pctechmi
asked on
SSL Certificate Import in SBS 2011 to SBS 2011
I am doing a migration from SBS 2011 to 2011 (changing hardware and wanting a clean install of SBS). I have followed the MS instructions to export my trusted SSL certificate from the old server and copied it to the new one.
If I browse to the Computer Personal Certificate store I can see the certificate in there, however when I run the Add a Trusted Certificate Wizard and browse for certificates it does not appear in the list.
When I go to help on SBS it says this below. Guess what they are in that location.
If the trusted certificate that you want to add is not listed:
It may not be in the Certificates\Personal store. Search for the certificate and import it into the correct certificate store.
Any ideas?
If I browse to the Computer Personal Certificate store I can see the certificate in there, however when I run the Add a Trusted Certificate Wizard and browse for certificates it does not appear in the list.
When I go to help on SBS it says this below. Guess what they are in that location.
If the trusted certificate that you want to add is not listed:
It may not be in the Certificates\Personal store. Search for the certificate and import it into the correct certificate store.
Any ideas?
Last Comment
ASKER
the name is exactly the same mail.domain.com
I have run the other wizards for the network. Everything detailed in migration guide before hand and have the certificates imported and they are in the Personal folder as listed in instructions. When I run the add trusted certificate option in the SBS Console it only shows self signed certificates.
I have run the other wizards for the network. Everything detailed in migration guide before hand and have the certificates imported and they are in the Personal folder as listed in instructions. When I run the add trusted certificate option in the SBS Console it only shows self signed certificates.
The certificate should be imported to the computer-account - not the user-account. The IIS and Exchange only see the computer-account-certifica
You can open a "MMC" and choose the certificates-Plugin. After choosing it it will ask you if you want the local machines or the user-certificates. Use the local machine and import the certificate again.
The external-Address of your CN must be in the external-address-fields within your servers client-connectivity-config
You can open a "MMC" and choose the certificates-Plugin. After choosing it it will ask you if you want the local machines or the user-certificates. Use the local machine and import the certificate again.
The external-Address of your CN must be in the external-address-fields within your servers client-connectivity-config
ASKER
Yes I did use the computer account. Here are the exact steps I followed.
To export a trusted certificate from the Source Server
1. On the Source Server, click Start, click Run, type mmc.exe, and then press ENTER.
2. On the console, click File, and then click Add/Remove Snap-in.
3. Click Add, choose Certificates from the list, click Add, and then click OK.
4. In the pop-up window that appears, click Computer Account, click Finish, and then click OK.
5. Expand Certificates, expand Personal, and then click Certificates.
6. Right-click the certificate that is issued to your website (for example: remote.contoso.com), click All Tasks, and then click Export.
Note
There may be multiple certificates with the same name. Ensure that you choose a certificate that has a valid expiration date and that was issued by a trusted authority. If you are not sure which certificate to use, open Internet Information Services (IIS), determine which certificate IIS is using on the Source Server, and then choose the same certificate.
7. In the Certificate Export Wizard, click Next.
8. Ensure Yes, export the private key is selected, and then click Next.
9. Ensure Include all certificates in the certificate path if possible and Export all extended properties are selected, and then click Next. Do not select Delete the private key if the export is successful.
10. Type a password to protect the certificate file, and then click Next.
11. Choose a location to save the .pfx file (for example, C:\trustedcert.pfx), and then click Next.
12. Finish the wizard.
To import the trusted certificate to the Destination Server
1. Move the trustedcert.pfx file to the Destination Server by using the network or a USB flash drive.
2. On the Destination Server, click Start, type mmc.exe, and then press ENTER.
3. On the console, click File, and then click Add/Remove Snap-in.
4. Choose Certificates from the list, and then click Add.
5. In the pop-up window that appears, select Computer Account, click Finish, and then click OK.
6. Expand Certificates, expand Personal, and then click Certificates.
7. Right-click Certificates, click All Tasks, and then click Import.
8. On the Certificate Import Wizard Welcome page, click Next.
9. Browse to the location of the saved .pfx file, and then click Next.
10. Type the password that you typed in the Export procedure, ensure that Mark this key as exportable and Include all extended properties are selected, and then click Next.
11. Ensure that the certificate is imported to the Personal folder, and then click Next.
12. Finish the wizard.
To ensure that the Destination Server is using the newly imported certificate, run the Add a Trusted Certificate Wizard:
To run the Add a Trusted Certificate Wizard
1. Open the Windows SBS 2011 Standard Console.
2. On the navigation bar, click the Network tab, and then click Connectivity.
3. In the task pane, click Add a trusted certificate.
4. On the Welcome page, read the information, and then click Next.
5. On the Get the certificate page, click I want to use a certificate that is already installed on the server, and then click Next.
6. On the Choose an installed certificate page, click the certificate that you just imported, and then click Next.
Note
If you cannot find the certificate that you just imported in the previous step, check to ensure that the Internet address configured on the Destination Server is exactly the same as the Internet address configured on the Source Server.
7. When the wizard finishes, click Finish.
To export a trusted certificate from the Source Server
1. On the Source Server, click Start, click Run, type mmc.exe, and then press ENTER.
2. On the console, click File, and then click Add/Remove Snap-in.
3. Click Add, choose Certificates from the list, click Add, and then click OK.
4. In the pop-up window that appears, click Computer Account, click Finish, and then click OK.
5. Expand Certificates, expand Personal, and then click Certificates.
6. Right-click the certificate that is issued to your website (for example: remote.contoso.com), click All Tasks, and then click Export.
Note
There may be multiple certificates with the same name. Ensure that you choose a certificate that has a valid expiration date and that was issued by a trusted authority. If you are not sure which certificate to use, open Internet Information Services (IIS), determine which certificate IIS is using on the Source Server, and then choose the same certificate.
7. In the Certificate Export Wizard, click Next.
8. Ensure Yes, export the private key is selected, and then click Next.
9. Ensure Include all certificates in the certificate path if possible and Export all extended properties are selected, and then click Next. Do not select Delete the private key if the export is successful.
10. Type a password to protect the certificate file, and then click Next.
11. Choose a location to save the .pfx file (for example, C:\trustedcert.pfx), and then click Next.
12. Finish the wizard.
To import the trusted certificate to the Destination Server
1. Move the trustedcert.pfx file to the Destination Server by using the network or a USB flash drive.
2. On the Destination Server, click Start, type mmc.exe, and then press ENTER.
3. On the console, click File, and then click Add/Remove Snap-in.
4. Choose Certificates from the list, and then click Add.
5. In the pop-up window that appears, select Computer Account, click Finish, and then click OK.
6. Expand Certificates, expand Personal, and then click Certificates.
7. Right-click Certificates, click All Tasks, and then click Import.
8. On the Certificate Import Wizard Welcome page, click Next.
9. Browse to the location of the saved .pfx file, and then click Next.
10. Type the password that you typed in the Export procedure, ensure that Mark this key as exportable and Include all extended properties are selected, and then click Next.
11. Ensure that the certificate is imported to the Personal folder, and then click Next.
12. Finish the wizard.
To ensure that the Destination Server is using the newly imported certificate, run the Add a Trusted Certificate Wizard:
To run the Add a Trusted Certificate Wizard
1. Open the Windows SBS 2011 Standard Console.
2. On the navigation bar, click the Network tab, and then click Connectivity.
3. In the task pane, click Add a trusted certificate.
4. On the Welcome page, read the information, and then click Next.
5. On the Get the certificate page, click I want to use a certificate that is already installed on the server, and then click Next.
6. On the Choose an installed certificate page, click the certificate that you just imported, and then click Next.
Note
If you cannot find the certificate that you just imported in the previous step, check to ensure that the Internet address configured on the Destination Server is exactly the same as the Internet address configured on the Source Server.
7. When the wizard finishes, click Finish.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I left the name with remote but our certificate is in the mail.domain.com format. Update the Internet name and it accepted it.
Exchange
Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.
213K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
For example your certificate is for mail.example.com and the name in the wizard has been set to remote.example.com.
SBS will only show you certificates that match the name configured in its Internet name wizards.
Simon.