How to Manually Install Certificates in SBS 2008

[Today’s post comes to us courtesy of Mark Stanfill]

The SBS Add a Trusted Certificate wizard may fail to display a certificate that is correctly installed in the certificate store if the subject field of the certificate is missing. This happens because some third-party certificate authorities (CAs) issue certificates with a blank subject. The Subject Alternative Name field is used to designate the fully qualified domain name (FQDN) of the certificate instead. This article documents how to manually install these types of certificates.

The behavior that you will see is that the certificate will be correctly installed in the computer’s personal certificate store, but will not show up in the Add a Trusted Certificate Wizard. In the example screenshots below, the external URL being published is




To use the certificate, you will need to manually assign it to the web site in IIS.  The instructions below assume that the certificate Subject Alternative Name matches the Internet Domain Name on the Network\Connectivity tab of the Windows SBS Console.  If the name does not match, first run the Internet Address Management Wizard (IAMW) by clicking on the Set up your Internet address link in the console.  This will assign a self-signed certificate temporarily, but also makes other important configuration changes.

Use these steps to assign the certificate:

1. Log on to the SBS server as an administrator and launch the Internet Services Manager (IIS Manager) console.

2. Select the SBS SharePoint site and click on Bindings…

3. Select https and click Edit…

4. Select your certificate from the drop-down list under SSL certificate:.  Click View… to verify that the certificate is correct based on the Subject Alternative Name field, issuer, etc.


5. Repeat steps 2-4 for the SBS Web Applications SSL binding on port 443.


6. Obtain the thumbprint of the newly installed certificate by opening an elevated Exchange Management Shell prompt and typing the command Get-ExchangeCertificate.  The newly installed certificate should have no services assigned to it.  Verify the thumbprint value from Exchange Management Shell against the properties of the actual certificate.



7. Copy the certificate thumbprint from step 6 and run the command

Enable-ExchangeCertificate -Thumbprint <THUMBRPINT> -Services "POP, IMAP, IIS, SMTP"

Where <THUMBRPINT> is the actual thumbprint.  When prompted to overwrite the existing services, answer A for all.


8. Verify the Terminal Services Gateway certificate settings.  Launch the TS Gateway Manager from START\All Programs\Administrative Tools\Terminal Services\TS Gateway Manager.  Right-click on the SBS server name and choose Properties.  On the SSL Certificate tab, click on Browse Certificates… and select the appropriate certificate.