Share via


How to Manually Install Certificates in SBS 2008

[Today’s post comes to us courtesy of Mark Stanfill]

The SBS Add a Trusted Certificate wizard may fail to display a certificate that is correctly installed in the certificate store if the subject field of the certificate is missing. This happens because some third-party certificate authorities (CAs) issue certificates with a blank subject. The Subject Alternative Name field is used to designate the fully qualified domain name (FQDN) of the certificate instead. This article documents how to manually install these types of certificates.

The behavior that you will see is that the certificate will be correctly installed in the computer’s personal certificate store, but will not show up in the Add a Trusted Certificate Wizard. In the example screenshots below, the external URL being published is remote.contoso.com.

image

image

Workaround

To use the certificate, you will need to manually assign it to the web site in IIS.  The instructions below assume that the certificate Subject Alternative Name matches the Internet Domain Name on the Network\Connectivity tab of the Windows SBS Console.  If the name does not match, first run the Internet Address Management Wizard (IAMW) by clicking on the Set up your Internet address link in the console.  This will assign a self-signed certificate temporarily, but also makes other important configuration changes.

Use these steps to assign the certificate:

1. Log on to the SBS server as an administrator and launch the Internet Services Manager (IIS Manager) console.

2. Select the SBS SharePoint site and click on Bindings…

3. Select https and click Edit…

4. Select your certificate from the drop-down list under SSL certificate: .  Click View… to verify that the certificate is correct based on the Subject Alternative Name field, issuer, etc.

clip_image001

5. Repeat steps 2-4 for the SBS Web Applications SSL binding on port 443.

clip_image002

6. Obtain the thumbprint of the newly installed certificate by opening an elevated Exchange Management Shell prompt and typing the command Get-ExchangeCertificate.  The newly installed certificate should have no services assigned to it.  Verify the thumbprint value from Exchange Management Shell against the properties of the actual certificate.

clip_image003

 clip_image004

7. Copy the certificate thumbprint from step 6 and run the command

Enable-ExchangeCertificate -Thumbprint <THUMBRPINT> -Services "POP, IMAP, IIS, SMTP"

Where <THUMBRPINT> is the actual thumbprint.  When prompted to overwrite the existing services, answer A for all.

clip_image005

8. Verify the Terminal Services Gateway certificate settings.  Launch the TS Gateway Manager from START\All Programs\Administrative Tools\Terminal Services\TS Gateway Manager.  Right-click on the SBS server name and choose Properties.  On the SSL Certificate tab, click on Browse Certificates… and select the appropriate certificate.

clip_image006

Comments

  • Anonymous
    January 01, 2003
    Hi Mark VHB, To do this properly, you should run the IAMW again and choose a prefix such as mail or remote instead of local. Then register your records under the companyname.be zone.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    December 14, 2009
    Thanks Mark! You rock once again. :-) Steve

  • Anonymous
    December 15, 2009
    Do you know of a way of changing the CN on before issuing? as during the mirgration from 2003 to 2008 we are now left with mail.domain.com.au & remote.domain.com.au. this means my mobile device will not communicate with the server as the server is sending out remote.domain.com.au and the certificate is issued as mail.domain.com.au....

  • Anonymous
    January 05, 2010
    I can't get the right certificate to be used for IMAP and POP3... The certificate was normally available in the certificate wizard, but I enabled IMAP+POP3 after running that wizard. It always comes with a certificate signed by the <company>-<server>-CA Output of Enable-ExchangeCertificate : [PS] C:WindowsSystem32>Enable-ExchangeCertificate -Thumbprint A8AFA66409E84FC 977E13F31DA4C865B94E7F86 -Services "POP, IMAP, IIS, SMTP" WARNING: This certificate will not be used for external TLS connections with an FQDN of 'remote.domain.com' because the CA-signed certificate with thumbprint 'D02EFE51B7A2AE52DC0EC8D398782212D4454F88' takes precedence. The following connectors match that FQDN: Windows SBS Internet Receive SBS. Confirm Overwrite existing default SMTP certificate, 'D02EFE51B7A2AE52DC0EC8D398782212D4454F88' (expires 1/5/2012 11:16:03 PM), with certificate 'A8AFA66409E84FC7977E13F31DA4C865B94E7F86' (expires 3/5/2012 12:59:59 AM)? [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help Thumbprint                                Services   Subject ----------                                --------   ------- D02EFE51B7A2AE52DC0EC8D398782212D4454F88  IP..S      CN=remote.domain.com 1F08FB4FFF4BC9F1C83A991E1B006AC19502AB98  .....      CN=WMSvc-WIN-89FFDODTUY0 F2334F168571E4BB1EEEBFE36C01FD6178301D4C  ....S      CN=SBS.domain.local 4E4B32683943603B2B0D30F7ADA72D54DF81227D  ....S      CN=Sites 07298E0B98C552E82FCA2A3E313FAFFFA990ADAB  .....      CN=domain-SBS-CA A8AFA66409E84FC7977E13F31DA4C865B94E7F86  IP.WS      CN=remote.domain.com,... What am I doing wrong here ? Note that the last Thumbprint is my bought certificate, signed by Thawte.

  • Anonymous
    January 06, 2010
    The comment has been removed

  • Anonymous
    December 02, 2015
    The comment has been removed