How To Use SSL Certificates with SBS 2003

During a demo of Microsoft Small Business Server 2003 to a client recently, I was demonstrating the Remote Web Workplace (RWW) and Outlook Web Access (OWA) features. These are always a great selling point to anyone who is considering a server solution.

Browsing to – Internet Explorer naturally flashed up a screen to say “The security certificate presented by this web-site was not issued by a trusted certificate authority” – which is, of course, a correct statement when your server is using a self-signed certificate (as my server was). I clicked Continue, as I always do, and was about to demonstrate the excellent features of RWW when the client asked the question

“Why did that error pop-up?”

My usual response is “It’s nothing to worry about” but it did get me thinking. We are always trying to educate users not to click through warnings, especially on web-sites, without questioning why those warnings are there. The fact my own SBS server gives these warnings isn’t a great demonstration of security! So how to avoid this error?

Asking a few other SMB Consultants how they would tackle this issue produced a variety of answers, none of which were altogether conclusive. So here’s my attempt at explaining how to use SSL certificates with SBS 2003!

What are Trusted Certificates?

First, a crash-course in Trusted Certificates as they are used within SBS 2003. When you visit a secure (https) web-site, your web browser (in this case Internet Explorer) checks the certificate presented by that web-site against a list of Certificate Authorities (CAs) it knows it can trust, such as GeoTrust, GlobalSign and VeriSign. These are known as “Root Authorities”, and the list of them that Internet Explorer trusts is regularly updated by Microsoft.

So when you receive the error “The security certificate presented by this web-site was not issued by a trusted certificate authority” it simply means Internet Explorer cannot verify that the certificate presented by the web-site you are visiting was issued by a CA it trusts.

So the simple solution to this problem is to get yourself a Certificate issued by a CA that IS trusted by Internet Explorer! Unfortunately, most of the big CAs charge a small fortune (£100+/year) for such Certificates. For an SMB Consultant rolling out a dozen or more new SBS 2003 solutions per year, that’s going to be a nasty additional cost.

Using GoDaddy for Cheap SSL Certificates

Is there a cheaper alternative? Yes! Get yourself over to www.godaddy.com and buy one of their Turbo SSL Certificates at $34 (about £17) per year. Use the discount code “dl.tv” or “YESSSL” for a further 10% off. GoDaddy SSL Certificates are issued by ValiCert, which is a trusted Root Authority.

Before you begin to create a new SSL certificate from GoDaddy, you need to do two things:

  1. Decide the site’s Common Name (i.e. remote.joebloggs.com) – this is the address that users will type in (https://<yourcommonname>/rww) and the address your certificate will be bound to.
  2. Make sure that the Administrative Contact for that domain (i.e. joebloggs.com) has a proper e-mail address that you can access. GoDaddy will send confirmations to this address and you’ll need to respond to it to proceed. You can usually check this information through a WHOIS lookup, or by contacting the ISP you registered the domain with.

When you go through the process of creating your GoDaddy SSL certificate, you’ll be asked to provide a Certificate Signing Request (CSR). This is a block of text, generated on your server, that tells the CA what details to put into the new Certificate (the matching private key stays on the server, which is why the request has to be generated there). To create a CSR from your SBS 2003 server:-

  1. On your SBS 2003 server, open Server Management.
  2. Open Advanced Management > Internet Information Services > [your server] > Web-Sites > Default Web-Site.
  3. Right-Click Default Web-Site and select Properties.
  4. Open the Directory Security tab and select Server Certificate.
  5. Click Next and select “Remove the Current Certificate”. Follow the prompts to remove the certificate.
  6. Go back into the Server Certificate option and select “Create a New Certificate”.
  7. Select “Prepare the Request Now, but send it later” and click Next.
  8. Enter your Organization name (your Company name) and Organizational Unit. Make sure this is accurate, because, however unlikely, you may be quizzed on it by the CA later!
  9. Enter the site’s Common Name. It’s very important you get this right! This entry should be your site’s externally accessible name (i.e. remote.joebloggs.com – without the https://) and not your server’s internal name! Choose carefully here: if you change your site’s name in the future, the certificate you have bought may not work with the new name!
  10. Click Next and fill in the required Geographic Information.
  11. Finally, save the request to a file in a location of your choice.

Once the CSR is created, you can open the file within Notepad and copy the information to your clipboard – ready to paste into GoDaddy’s Certificate Generation screen.

Download and Install the Certificate

GoDaddy will send you a variety of e-mails including an important one to the Administrative contact of the domain you are using. You’ll need to reply to this e-mail to confirm you are the owner of this domain, to enable the Certificate request to proceed.

Within a few minutes and a few e-mail responses, you should be able to download your new SSL certificate from GoDaddy’s web-site! Save this to your server.

Now we have the certificate, we will need to apply it to your server:-

  1. Open the Server Management console.
  2. Click Internet and E-mail.
  3. Click Connect to the Internet. The Configure E-mail and Internet Connection Wizard starts.
  4. On the Welcome page, click Next.
  5. On the Connection Type page, click Do not change connection type, and then click Next.
  6. On the Firewall page, click Do not change firewall configuration, and then click Next.
  7. On the Web Server Certificate page, click Use a Web server certificate from a trusted authority, and then click Browse.
  8. You’ll see that the type of certificate SBS is looking for is .cer, and your GoDaddy certificate may be named something different. In my case, I changed the drop-down list to show “All Files” and the certificate worked anyway! You may need to use Internet Explorer to import the GoDaddy Certificate and then export it as a .cer file – but try it and see!
  9. Navigate to and double-click the certificate file provided by GoDaddy, and then click Next.
  10. On the Internet E-mail page, click Do not change Internet e-mail configuration, and then click Next.
  11. On the Completing the Configure E-mail and Internet Connection Wizard page, click Finish.

Hopefully we’re all done!

Testing the Certificate

Open Internet Explorer and browse to the external address – i.e. and with any luck you shouldn’t get any sort of Internet Explorer Certificate warning, and you’ll be good to go! If you’re an SMB Consultant, next time you demo SBS 2003 to a client you won’t have to gloss over any of those error messages!

One thing to remember is that this Certificate verifies the identity of the server externally. If you accessed the server internally – i.e. https://yourserver/remote – you’d still get a warning message that the Certificate doesn’t match the actual server name.

There is a way around this, using a Certificate option known as “Subject Alternative Name” (SAN). Using this option you can give your Certificate both an internal and an external address to use. The catch? Price – you’ll usually find these types of certificates are much more expensive.
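To make the three checks behind these warnings concrete, here is an added example (not code from the original post) that models what Internet Explorer does with a certificate: is the issuer a trusted Root Authority, does the name match the site being visited (SAN entries first, Common Name only as a fallback), and is it within its validity dates. The certificates, the trusted-root list and the dates are constructed stand-ins, not real X.509 data; “yourserver” and remote.joebloggs.com are the names used in the post.

```python
from datetime import date

# Constructed stand-in for the browser's list of trusted Root Authorities
# (Internet Explorer keeps the real list up to date via Microsoft).
TRUSTED_ROOTS = {"ValiCert", "GlobalSign", "GeoTrust", "VeriSign"}
TODAY = date(2007, 9, 27)  # constructed "current date" for the validity check

def dns_name_matches(pattern, host):
    """Case-insensitive DNS-name match. A '*' is allowed only as the whole
    leftmost label, so *.joebloggs.com matches remote.joebloggs.com but
    not joebloggs.com and not a.b.joebloggs.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        host_labels = host.split(".")
        return len(host_labels) > 1 and ".".join(host_labels[1:]) == pattern[2:]
    return False

def name_matches(cert, host):
    """Subject Alternative Names take precedence; the Common Name is only
    consulted when the certificate carries no SAN entries."""
    names = cert["san"] or [cert["cn"]]
    return any(dns_name_matches(n, host) for n in names)

def certificate_warnings(cert, host, today=TODAY):
    """Return the warnings a browser would raise for `cert` at `host`."""
    warnings = []
    if cert["issuer"] not in TRUSTED_ROOTS:
        warnings.append("not issued by a trusted certificate authority")
    if not name_matches(cert, host):
        warnings.append("certificate name does not match the site name")
    if not cert["not_before"] <= today <= cert["not_after"]:
        warnings.append("certificate is expired or not yet valid")
    return warnings

# Constructed sample certificates mirroring the post's scenarios.
SELF_SIGNED = {"cn": "yourserver", "san": [], "issuer": "yourserver",
               "not_before": date(2007, 1, 1), "not_after": date(2012, 1, 1)}
GODADDY_CN_ONLY = {"cn": "remote.joebloggs.com", "san": [], "issuer": "ValiCert",
                   "not_before": date(2007, 9, 1), "not_after": date(2008, 9, 1)}
SAN_CERT = dict(GODADDY_CN_ONLY, san=["remote.joebloggs.com", "yourserver"])

if __name__ == "__main__":
    for label, cert, host in [("self-signed, external", SELF_SIGNED, "remote.joebloggs.com"),
                              ("GoDaddy CN-only, external", GODADDY_CN_ONLY, "remote.joebloggs.com"),
                              ("GoDaddy CN-only, internal", GODADDY_CN_ONLY, "yourserver"),
                              ("SAN, internal", SAN_CERT, "yourserver")]:
        print(f"{label}: {certificate_warnings(cert, host) or 'no warnings'}")
```

The third case is the internal-access warning described above (a CN-only certificate for the external name visited as https://yourserver/remote), and the fourth shows a SAN certificate clearing it.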

If you’re still interested in using SAN – go take a look at the options at Globalsign. The company comes highly recommended – it’s owned by my Cousin Steven and he kindly helped me research the various options! 🙂

Another upside of using a 3rd Party Certificate is that if you own a Mobile device with an “always on” Internet connection, you can set it to synchronise with your Exchange Server and also push e-mails from Exchange directly to your device. I’ll document how I set that up next time!

Conclusion

I hope you find the above information useful and it saves you some time drawing together the various snippets of information you’ll find elsewhere on the ‘net. If you’ve got anything to add or any corrections for me, do leave a comment!

 

photo credit: Darwin Bell via photopin cc

Comments

  • Richard Tubb, 2013-02-28 09:45:00

    Awesome! Thanks for sharing that Mark, appreciate it!

  • Mark Poulding, 2013-02-28 09:36:57

    Just thought I would share a tip I found with renewing SSL Certificates, especially on the older IIS 6. When you start the process of purchasing a new SSL certificate your OWA or ActiveSync will stop working because there is no SSL Certificate assigned to it... (I know we have had this problem mate). If you do the process of the above on another website, i.e. (companyweb or SharePoint or even the WSUS), and when it is complete go back to your Default website, remove the SSL certificate and then Assign an existing one, where you will see the new certificate. This process will work with IIS7 and the newer OS, except IIS7 has a dedicated area for SSL certificates and you do not need to apply to an existing site.

  • tubblog, 2011-07-02 12:05:01

    Thanks for the kind words - appreciated!

  • PlanIT Computing, 2011-07-01 22:57:31

    Excellent guide, clear and in depth.

  • Tubblog at 500 – Tips on Blogging Longevity « TubbBlog, 2011-02-28 08:59:38

    [...] nobody read at the time suddenly find a new audience as time goes on. The blog post I wrote about “Using SSL Certificates with SBS 2003” hardly got any visits when I first wrote it, but is now in my top five visited articles each week. [...]

  • I got “Freshly Pressed”! « TubbBlog, 2011-02-04 08:52:09

    [...] which articles stand the test of time. For instance, I can tell you that my blog post from 2007 “Using SSL Certificates with SBS 2003” is still regularly visited almost 4 years [...]

  • Richard, 2010-05-07 15:03:26

    Guy - thanks for sharing, 123-reg are a good company to deal with!

  • Guy, 2010-05-07 12:01:23

    If you're looking for a UK alternative to GoDaddy, 123-reg now offer SSL certs from £14.99/year.

  • Richard, 2010-02-17 13:58:41

    My main man Paul Dadge has mentioned that the code dl.tv no longer works with GoDaddy. However, the code PROMOSSL gives an SSL Certificate for $12.99 as opposed to $29.99 - thanks Dadger! :-)

  • Richard, 2009-11-16 07:11:17

    Pēteris - thanks for the link. I'm not aware of StartSSL - but we'll certainly take a look at it. Anybody else had any experience using this company?

  • Pēteris, 2009-11-15 08:22:47

    Actually http://www.startssl.com can provide certificates free of charge. Same instructions as above.

  • Warrick, 2009-10-02 15:38:57

    Thanks very much, your help was much appreciated... @wogsman

  • absolutforyou, 2008-01-22 14:10:09

    Thanks for these tips.

  • Rob, 2007-10-14 00:14:33

    Hi. Good info thanks. If anyone is interested I have internal and external SSL access enabled using the GoDaddy cheapy cert. I just added a reverse DNS lookup for the external domain name to resolve to the internal IP address of the server. That way the domain 'domain.com' resolves internally and allows the cert to function. This also works for OMA through ActiveSync over SSL.

  • Richard, 2007-09-27 15:47:24

    Hi Nick - I'd be happy to hear from anyone else who has experience working with SAN certificates, but my understanding is that a SAN Certificate can allow you to refer to a web-site as two (or more, depending on the certificate type) locations. So in your case, and would both be accessible. If you need more advice on CRM, then Julian Sharp at Vigence (http://www.vigence.com) comes recommended.

  • Nick, 2007-09-27 13:26:38

    Hi, would SAN allow us to use CRM on SBS2003? At the moment we have a self-assigned certificate to allow us to use Outlook over HTTP externally and it works great. However if we want to use CRM the only way we can seem to get it to work is by using a certificate for servername.local which then breaks Outlook over HTTP. Regards, Nick

  • Andy, 2007-08-23 12:53:51

    Thanks for this - we were discussing the certificate process at work yesterday. Didn't know about the SAN option - that's handy. As for certificates, I used to use Network Solutions at $100 for a year - about 3 times cheaper than VeriSign - but GoDaddy is about $18 now, or you can get a free SSL from StartCom at http://cert.startcom.org/
