Microsoft Exchange and Blackberry Server Specialists

SSL Certificate Installation on SBS 2008

SSL Certificates on SBS 2008 can be very frustrating. This is due to some design decisions made by Microsoft.

A version of this article originally appeared on our director's blog.

September 2012: This information has changed significantly from the advice that has been given out since early 2007 with the release of Exchange 2007.
This is because the SSL vendors' consortium has decided to stop issuing SSL certificates to non-FQDNs (eg "server"), non-public host names (eg server.example.local) and private IP addresses from 2013.
Therefore the list of names that you need to include is shorter than it used to be.

The major issue is that Microsoft presumes that your external DNS provider supports SRV records, which many don't. The intent is to save SBS owners money by letting them use a single-name certificate, but unless you are willing to change your external DNS provider you have to use the multiple-name method.

SRV records are one of the methods that Outlook 2007 and higher can use for autodiscover. Autodiscover is also connected to the availability service, so if you are using Outlook Anywhere without autodiscover working correctly, the client doesn't work as it should.

However, as SBS 2008 is designed to be managed with the wizards, and there are a lot of other changes to the Exchange and IIS configuration, doing a standard Exchange 2007 type SSL certificate installation will almost certainly break things so that they don't work correctly. Therefore you have to work with the wizard so everything goes in place as it should.

Preparation Work

To ensure that you work with the common configuration for SBS 2008, some DNS entries need to be made on the internet facing DNS services (usually your domain name registrar).
Specifically these are:

  • remote.example.com
  • autodiscover.example.com

where example.com is your domain after the @ in your email address and the domain entered in to SBS during setup.

These should point to your public static external IP address. If you cannot use a static IP address, then use a dynamic DNS provider to set up a host. Then create a CNAME for each of the above hosts and point them to the dynamic DNS host name. More information on using Exchange with a dynamic IP address is here.

While you can use another host name instead of remote.example.com, everything in SBS seems to be orientated towards that name. Using the preferred name will ensure that everything matches, particularly if you are reading other technical articles from Microsoft. As that name will be the common name on the SSL certificate, use it for the MX records for the domain, and get the ISP to set up the reverse DNS (aka PTR) record to match.
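The following script is an added example, not part of the original article, that checks the DNS entries described above before you go on to request the certificate: both host names resolve, to the same address, that address is not a private one, the PTR record for it matches remote.example.com, and the MX record for the domain points at remote.example.com. It assumes the domain is example.com and that it runs on PowerShell 2.0 or later from a machine using a public resolver (the SBS server's own DNS would answer with internal addresses for these names).

```powershell
# Added example, not from the original article. Assumptions: domain is
# example.com; PowerShell 2.0+; the machine uses a public DNS resolver.
$domain  = "example.com"
$names   = @("remote.$domain", "autodiscover.$domain")
# RFC 1918 ranges: CAs will not issue for these and remote clients cannot reach them
$private = '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)'

$seen = @{}
foreach ($n in $names) {
    try {
        $v4 = [System.Net.Dns]::GetHostAddresses($n) |
              Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
              ForEach-Object { $_.IPAddressToString }
    } catch {
        Write-Warning "$n does not resolve: $($_.Exception.Message)"
        continue
    }
    foreach ($ip in $v4) {
        if ($ip -match $private) {
            Write-Warning "$n resolves to private address $ip"
        }
    }
    $seen[$n] = ($v4 -join ',')
    Write-Host ("{0} -> {1}" -f $n, $seen[$n])
}

# Both names must point at the same public address (or CNAME to the same dynamic DNS host)
$remoteIp = $seen["remote.$domain"]
$autoIp   = $seen["autodiscover.$domain"]
if ($remoteIp -and $autoIp -and ($remoteIp -eq $autoIp)) {
    Write-Host "Both names point at $remoteIp"
} else {
    Write-Warning "remote.$domain and autodiscover.$domain should resolve to the same public address"
}

# Reverse DNS on that address should match the certificate's common name
if ($remoteIp -and $remoteIp -notmatch ',') {
    try {
        $ptr = [System.Net.Dns]::GetHostEntry($remoteIp).HostName
        if ($ptr -ieq "remote.$domain") {
            Write-Host "PTR for $remoteIp is $ptr (matches)"
        } else {
            Write-Warning "PTR for $remoteIp is '$ptr'; ask the ISP to set it to remote.$domain"
        }
    } catch {
        Write-Warning "No PTR record for $remoteIp"
    }
}

# The MX record for the domain should also use remote.example.com
$mx = nslookup -type=MX $domain 2>$null |
      Select-String 'mail exchanger = (\S+)' |
      ForEach-Object { $_.Matches[0].Groups[1].Value }
if (@($mx) -contains "remote.$domain") {
    Write-Host "MX for $domain includes remote.$domain"
} else {
    Write-Warning "MX records for $domain are '$($mx -join ', ')'; expected remote.$domain"
}
```

Run it once the registrar's changes have propagated; every warning it prints corresponds to one of the preparation steps above that has not yet taken effect.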

Certificate Request Generation and Response Installation

To generate the request, follow the main Exchange 2007 multiple SSL certificate guide, using these names:

  • remote.example.com
  • autodiscover.example.com

When you get the response back from your provider, continue to follow the guide up to the point about installing the response. DO NOT use the Enable-ExchangeCertificate command.

By using the Exchange Management Shell to do the certificate request you do not put the current self-generated certificate at risk, because the request and response don't touch it. The certificate is only changed later on in the process. Therefore there is no chance of existing users being interrupted.
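As an added example (not the article's own commands, nor the guide it links to), this is what the request, the import of the response, and a check that the existing certificate was left alone look like in the Exchange Management Shell on SBS 2008. It uses the Exchange 2007 cmdlet parameters that SBS 2008 ships with; the domain example.com, the organisation details in the subject, and the C:\CertReq paths are assumptions to replace with your own. The two halves run days apart, so the "before" snapshot is saved to disk between them.

```powershell
# Added example, not from the original article. Assumptions: Exchange 2007
# cmdlet syntax (as on SBS 2008), domain example.com, paths under C:\CertReq,
# organisation details in -SubjectName.
$domain   = "example.com"
$names    = @("remote.$domain", "autodiscover.$domain")
$reqPath  = "C:\CertReq\remote.$domain.req"
$respPath = "C:\CertReq\remote.$domain.cer"      # the file the SSL vendor returns
$snapPath = "C:\CertReq\services-before.xml"

# Snapshot of thumbprint -> services for every certificate Exchange has now,
# including the self-signed one SBS created during setup.
function Get-ServiceSnapshot {
    $h = @{}
    Get-ExchangeCertificate | ForEach-Object { $h[$_.Thumbprint] = "$($_.Services)" }
    return $h
}

# ---- Session 1: generate the request and send the .req file to the vendor ----
Get-ServiceSnapshot | Export-Clixml $snapPath
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=GB, o=Example Ltd, cn=remote.$domain" `
    -DomainName $names `
    -FriendlyName "remote.$domain" `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path $reqPath

# ---- Session 2: the response is back. Import pairs the issued certificate
# with the pending private key and assigns it to no service, so nobody is
# interrupted. Do NOT run Enable-ExchangeCertificate on SBS 2008; the SBS
# console's SSL certificate wizard does that part later. ----
Import-ExchangeCertificate -Path $respPath

# Check 1: an imported certificate carrying both names, with a private key
# and with Services = None (the wizard has not assigned it yet).
$certs = Get-ExchangeCertificate
$new = $certs | Where-Object {
    $doms = @($_.CertificateDomains | ForEach-Object { "$_" })
    ($doms -contains "remote.$domain") -and ($doms -contains "autodiscover.$domain") -and
    $_.HasPrivateKey -and ("$($_.Services)" -eq "None")
}
if (-not $new) {
    Write-Warning "No imported certificate found with both names, a private key and no services assigned"
} else {
    $new | Format-List Thumbprint, Subject, CertificateDomains, NotAfter
}

# Check 2: every certificate that was in use before still has exactly the
# services it had, i.e. the request and import did not touch it.
$before = Import-Clixml $snapPath
foreach ($c in $certs) {
    if ($before.ContainsKey($c.Thumbprint) -and ($before[$c.Thumbprint] -ne "$($c.Services)")) {
        Write-Warning "Services on $($c.Thumbprint) changed from $($before[$c.Thumbprint]) to $($c.Services)"
    }
}
```

If check 2 prints a warning, something other than this procedure changed the bindings and the SBS wizard in the next step should be approached with that in mind; if check 1 finds nothing, the response did not match the pending request on this server.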

Activating the Certificate

Now this is where things differ from a full Exchange 2007 product installation.

In the SBS Management Console, start the SSL certificate wizard. Select the option to use an existing certificate. Your new multiple-name (UC) certificate with the additional names should be listed. Select it and then complete the wizard. SBS will install the certificate in to the web sites correctly for you.
You should then be able to browse to https://remote.example.com/remote and use the full feature set.

You can verify the certificate is installed correctly by using the Fix my Network wizard, which shouldn't touch the certificate installation, or by running the SBS Best Practices tool. The link to the current version can be found on the Exchange Resources site at http://exbpa.com/

You can also test it with a test account on the Microsoft test site at https://testexchangeconnectivity.com/