texan_gerbil

asked on

How to load a reissued SSL certificate on a SBS 2008 server?

I'm not getting much help from the certificate issuer so I'll throw it out to you guys.
Current setup:
I have 3 servers, SBS2008 and two IIS servers.
I have an SSL certificate with SAN successfully installed on the SBS box (using the SBS console wizard).

Problem:
The IIS servers both need a certificate installed for https, so I have had my SAN cert reissued with extra SANs to use on these servers as well (the cert is licensed for 3 servers so that's fine).
I have established that in order to successfully load the reissued cert onto my IIS servers I need to export it with the key as a .pfx on the original server and then import said pfx onto the other two servers. (I have done this successfully on one, but of course it throws up cert errors in a browser, as the version of the cert I exported/imported is the original without the extra SANs.)
What I am having a surprising amount of trouble establishing is how to replace my original cert with the reissue on the SBS box, so that I can export/import it onto the other servers.

What I've tried so far:
I have tried regenerating a CSR with the SBS wizard and then loading the revised cert but it rejects it as not compatible.
I have tried importing a certificate already on the server (ie the reissue which I manually imported using MMC certificates snapin) using the SBS wizard but again it rejects it.
There are no more options in the SBS Wizard.
From previous experience I know that the standard Exchange 2007 ways of loading a certificate using EMS commands don't work on a SBS box.

Am I up a dead end? Is there any way of getting SBS2008 to accept a certificate with extra SANs?
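A check that would have caught the problem described above (the exported .pfx being the original cert without the added SANs): an added PowerShell example, not from this thread. The path, password and expected host names are placeholders, and the "DNS Name=" text it parses is the format Windows uses when rendering the SAN extension.

```powershell
# Added example: inspect a .pfx before importing it on another server.
# Lists the DNS names in the Subject Alternative Name extension and confirms
# the private key is present. Path, password and host names are placeholders.
param(
    [string]$PfxPath = 'C:\certs\remote.pfx',
    [string]$PfxPassword = 'CHANGEME',
    [string[]]$ExpectedHosts = @('remote.domain.com', 'sub1.domain.com', 'sub2.domain.com')
)

$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)

Write-Host "Subject    : $($cert.Subject)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Valid until: $($cert.NotAfter)"
Write-Host "Private key: $($cert.HasPrivateKey)"

# OID 2.5.29.17 is subjectAltName; Format($true) renders one entry per line,
# e.g. "DNS Name=remote.domain.com"
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    $sanNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }
}
Write-Host "SAN entries: $($sanNames -join ', ')"

# Compare what the browser will check against what the file actually carries.
$missing = $ExpectedHosts | Where-Object { $sanNames -notcontains $_ }
if (-not $cert.HasPrivateKey) {
    Write-Warning 'PFX has no private key; export again with the key included.'
}
if ($missing) {
    Write-Warning "This is not the reissued cert; missing SAN(s): $($missing -join ', ')"
} else {
    Write-Host 'All expected host names present; safe to import on the IIS servers.'
}
```

Comparing the thumbprint printed here with the one shown for the reissued cert in the MMC certificates snap-in is a quick way to tell the two versions apart.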
Philip Elder

Why not generate a CSR on each IIS box  and use that to import the re-issued cert?

Why use the SBS wizard when realistically that is not what it was meant for.

Philip
texan_gerbil (asker)

That doesn't work either (sorry forgot to mention that). If I do what you suggest, I get an error on loading the cert saying it doesn't match the pending request. This suggests perhaps that the details in the request file  don't match the reissued cert, but I am entering exactly what the issuer told me to.
I know the import pfx route will work if i can only load the new cert onto the SBS server.
How are the HTTPS calls managed? Are they managed by a setup in ISA/TMG to deliver HTTPS requests to a certain server depending on the URL? Or is a gateway device using aliased IPs to deliver HTTP/HTTPS to each of the three servers?

Your CSR on each IIS should be:
 IIS 1:  sub1.domain.com
 IIS 2: sub2.domain.com
 SBS: remote.domain.com

Using a CSR via each server assures you that you have the correct primary common name and then the subdomains would be irrelevant.

Since your certificate provider allows for three servers, the above scenario should work.

Philip
I think I see what you're saying. The latter scenario is what we do - firewall with NAT.
The only certificate I have been issued has common name remote.domain.com. At no point has anyone at the issuer's agent or the issuer (Globalsign btw) said anything about creating CSRs on the IIS servers with different common names. When I have done it as a test I have used remote.domain.com on all servers.

What you're suggesting would be fine if I effectively had three independent certificates, but I thought that was the point of a SAN certificate - the same cert contains all the required domain names so you only need one instance.

Sorry, I don't know much about the ins and outs of all this and I'm getting steadily more confused...
You have a point. In my digging around looking for specific info on configuring SAN certificates for SBS I did not see anything specific.

Does the certificate provider revoke any previous certificates when you generate/re-issue a new one?

Philip
I agree. I've not found anything specific to SBS either. I only got the original certificate installed correctly on the SBS box with the help of demazter here on EE - he was adamant that you have to use the wizard or the cert won't install correctly - the usual Exchange 2007 instructions using EMS commands don't work (which I confirmed).

To answer your question, I don't think they do revoke the previous certs - I'm still running the original certificate happily on the SBS box.

ASKER CERTIFIED SOLUTION
Philip Elder
(The accepted solution text is only available to Experts Exchange members.)
So let me get this straight. You're suggesting that I -
leave the SBS server as is;
generate two new CSRs for the two IIS servers with sub1.domain.com and sub2.domain.com as common names;
submit them to Globalsign and get them to make 2 reissues of the certificate with different common names to the original?

I can but ask them, although it may be Monday before I get a response. Watch this space...
That is one option if they are amicable to it.

If not, then use the other server's IIS CSR to obtain a re-issue of the cert _for that server_ so that IIS gets a cert it requested.

Philip
I generated a new CSR on one of the IIS servers using the same common name (remote.domain.com), got the cert reissued against it and installed it OK. Then exported it to pfx and imported it onto the other one.
I still have the original issue cert installed on my SBS server and no-one has yet explained how I can replace that, although I don't need to. Just hope I can do it when the cert needs renewing...
When the time comes, delete the cert out of the Personal Cert store that is currently being used _after_ using the wizard to generate a new CSR.

Once the new cert is issued and the old one is deleted you can then use the wizard to import the newly generated cert.

You would be good to go from there.

Philip