Renew your SSL Certificate : SBS 2011 Essentials
June 20, 2012 10 Comments
I am going through the renewal process, so I thought it might be an idea to document and blog it in case anyone else is also doing this.
SSL certificates and renewals are one of the topics I am asked about most frequently. They seem to cause a lot of concern and, because the task is carried out rarely (typically once a year or two), people get rusty.
- First thing to remember: it really is not a difficult process.
- Second: most mistakes are easy to fix, so don't worry about them. The private key stays on the server, and you can generate a fresh CSR and redo the whole sequence at any time before you bind the new certificate.
- Third: the one thing you must get right is the Common Name (CN). It has to match the public host name clients will connect to, exactly, and once the CA has signed it the only fix is a reissue, which with some CAs means paying again.
The first thing that I did was receive an email from my SSL provider, telling me my certificate was due for renewal. I ignored this, and then received another today telling me it had been auto-renewed and thanks very much for the $20.00 I just spent. (Imagine me making a Muttley type noise here.)
To renew the certificate we first need to produce a CSR on the server and submit it to our CA.
CSR = Certificate Signing Request (a Base64 text file containing your public key and the subject details; the matching private key never leaves the server)
CA = Certificate Authority (Verisign, GoDaddy, RapidSSL and so on)
We can create the CSR on any server, but since IIS7 it has been a lot easier to do the whole process on the same server that already holds your certificate. In IIS6 we would generally create a dummy website to generate the CSR and install the response.
On our SBS Server, open up IIS Manager.
Select your Server Name, and then find Server Certificates.
Inside Server Certificates you will see all of the certificates currently installed on the server.
In the Actions pane at the top right, click Create Certificate Request.
Fill out the information requested, taking care to get the Common Name exactly right (the public host name, e.g. remote.yourdomain.com, not the internal server name).
On the next page leave the provider as Microsoft RSA SChannel Cryptographic Provider and change the Bit Length to 2048. 1024-bit keys are no longer accepted by public CAs, and some will reject the CSR outright.
Then browse to a path on the server to save your request file.
When you have saved your Request file, you are returned back to the IIS Manager.
The content of your CSR is a block of Base64 text between a "-----BEGIN NEW CERTIFICATE REQUEST-----" line and an "-----END NEW CERTIFICATE REQUEST-----" line. It contains only the public key and the subject details you typed; the private key was generated at the same time and is kept in the server's certificate store as a pending request.
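The same CSR can be produced from the command line with certreq.exe, which is useful if you want the request repeatable or want to check it before it goes to the CA. The script below is an added example for this post, not the author's procedure or anything from the IIS Manager wizard; the host name, organisation details and file paths are placeholders you would replace with your own. It writes a certreq INF file, generates the 2048-bit key and CSR in the machine store (so IIS can use it), and then decodes the CSR with certutil to confirm the CN and key length before anything is sent to the CA.

```powershell
# Added example (not from the original post): generate the CSR with certreq.exe
# and verify its subject and key length before submitting it to the CA.
# $commonName, the O/L/S/C values and the paths below are placeholders (assumptions).
$commonName = 'remote.example.com'   # must be the public name clients will type
$csrPath    = 'C:\certs\remote.example.com.csr'
$infPath    = 'C:\certs\remote.example.com.inf'

New-Item -ItemType Directory -Path (Split-Path $csrPath) -Force | Out-Null

# certreq INF: 2048-bit RSA key, machine store (MachineKeySet) so IIS can read it,
# exportable so the certificate can later be backed up together with its private key.
# HashAlgorithm = SHA256 asks for a SHA-256 signed request (assumed supported by the CA).
$inf = @"
[NewRequest]
Subject = "CN=$commonName, O=Example Ltd, L=London, S=London, C=GB"
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
FriendlyName = "$commonName renewal"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# -new creates the key pair as a pending request in the machine store and writes
# the Base64 PKCS#10 request to $csrPath (same format IIS Manager produces).
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Decode the request and confirm the CN and key length BEFORE it goes to the CA:
# a misspelt CN is the one mistake the CA will happily sign.
$dump = certutil.exe -dump $csrPath | Out-String
if ($dump -notmatch "CN=$([regex]::Escape($commonName))") {
    throw "CSR subject does not contain CN=$commonName; fix the INF and re-run"
}
if ($dump -notmatch 'Public Key Length: 2048 bits') {
    throw 'CSR public key is not 2048 bits'
}
Write-Host "CSR verified (CN=$commonName, 2048-bit RSA). Paste this into the CA's form:"
Get-Content $csrPath
```

If the checks throw, simply correct the INF and run certreq.exe -new again; the unused pending request can be deleted later from the Certificates MMC snap-in (Certificate Enrollment Requests store). Nothing has been sent to the CA at this point, so there is no cost to starting over.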
Next we need to submit our CSR to the CA.
The process will vary from CA to CA, however i am using Enom which is where i purchased my certificate.
Copy and paste the content of your CSR EXACTLY as is, including the BEGIN and END lines; some CAs simply let you browse for the file and read it in for you.
When you submit the file, you should be prompted to confirm the Common Name and any other details. Check the CN once more here; this is your last chance before it is signed.
An email or other authentication method is then used to verify ownership of the domain in question. You often do not get to choose the address: CAs typically offer only the domain's WHOIS contacts or a fixed set such as admin@, administrator@, hostmaster@, postmaster@ or webmaster@ at the domain, so make sure one of those reaches you.
When you receive the email, you have the choice to approve or reject the request.
Other methods exist for verification: when I purchased a certificate from GeoTrust once I had a phone call that recorded my voice, and with some CAs I have had to create DNS records or add HTML files to a website.
All of these steps go some way to proving that you are indeed in control of the domain you want to secure with SSL.
After you have passed verification you will be sent further instructions from your CA about how to retrieve your certificate.
At this point the file the CA sends you is the signed certificate, which contains only your public key. The private key that belongs to it was generated on the server when you created the CSR and is sitting there as a pending request, so you need to complete the request in IIS to pair the two before the certificate can be used. This is also why the response must be imported on the same server that generated the CSR.
In my case I am sent an email containing the response text, which I copy and paste into Notepad, and save.
Switching back to IIS, in Server Certificates I can choose Complete Certificate Request.
I can browse to my file, select it, and enter a friendly name so I can find it easily in the list of other certificates.
Your certificate should then be installed into IIS, shown in Server Certificates with the new expiry date. Now we can assign it to our website.
Expand sites, and expand Default Web Site.
Select the Default Web Site, and on the right hand side choose Bindings.
In Bindings, select the listed item with the port number 443, then click Edit. You can click View to see the current certificate, or use the drop down menu to find another certificate.
You should see your 'friendly name' listed; select it. You can then choose to View the certificate if you want, or just click OK to bind it to the website. The old certificate stays in the store until you delete it, so you can switch back in exactly the same way if something goes wrong.
Then switch to an external client and verify that the new certificate is presented when you connect: open the certificate in the browser and check the expiry date and that the CN matches the address bar. If the client reports an untrusted chain even though the certificate is new, the CA's intermediate certificate is missing from the server's Intermediate Certification Authorities store; most CAs supply it alongside your certificate.
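The completion, binding and external check above can also be done from PowerShell, which gives you something you can keep and re-run at the next renewal. This is an added example written for this post, not the author's steps or a Microsoft script; the response file path and host name are placeholders, the binding is assumed to be on all addresses (0.0.0.0) port 443, and the Get-RemoteCertificate function is a helper defined here, not a built-in cmdlet. The first part (certreq.exe -accept) is the command-line equivalent of Complete Certificate Request; the last part connects to the public name from the outside and compares the thumbprint the server actually presents with the one you just installed.

```powershell
# Added example (not from the original post): complete the request with the CA's
# response, bind the new certificate to port 443, and verify it from an external client.
# $responsePath, $commonName and the 0.0.0.0!443 binding are placeholders (assumptions).
$responsePath = 'C:\certs\remote.example.com.cer'   # the text the CA sent, saved as-is
$commonName   = 'remote.example.com'

# --- Server side: equivalent of "Complete Certificate Request" -------------------
# -accept -machine pairs the signed certificate with the private key generated
# for the CSR and places the result in LocalMachine\My (the Personal store).
certreq.exe -accept -machine $responsePath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Locate the newest certificate for this CN that actually has its private key;
# HasPrivateKey is the check that the pairing worked.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($commonName))" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$commonName" }
Write-Host "Installed: $($cert.Subject) expires $($cert.NotAfter) thumbprint $($cert.Thumbprint)"

# Bind it: IIS:\SslBindings maps IP!port to a certificate, same as Edit Binding in IIS Manager.
Import-Module WebAdministration
$bindingPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $bindingPath) { Remove-Item $bindingPath }
New-Item $bindingPath -Value $cert | Out-Null
Write-Host "Bound $($cert.Thumbprint) to 0.0.0.0:443"

# --- Client side: what does the server really present? ---------------------------
# Helper defined in this example (hypothetical name). It deliberately accepts any
# certificate during the handshake because we want to inspect it, not trust it.
function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

# Run this part from a machine outside the network (hairpin NAT on the server itself
# may not reach the public address). Compare thumbprints, not just the expiry date.
$remote = Get-RemoteCertificate -HostName $commonName
if ($remote.Thumbprint -ne $cert.Thumbprint) {
    throw "Server still presents $($remote.Thumbprint) (expires $($remote.NotAfter)); check the binding"
}
Write-Host "External check OK: $($remote.Subject) valid until $($remote.NotAfter)"
```

Because the check accepts any certificate during the handshake, it tells you which certificate is served but not whether clients will trust it; for that, open the site in a browser from the same external machine and confirm there is no chain warning.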
If you are using Microsoft's free 'remotewebaccess.com' domain you will not need to renew your certificate in this way, as that domain comes with a free 5 year certificate from GoDaddy managed by the Essentials domain wizard.