How To: SSL Certificates with SBS 2003 - with UCC
Posted by Mandeep Singh, Last modified by Mandeep Singh on 09 October 2013 10:06 PM
During a demo of Microsoft Small Business Server 2003 to a client recently, I was demonstrating the Remote Web Workplace (RWW) and Outlook Web Access (OWA) features. These are always a great selling point to anyone who is considering a server solution.
Browsing to https://remote.ourdomain.com/remote – Internet Explorer naturally flashed up a screen to say “The security certificate presented by this web-site was not issued by a trusted certificate authority” – which is, of course, a correct statement when your server is using a self-signed certificate (as my server was). I clicked Continue, as I always do, and was about to demonstrate the excellent features of RWW when the client asked the question
“Why did that error pop-up?”
My usual response is “It’s nothing to worry about” but it did get me thinking. We are always trying to educate users not to click through warnings, especially on web-sites, without questioning why those warnings are there. The fact my own SBS server gives these warnings isn’t a great demonstration of security! So how to avoid this error?
Asking around a few other SMB Consultants on how they would tackle this issue gleaned a variety of answers, none of which were altogether conclusive. So here’s my attempt at explaining how to use SSL certificates with SBS 2003!
What are Trusted Certificates?
First, a crash-course in Trusted Certificates as they are used within SBS 2003. When you visit a secure (https) web-site, your web browser (in this case Internet Explorer) checks the certificate it is presented with by that web-site against a list of Certificate Authorities (CAs) it knows it can trust, such as Geotrust, Globalsign and Verisign. These are known as “Root Authorities” and are regularly updated by Microsoft.
So when you receive the error “The security certificate presented by this web-site was not issued by a trusted certificate authority” it simply means Internet Explorer cannot verify the certificate it has been presented by the web-site you are visiting as being created by a CA it can trust.
So the simple solution to this problem is – get yourself a Certificate created by a CA that IS trusted by Internet Explorer! Unfortunately, most of the big CAs charge a small fortune (£100+/year) for such Certificates. For an SMB Consultant rolling out a dozen or more new SBS 2003 solutions per year, that’s going to be a nasty additional cost.
Using GoDaddy for Cheap SSL Certificates
Is there a cheaper alternative? Yes! Get yourself over to www.godaddy.com and buy one of their Turbo SSL Certificates at $34 (about £17) per year. Use the discount code
Before you begin to create a new SSL certificate from GoDaddy, you need to do two things
When you go through the process of creating your GoDaddy SSL certificate, you’ll be asked to provide a Certificate Signing Request (CSR). This is a chunk of text that tells the SSL provider what to generate within the new Certificate. To create a CSR from your SBS 2003 server:-
Once the CSR is created, you can open the file within Notepad and copy the information to your clipboard – ready to paste into GoDaddy’s Certificate Generation screen.
Download and Install the Certificate
GoDaddy will send you a variety of e-mails including an important one to the Administrative contact of the domain you are using. You’ll need to reply to this e-mail to confirm you are the owner of this domain, to enable the Certificate request to proceed.
Within a few minutes and a few e-mail responses, you should be able to download your new SSL certificate from GoDaddy’s web-site! Save this to your server.
Now we have the certificate, we will need to apply it to your server:-
Hopefully we’re all done!
Testing the Certificate
Open Internet Explorer and browse to the external address – i.e. https://remote.joebloggs.com/remote and with any luck you shouldn’t get any sort of Internet Explorer Certificate warning, and you’ll be good to go! If you’re an SMB Consultant, next time you demo SBS 2003 to a client you won’t have to gloss over any of those error messages!
One thing to remember is that this Certificate verifies the identity of the server externally. If you accessed the server internally – i.e. https://yourserver/remote – you’d still get a warning message that the Certificate doesn’t match the actual server name.
There is a way around this, using a Certificate option known as “Subject Alternative Naming” (SAN). Using this option you can give your Certificate both an internal and external address to use. The catch? Price – you’ll usually find these types of servers are much more expensive.
If you’re still interested in using SAN - go take a look at the options at Globalsign. The company comes highly recommended – it’s owned by my Cousin Steven and he kindly helped me research the various options!
Another upside of using a 3rd Party Certificate is that if you own a Mobile device with an “always on” Internet connection, you can set it to synchronise with your Exchange Server and also push e-mails from Exchange directly to your device. I’ll document how I set that up next time!
I hope you find the above information useful and it saves you some time drawing together the various snippets of information you’ll find elsewhere on the ‘net. If you’ve got anything to add or any corrections for me, do leave a comment!
Original Article: http://www.tubblog.co.uk/blog/2007/07/31/using-ssl-certificates-with-sbs-2003/
Apply UCC certificate on SBS 2003
After copying the CSR to the SSL provider (GoDaddy), you will have the option to add alternate Subject Names to the certificate (if you have bought a UCC SSL certificate).
Certificate Subnet name:
Wait for SSL approval emails.
Download the certificate
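Once the certificate is downloaded, it is worth confirming which names it actually covers. The following is an added example, not part of the original article: it models the name check behind the mismatch warning described under "Testing the Certificate" and shows why the alternate Subject Names of a UCC certificate remove it. The certificate dictionaries are constructed sample data in the layout returned by Python's ssl.SSLSocket.getpeercert(), and the function names are hypothetical.

```python
# Added example. Certificates below are constructed, in the dict layout that
# Python's ssl.SSLSocket.getpeercert() returns; host names come from the article.

def presented_names(cert):
    """DNS names a client compares the URL host against."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    # No DNS SAN entries: older clients fall back to the subject CN.
    # Current browsers ignore the CN entirely.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' stands for exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        first_label, _, parent = host.partition(".")
        return bool(first_label) and parent == pattern[2:]
    return pattern == host


def name_mismatches(cert, hosts):
    """Hosts for which the browser would raise a name-mismatch warning."""
    names = presented_names(cert)
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]


URL_HOSTS = ["remote.joebloggs.com", "yourserver"]  # external and internal

SINGLE_NAME_CERT = {  # constructed: one external name only
    "subject": ((("commonName", "remote.joebloggs.com"),),),
}
WILDCARD_CERT = {  # constructed: wildcard for the public domain
    "subject": ((("commonName", "*.joebloggs.com"),),),
    "subjectAltName": (("DNS", "*.joebloggs.com"),),
}
UCC_CERT = {  # constructed: both names listed as SAN entries
    "subject": ((("commonName", "remote.joebloggs.com"),),),
    "subjectAltName": (("DNS", "remote.joebloggs.com"), ("DNS", "yourserver")),
}

if __name__ == "__main__":
    for label, cert in [("single-name", SINGLE_NAME_CERT),
                        ("wildcard", WILDCARD_CERT), ("UCC/SAN", UCC_CERT)]:
        print(f"{label:12} warns for: {name_mismatches(cert, URL_HOSTS) or 'none'}")
```

Publicly trusted CAs have since stopped issuing certificates for unqualified internal names such as yourserver, so on current systems the internal name needs a private CA or a public DNS name that resolves internally.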