Solved

Need to replace an SSL certificate on Essentials Business Server 2008

Posted on 2010-09-02
Last Modified: 2012-05-10
Hi,
I need to replace the self assigned SSL certificate on an Essentials Business Server 2008 environment. I am unsure where the SSL was applied since all this was done during the setup wizard. I know there is an update SSL wizard, but it seems that it only renews the current SSL certificate and does not update it or replace it with a new one.
I purchased a UCC certificate for my domain since I will be using OWA, Outlook Anywhere and SharePoint. (mail.mydomain.com, remote.mydomain.com, autodiscover.mydomain.com, sp.mydomain.com)
Has anybody ever done this?
Any help is greatly appreciated.
Question by:sammydlc
11 Comments
 
LVL 13

Expert Comment

by:George Sas
ID: 33590910
I am not too familiar with EBS 2008, but I guess it's some kind of SBS.
What do you need to use the certificate for besides Exchange?
0
 

Author Comment

by:sammydlc
ID: 33592271
Yes, EBS is similar to SBS but it actually consists of 3 servers: Forefront, Management and Messaging Exchange 2007, all running Windows Server 2008. It's more like a complete setup for a mid-size company. Well, just like SBS it all works with wizards, and all SSL was created when the domain was set up via a wizard. I have been all day trying to figure out a way to apply this new 3rd party SSL from GoDaddy, which has several subdomains which will enable me to use them to publish Outlook Anywhere.
0
 
LVL 13

Accepted Solution

by:
George Sas earned 500 total points
ID: 33592340
I think the easiest way is to import this certificate through the Certificates management that you can add as a snap-in in the MMC.
Start MMC > File > Add Remove Snap-In and select Certificates. Select Local computer and add it.
There you will be able to import the new certificate.
Then you will be able to replace the existing SSL certificate on whatever application you might need.

I also found a few articles that might help you:
http://blogs.technet.com/b/essentialbusinessserver/archive/2009/03/13/how-to-change-the-public-certificate-used-by-windows-essential-business-server-for-incoming-web-requests.aspx

Check the caption "The following steps are accomplished on the Security Server." in the article above.


http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Essential_Business_Server/Q_26173503.html

http://wintivity.wigital.net/blog/2009/07/23/ebs-2008-certificates-installer-rww-terminal-services-gateway-outlook-rpc-http/

0

 
LVL 13

Expert Comment

by:George Sas
ID: 33592385
So if you import the certificate through MMC, I think you should be able to actually REPLACE the existing certificate through the Update Certificate wizard.
0
 

Author Comment

by:sammydlc
ID: 33592407
Yes, but where can I start the request, since GoDaddy is asking for a Certificate Signing Request (CSR)?
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33592433
You can generate the CSR through IIS.
0
 

Author Comment

by:sammydlc
ID: 33592439
Which IIS, since there is one on the Management and one on the Exchange?
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33592470
Take one that you want.
After importing the SSL, export it as PFX with private key so you can import it on the other machines.
Check the links I posted, there are some details about exporting.
0
 

Author Closing Comment

by:sammydlc
ID: 33598283
Solution links helped me find an article that allowed me to solve this issue
0
 

Author Comment

by:sammydlc
ID: 33598498
@ GeoSs: thanks for all your responses. Although your links were very helpful, I found an article which described how to apply the SSL for a Windows Mobile device.
This is what I did:

I purchased a GoDaddy UCC certificate.
Since I would be using several subdomains, I created the following.
remote.mydomain.com - Used by Remote Web Workplace
webmail.mydomain.com - Used by OWA
autodiscover.mydomain.com - Used by Outlook 2007-2010 for Outlook Anywhere
myexchangenetbiosname.mydomain.local - For internal Users
myexchangenetbios - For internal Users

First, on the Security Server I created an SSL request by doing the following.

To obtain and install a trusted third-party certificate, you will need to do the following on the Security Server:
a. Create a certificate signing request with the Create Certificate Request wizard (in the IIS Manager).
b. Request and purchase a certificate from a certificate vendor (an online procedure, which may vary depending on the vendor).
c. Save the certificate sent by the certificate vendor in Windows EBS 2008.
d. Install the certificate with the Complete Certificate Request wizard in the IIS Manager.
e. Assign the third-party certificate to the appropriate site in IIS Manager.

These are the step-by-step instructions on how to do this.
Create a certificate signing request with the Create Certificate Request wizard
In order to create a certificate signing request on the Security Server, you will need to do the following: Connect to the IIS Manager on the Security Server via the Windows Essential Business Server Administration Console.
1. Click Start, click All Programs, click Windows Essential Business Server, and then click Windows Essential Business Server Administration Console.
2. Click Computers and Devices. Select the Security Server from the list of servers and click IIS Manager from the Tasks pane.
3. Click the Connect button and enter the user name and password to connect to the Security Server. Click Ok.
4. In the IIS Manager, click on the server name in the Connections pane and then double-click Server Certificates in the Workspace area.
5. In the Actions pane, click Create Certificate Request.
6. Enter the required information for the certificate in the Request Certificate wizard. Click Next.
7. Leave the default settings in Cryptographic Service Provider Properties as is and click Next.
8. Enter a filename for your Certificate Signing Request (CSR).
9. You will need to use the signing code stored in this file while creating an online order for a trusted certificate. You will need to copy the file contents into the online order process when prompted.

********
Request and purchase a certificate from a certificate vendor
This is an online process which requires you to purchase a trusted third-party certificate from a Certificate Authority (CA). This process may vary depending on the CA you decide to buy the certificate from. During the purchase process, you will need to provide the contents of the CSR file that was created with the Create Certificate Request wizard. Ensure that the information you enter during this process matches what you entered in the Certificate Request wizard.

Save the certificate sent by the certificate vendor in Windows EBS 2008
The certificate vendor may e-mail the certificate as an attachment, in a ZIP file. Extract the contents and save the .CER file on the Security Server. This certificate will now need to be installed in the IIS Manager.

Install the Certificate on the Security Server
Here are the steps
Install the third-party certificate provided by the Certificate Authority
1. Click Start, click All Programs, click Windows Essential Business Server, and then click Windows Essential Business Server Administration Console.
2. Click Computers and Devices. Select the Security Server from the list of servers and click IIS Manager from the Tasks pane.
3. Click the Connect button and enter the user name and password to connect to the Security Server. Click Ok.
4. In the IIS Manager, click on the server name in the Connections pane and then double-click Server Certificates in the Workspace area.
5. In the Tasks pane click Complete Certificate Request.
6. Browse to the certificate file that you saved on the Security Server, enter a Friendly name. The friendly name is meant to easily distinguish it from other certificates.
7. Click Ok to install the certificate to the server.

Assign the certificate to the Security Server
Assign the third-party certificate to the appropriate site in IIS Manager
The trusted third-party certificate needs to be assigned to the default Web site on the Messaging Server. This process involves using the Bindings option in the IIS Manager. You need to do the following:
1. Launch the Windows Essential Business Server Administration Console.
2. Click Computers and Devices. Select the Messaging Server from the list of servers and click IIS Manager from the Tasks pane.
3. Click the Connect button and enter the user name and password to connect to the Security Server. Click Ok.
4. In the IIS Manager Connections pane, expand the Server node, expand Sites, and click Default Web Site.
5. Click Bindings in the Actions pane.
6. Click the Add button in the Site Bindings dialog box.
7. Click the Type drop-down list and select https. Port 443 will automatically be assigned to this site.
8. Click the SSL certificate drop-down list, select the self-signed/trusted third-party certificate you just installed on the server.
9. Click View to make sure the right certificate has been chosen. You can verify this by checking the Issued To and Issued By details. Click Ok to close the Certificate dialog box.
10. Click Ok to complete the process.

INSTALL CERTIFICATE ON Security Server ForeFront Console
This step needs to be done on the TMGF Console. I really got confused with other articles that never pointed out that the SSL needs to be installed on the IIS Manager for the Security Server only.

Here are the steps.
Since the security server provides firewall protection and Web antivirus protection as part of the Windows EBS 2008 solution, it is able to isolate external networks from the internal Windows EBS 2008 network. In order to allow incoming requests to access the Exchange mailbox over a HTTPS connection, you will need to do the following:
a. Install the third-party certificate in the Trusted Root Certificate store of the security server.
b. Add the third-party certificate for the external Web listener in Forefront TMG.
c. Finally, install the third-party certificate on a Windows Mobile device, if it is not listed in the Windows Mobile device certificate store.
STEP BY STEP :
To add a certificate for the external Web listener, do the following:
1. Click Start, click All Programs, click Windows Essential Business Server, and then click Windows Essential Business Server Administration Console.
2. Click the Security tab, click Network firewall, and then in the tasks pane, click Start Forefront Threat Management Gateway console.
3. Click Connect and enter the user name and password to view the Forefront TMG console on the Security Server.
4. In the console tree of Forefront TMG, expand the name of your Security Server, and then click Firewall Policy.
5. In the results pane, double-click Remote Web Workplace Publishing Rule.
6. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.
7. Select External Web Listener from the list, and then click Properties.
8. In External Web Listener Properties, click the Certificates tab.
9. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.
10. In the Select Certificate dialog box, highlight the third-party certificate that was previously installed and then click Select. Click OK twice to close the Properties dialog boxes.
11. To save changes and update the configuration, click Apply in the results pane.

After 2 days of digging around the internet I was able to apply the SSL to the EBS 2008 server.
Now I can go to my computer, browse to https://remote.mydomain.com and my certificate will indicate that it was issued by GODADDY instead of my internal Server.
Also, if you notice that your PC is still receiving the old SSL certificate, go to Tools, Internet Options.
Click the Content tab and click Clear SSL State to release the old certificate.

I hope these instructions can help somebody trying to accomplish this task.
I will include the article that helped me add the certificate.





DEPLOYMENT-GUIDE---EBS2008-with-.pdf
0
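A check for the end state the steps above aim for, as an added example that is not part of the original thread: run in PowerShell 2.0 or later on each EBS server that received the certificate, it inspects the Local Computer Personal store and reports, per certificate, whether it is self-signed, whether its private key is present (needed before it can be bound in IIS or selected for the TMG listener), and which required names its Subject Alternative Name list lacks. The hostnames are the placeholders from the post, and `Test-ServerCertificate` is a name chosen for this example.

```powershell
# Added example, not from the thread. Hostnames are the placeholders the poster used.
$requiredNames = @('remote.mydomain.com', 'webmail.mydomain.com', 'autodiscover.mydomain.com')

function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$RequiredNames
    )
    process {
        # The Subject Alternative Name extension (OID 2.5.29.17) holds the names a UCC certificate covers.
        $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = ''
        if ($san) { $sanText = $san.Format($false) }

        # Match "=<name>" followed by a separator or end of string,
        # so the (localized) "DNS Name" label does not matter.
        $missing = @($RequiredNames | Where-Object {
            $sanText -notmatch ('=' + [regex]::Escape($_) + '(,|\s|$)')
        })

        New-Object PSObject -Property @{
            Thumbprint    = $Certificate.Thumbprint
            Issuer        = $Certificate.Issuer
            # A self-signed certificate names itself as its own issuer.
            SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)
            # False here means the request was completed on another machine
            # or the PFX was exported without its private key.
            HasPrivateKey = $Certificate.HasPrivateKey
            Expired       = ($Certificate.NotAfter -lt (Get-Date))
            MissingNames  = ($missing -join ', ')
        }
    }
}

# Evaluate every certificate in the Local Computer "Personal" store.
Get-ChildItem Cert:\LocalMachine\My |
    Test-ServerCertificate -RequiredNames $requiredNames |
    Format-List Thumbprint, Issuer, SelfSigned, HasPrivateKey, Expired, MissingNames
```

The certificate to bind is the one showing `SelfSigned : False`, `HasPrivateKey : True` and an empty `MissingNames`; the wizard-generated certificate shows up in the same listing and can be told apart by its issuer.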
 
LVL 13

Expert Comment

by:George Sas
ID: 33599535
Thanks for the points. Glad you solved the problem and that I could be of help.
0
