.aspx When I was doing

