How to Install a Public 3rd Party SSL Certificate on IIS on SBS 2003

[Today's post comes to us courtesy of James Frederickson, Damian Leibaschoff, and Justin Crosby]

Today we will discuss one method for installing a public certificate on your SBS 2003 Server.  This post describes how to request and install the certificate into IIS.  A future post will cover scenarios with ISA.  Third-party certificate authorities can take some time to issue your new certificate, and you should not run OWA, RWW, etc. without SSL in the meantime, so we suggest that you create a temporary web site for the certificate request as demonstrated below.  Since we are using a temporary site, we will not be using the CEICW for this process.

Create a temporary site under web sites for your certificate request

  1. Select the Internet Information Service console within the Administrative Tools menu.
  2. Select the Web Sites.
  3. Right mouse-click and select New Web Site.
  4. For the Web Site Description, choose the site name you are going to use for your Certificate Signing Request (CSR), for example mail.contoso.com.
  5. Select a Host Header value for this Web site that does not conflict with existing sites.
  6. Choose a path of C:\Inetpub\wwwroot with read permissions.
  7. Finish

 

Create a Certificate Signing Request (CSR)

  1. Select the Internet Information Service console within the Administrative Tools menu.
  2. Select the new temporary Web site (host) for which the CSR will be requested.
  3. Right mouse-click and select Properties.
  4. Select the Directory Security tab.
  5. Select the Server Certificate option.
  6. The Welcome to the Web Server Certificate Wizard window opens.
  7. Select Create a new certificate.
  8. Select Prepare the request now, but send it later.
  9. On the Name and Security Settings page, select the CSR name, for example mail.contoso.com.
  10. Enter your Organization and Organizational Unit names.
  11. Enter your CSR name
  12. Enter your geographical information.
  13. Write down the File name and path to your certreq.txt
  14. Verify on the Request File Summary page everything is correct.
  15. Click Finish.

 

Entering CSR data to request your Certificate

  1. Log in to the account with the vendor from which you are going to purchase your certificate and enter the CSR data to create a certificate request.
  2. Not all certificate vendors require an intermediate p7b certificate. Check with your vendor before you start this process to be sure.
  3. They will send you an e-mail message that allows you to download the signed certificate and their intermediate certificate bundle. Once your SSL certificate has been signed and issued, you will have “gd_iis_intermediates.p7b” (not all certificate vendors require a p7b) and “mail.contoso.com.crt”, both of which must be installed on your server.

 

Installing SSL Certificate and the Intermediate Certificate Bundle (Optional)

Some Certificate Authorities require that you install an Intermediate certificate on your server.  If your CA does not require this please continue onto the next section (Installing the SSL Certificate into IIS).  If your CA does require an Intermediate certificate you must download and install this CA's intermediate certificate bundle (gd_iis_intermediates.p7b) on your Web server before installing your certificate.

Once you have downloaded and saved the certificate bundle, please follow the instructions below to install it:

  1. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).
  2. In the Management Console, select File; then "Add/Remove Snap In."
  3. In the Add/Remove Snap-In dialog, select Add.
  4. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
  5. Choose Computer Account; then click Next and Finish.
  6. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
  7. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
  8. Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import. Follow the wizard prompts to complete the installation procedure.
  9. Click Browse to locate the certificate file (gd_iis_intermediates.p7b).
  10. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.
  11. Click Finish.

 

Installing the SSL Certificate into IIS

  1. Select the Internet Information Service console within the Administrative Tools menu.
  2. Select the Web site (host) for which the certificate was made.
  3. Right mouse-click and select Properties.
  4. Select the Directory Security tab.
  5. Select the Server Certificate option.
  6. The Welcome to the Web Server Certificate Wizard window opens. Click OK.
  7. Select Process the pending request and install the certificate. Click Next.
  8. Enter the location for the certificate file at the Process a Pending Request window. The file extension may be .txt or .crt instead of .cer (search for files of type all files).
  9. When the correct certificate file is selected, click Next.
  10. Verify the Certificate Summary to make sure all information is accurate. Click Next.
  11. Select Finish.

 

Transferring the SSL Certificate to the Default Web Site

  1. Select the Internet Information Service console within the Administrative Tools menu.
  2. Select the Default Web site.
  3. Right mouse-click and select Properties.
  4. Select the Directory Security tab.
  5. Select the Server Certificate option.
  6. Select Replace the current certificate. Click Next.
  7. Choose the new Certificate that was just installed on the Temporary site.
  8. Verify the Certificate Summary to make sure all information is accurate. Click Next.
  9. Select Finish.

 

Verify the Certificate is installed properly

  1. Select the Internet Information Service console within the Administrative Tools menu.
  2. Select the Default Web site.
  3. Right mouse-click and select Properties.
  4. Select the Directory Security tab.
  5. Select View Certificate and be sure that it states "You have a private key that corresponds to this certificate."
  6. Once you have verified that the certificate is installed you can delete the temporary web site created in the first section of this document.
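
The same checks can be made from a command prompt with certutil, which ships with Windows Server 2003. This is an added example, not part of the original post; the two file paths are assumptions and should be changed to wherever you saved certreq.txt and the issued certificate.

```bat
@echo off
rem Added example: command-line checks for the CSR and the installed certificate.
rem Assumed locations; change these to match your server.
set CSR=C:\certreq.txt
set CRT=C:\mail.contoso.com.crt

rem 1. Before submitting to the vendor: decode the request and confirm that
rem    the subject common name (mail.contoso.com in this post) and the
rem    public key length are what you intended. A typo here is baked into
rem    the certificate the CA signs.
certutil -dump "%CSR%"
if errorlevel 1 (
    echo The request file could not be decoded.
    exit /b 1
)

rem 2. After the CA replies: decode the issued certificate and compare its
rem    subject and public key with the request dumped in step 1.
certutil -dump "%CRT%"

rem 3. After importing the intermediate bundle: build and check the chain
rem    for the issued certificate. Review the output for chain errors,
rem    which usually mean the intermediate certificate is missing.
certutil -verify "%CRT%"

rem 4. After "Process the pending request": list the computer's Personal
rem    store. The entry for the site should list a key container and
rem    provider, which shows the private key generated with the CSR is
rem    bound to the certificate.
certutil -store My

rem 5. List the Intermediate Certification Authorities store to confirm
rem    the bundle from the vendor was imported.
certutil -store CA
```

Steps 4 and 5 read the local computer stores, so run the script on the SBS server itself while logged on as an administrator.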

This completes the process.  This process is designed for servers without ISA.  We are working on a follow-up post that will cover moving the certificate from IIS to ISA.