Solved

Need to replace an SSL certificate on Essentials Business Server 2008

Posted on 2010-09-02
Last Modified: 2012-05-10
Hi,
I need to replace the self assigned SSL certificate on an Essentials Business Server 2008 environment. I am unsure where the SSL was applied since all this was done during the setup wizard. I know there is an update SSL wizard, but it seems that it only renews the current SSL certificate and does not update or replace it with a new one.
I purchased a UCC certificate for my domain since I will be using OWA, Outlook Anywhere and SharePoint. (mail.mydomain.com, remote.mydomain.com, autodiscover.mydomain.com, sp.mydomain.com)
Has anybody ever done this?
Any help is greatly appreciated
Question by:sammydlc
 
LVL 13

Expert Comment

by:George Sas
ID: 33590910
I am not too familiar with EBS 2008, but I guess it's some kinda SBS.
What do you need to use the certificate for besides Exchange?
0
 

Author Comment

by:sammydlc
ID: 33592271
Yes, EBS is similar to SBS but it actually consists of 3 servers: Forefront, Management and Messaging Exchange 2007, all running Windows Server 2008. It's more like a complete setup for a mid-size company. Well, just like SBS it all works with wizards, and all SSL was created when the domain was set up via a wizard. I have been trying all day to figure out a way to apply this new 3rd party SSL from GoDaddy, which has several subdomains which will enable me to use them to publish Outlook Anywhere.
0
 
LVL 13

Accepted Solution

by:
George Sas earned 500 total points
ID: 33592340
I think the easiest way is to import this certificate through the Certificates management that you can add as a snap-in in the MMC.
Start MMC > File > Add/Remove Snap-in and select Certificates. Select Local computer and add it.
There you will be able to import the new certificate.
Then you will be able to replace the existing SSL certificate on whatever application you might need.

I also found a few articles that might help you:
http://blogs.technet.com/b/essentialbusinessserver/archive/2009/03/13/how-to-change-the-public-certificate-used-by-windows-essential-business-server-for-incoming-web-requests.aspx

Check the caption "The following steps are accomplished on the Security Server." on the upper article.


http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Essential_Business_Server/Q_26173503.html

http://wintivity.wigital.net/blog/2009/07/23/ebs-2008-certificates-installer-rww-terminal-services-gateway-outlook-rpc-http/

0
 
LVL 13

Expert Comment

by:George Sas
ID: 33592385
So if you import the certificate through MMC, I think you should be able to actually REPLACE the existing certificate through the Update Certificate wizard.
0
 

Author Comment

by:sammydlc
ID: 33592407
Yes, but where can I start the request, since GoDaddy is asking for a Certificate Signing Request (CSR)?
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33592433
You can generate the CSR through IIS.
0
 

Author Comment

by:sammydlc
ID: 33592439
Which IIS, since there is one on the Management and one on the Exchange?
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33592470
Take one that you want.
After importing the SSL, export it as PFX with private key so you can import it on the other machines.
Check the links I posted, there are some details about exporting.
0
 

Author Closing Comment

by:sammydlc
ID: 33598283
Solution links helped me find an article that allowed me to solve this issue
0
 

Author Comment

by:sammydlc
ID: 33598498
@ GeoSs: thanks for all your responses. Although your links were very helpful, I found an article which described how to apply the SSL for a Windows Mobile device.
This is what I did:

I purchased a Godaddy UCC certificate.
Since I would be using several subdomains, I created the following.
remote.mydomain.com - Used by Remote Web Workplace
webmail.mydomain.com - Used by OWA
autodiscover.mydomain.com - Used by Outlook 2007-2010 for Outlook Anywhere
myexchangenetbiosname.mydomain.local - For internal Users
myexchangenetbios - For internal Users

First, on the Security Server I created an SSL request by doing the following.

To obtain and install a trusted third-party certificate, you will need to do the following on the Security Server:
a. Create a certificate signing request with the Create Certificate Request wizard (in the IIS Manager).
b. Request and purchase a certificate from a certificate vendor (an online procedure, which may vary depending on the vendor).
c. Save the certificate sent by the certificate vendor in Windows EBS 2008.
d. Install the certificate with the Complete Certificate Request wizard in the IIS Manager.
e. Assign the third-party certificate to the appropriate site in IIS Manager.

These are the step-by-step instructions on how to do this.
Create a certificate signing request with the Create Certificate Request wizard
In order to create a certificate signing request on the Security Server, you will need to do the following: Connect to the IIS Manager on the Security Server via the Windows Essential Business Server Administration Console.
1. Click Start, click All Programs, click Windows Essential Business Server, and then click Windows Essential Business Server Administration Console.
2. Click Computers and Devices. Select the Security Server from the list of servers and click IIS Manager from the Tasks pane.
3. Click the Connect button and enter the user name and password to connect to the Security Server. Click Ok.
4. In the IIS Manager, click on the server name in the Connections pane and then double-click Server Certificates in the Workspace area.
5. In the Actions pane, click Create Certificate Request.
6. Enter the required information for the certificate in the Request Certificate wizard. Click Next.
7. Leave the default settings in Cryptographic Service Provider Properties as is and click Next.
8. Enter a filename for your Certificate Signing Request (CSR)
9. You will need to use the signing code stored in this file while creating an online order for a trusted certificate. You will need to copy the file contents into the online order process when prompted.

********
Request and purchase a certificate from a certificate vendor
This is an online process which requires you to purchase a trusted third-party certificate from a Certificate Authority (CA). This process may vary depending on the CA you decide to buy the certificate from. During the purchase process, you will need to provide the contents of the CSR file that was created with the Create Certificate Request wizard. Ensure that the information you enter during this process matches what you entered in the Certificate Request wizard.

Save the certificate sent by the certificate vendor in Windows EBS 2008
The certificate vendor may e-mail the certificate as an attachment, in a ZIP file. Extract the contents and save the .CER file on the Security Server. This certificate will now need to be installed in the IIS Manager.

Install the Certificate on the Security Server
Here are the steps:
Install the third-party certificate provided by the Certificate Authority
1. Click Start, click All Programs, click Windows Essential Business Server, and then click Windows Essential Business Server Administration Console.
2. Click Computers and Devices. Select the Security Server from the list of servers and click IIS Manager from the Tasks pane.
3. Click the Connect button and enter the user name and password to connect to the Security Server. Click Ok.
4. In the IIS Manager, click on the server name in the Connections pane and then double-click Server Certificates in the Workspace area.
5. In the Tasks pane click Complete Certificate Request.
6. Browse to the certificate file that you saved on the Security Server, enter a Friendly name. The friendly name is meant to easily distinguish it from other certificates.
7. Click Ok to install the certificate to the server.

Assign the certificate to the Security Server
Assign the third-party certificate to the appropriate site in IIS Manager
The trusted third-party certificate needs to be assigned to the default Web site on the Messaging Server. This process involves using the Bindings option in the IIS Manager. You need to do the following:
1. Launch the Windows Essential Business Server Administration Console.
2. Click Computers and Devices. Select the Messaging Server from the list of servers and click IIS Manager from the Tasks pane.
3. Click the Connect button and enter the user name and password to connect to the Security Server. Click Ok.
4. In the IIS Manager Connections pane, expand the Server node, expand Sites, and click Default Web Site.
5. Click Bindings in the Actions pane.
6. Click the Add button in the Site Bindings dialog box.
7. Click the Type drop-down list and select https. Port 443 will automatically be assigned to this site.
8. Click the SSL certificate drop-down list, select the self-signed/trusted third-party certificate you just installed on the server.
9. Click View to make sure the right certificate has been chosen. You can verify this by checking the Issued To and Issued By details. Click Ok to close the Certificate dialog box.
10. Click Ok to complete the process.

INSTALL CERTIFICATE ON Security Server ForeFront Console
This step needs to be done on the TMGF Console. I really got confused with other articles that never pointed out that the SSL needs to be installed on the IIS Manager for the Security Server only.

Here are the steps.
Since the security server provides firewall protection and Web antivirus protection as part of the Windows EBS 2008 solution, it is able to isolate external networks from the internal Windows EBS 2008 network. In order to allow incoming requests to access the Exchange mailbox over a HTTPS connection, you will need to do the following:
a. Install the third-party certificate in the Trusted Root Certificate store of the security server.
b. Add the third-party certificate for the external Web listener in Forefront TMG.
c. Finally, install the third-party certificate on a Windows Mobile device, if it is not listed in the Windows Mobile device certificate store.
STEP BY STEP :
To add a certificate for the external Web listener, do the following:
1. Click Start, click All Programs, click Windows Essential Business Server, and then click Windows Essential Business Server Administration Console.
2. Click the Security tab, click Network firewall, and then in the tasks pane, click Start Forefront Threat Management Gateway console.
3. Click Connect and enter the user name and password to view the Forefront TMG console on the Security Server.
4. In the console tree of Forefront TMG, expand the name of your Security Server, and then click Firewall Policy.
5. In the results pane, double-click Remote Web Workplace Publishing Rule.
6. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.
7. Select External Web Listener from the list, and then click Properties.
8. In External Web Listener Properties, click the Certificates tab.
9. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.
10. In the Select Certificate dialog box, highlight the third-party certificate that was previously installed and then click Select. Click OK twice to close the Properties dialog boxes.
11. To save changes and update the configuration, click Apply in the results pane.

After 2 days of digging around the internet I was able to apply the SSL to the EBS 2008 server.
Now I can go to my computer, browse to https://remote.mydomain.com and my certificate will indicate that it was issued by GODADDY instead of my internal Server.
Also, if you notice that your PC is still receiving the old SSL certificate, go to Tools, Internet Options,
click the Content tab and click CLEAR SSL State to release the old certificate.

I hope these instructions can help somebody trying to accomplish this task.
I will include the article that helped me add the certificate.





DEPLOYMENT-GUIDE---EBS2008-with-.pdf
0
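The check the post above does by eye in the certificate View dialog (Issued To / Issued By), as an added PowerShell example that is not part of the original post: it lists every certificate in the local machine store of the server it is run on and reports whether each has a private key, is self-signed or expired, and which of the post's hostnames it does not cover. It assumes PowerShell 2.0 or later and English-language Windows (the `DNS Name=` label is localized); the hostnames are the post's placeholders.

```powershell
# Added example, not from the original post.
# Hostnames are the placeholders used in the post; replace them with your own.
$required = @(
    'remote.mydomain.com',
    'webmail.mydomain.com',
    'autodiscover.mydomain.com',
    'myexchangenetbiosname.mydomain.local',
    'myexchangenetbios'
)

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Common name from the subject
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Subject Alternative Name extension (OID 2.5.29.17)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) gives one entry per line, e.g. "DNS Name=host" (English Windows)
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    $names | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert    = $_
    $dns     = @(Get-CertDnsNames $cert)
    # Names from the post that neither the CN nor the SAN list covers
    $missing = @($required | Where-Object { $dns -notcontains $_ })
    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        HasPrivateKey = $cert.HasPrivateKey   # must be True to bind in IIS or TMG
        Expired       = ($cert.NotAfter -lt (Get-Date))
        MissingNames  = ($missing -join ', ')
    }
} | Select-Object Thumbprint, Subject, Issuer, SelfSigned, HasPrivateKey, Expired, MissingNames |
    Format-List
```

Run it on each server that received the certificate; an entry with `HasPrivateKey : False` was imported from the .CER alone rather than completed against the original request or imported from a PFX.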
 
LVL 13

Expert Comment

by:George Sas
ID: 33599535
Thanks for the points. Glad you solved the problem and that I could be of help.
0
