Introducing the “Add a Trusted Certificate Wizard” in SBS 2008
[Today's post comes to us courtesy of Shawn Sullivan]
The purpose of the “Add a trusted certificate wizard” is to simplify the process of requesting and obtaining a trusted 3rd party SSL certificate for the SBS Web Applications website in IIS 7. This eliminates the need to use the native IIS 7 interface, which is more complicated and time consuming. However, this wizard only works with the SBS Web Application site. It does not submit or process certificate requests for any other website; in this case you must use the native IIS 7 console.
NOTE: The SBS Web Applications site contains all the Exchange virtual directories (AutoDiscover, OWA, Offline Address Book, ActiveSync, and Outlook Anywhere), Remote Web Workplace, and the configuration directory for the Vista client desktop gadget.
This wizard is used mainly to eliminate the need to distribute the SBS certificate installation package to your users; removing the certificate error prompts that users would otherwise receive when they do not trust the SBS 2008 server as a certificate authority. You must complete the Internet Address Management Wizard (IMAW) to configure your external domain name prior to running it.
You can access it in the Windows SBS Console under Getting Started Tasks on the Home tab. It’s also available when you click on your web server certificate under Network > Connectivity.
As is mentioned in the opening page, this wizard is run in two parts. If you have not created a certificate request, then the wizard will start there. If you have a pending request, the wizard will ask you to begin the import process.
Get the certificate
If you do not already have a valid trusted 3rd party certificate bound to IIS, you will be presented with the option to either buy one or to use one that is already installed in the certificate store on the system. For instance, you may have exported a trusted certificate from another server and want to install it on this machine.
If a valid 3rd party certificate is detected, you will have the option to either renew the certificate or replace it with a new one.
All the information need to generate the request is pulled from the current configuration of SBS, including the external domain name that you have configured in the IAMW. If any changes need to be made, do it on this screen before submitting the request to your certificate provider.
At this point, you can copy the request into the web page of the certificate service provider’s website of your choosing. You should also copy this text to a file as a backup. By default, it is saved as “SBSCertRequest.txt” in the My Documents directory.
A request is in progress
Once you have generated the request, you will have the option to close the wizard while you wait for the response, complete the process with the response, or to cancel the request and use the self-signed SBS certificate created by the IAMW. Depending on the certificate provider that you are using, you could receive an immediate response or it can take some time.
To complete the process, you can either paste in the encoded response text or browse to the selected certificate file that you have received from your certificate provider. The certificate will then be bound to the SBS Web Applications site.
Managing Web Server Certificates in SBS 2008: http://technet.microsoft.com/en-us/library/cc546068.aspx
Configuring Internet Server Certificates in IIS 7: http://technet.microsoft.com/en-us/library/cc731977.aspx
Certificate Use in Exchange Server 2007: http://technet.microsoft.com/en-us/library/bb851505.aspx