Manually creating a Certificate Request Windows Server 2012 Essentials (Essentials R2 & SBS 2011)

Following on from my recent post about SSL issues, another topic of conversation is the actual SSL installation process for the RWA.

Again I have blogged on that before, and the new Essentials 2012 wizard makes the process a lot easier. However, if you get stuck generating a CSR (Certificate Signing Request), you can always use IIS to do this for you.

Loading up IIS we can find Server Certificates.


On the right hand side you have the option to Create a Certificate Request, and inside here we have a form to fill out our details. The common name field is the name we will use to address our site over the internet.


On the next page set the key length to 2048, and then click next to save the file.


I will then paste the content of my CSR file into the website of my Certificate Authority (your CA may vary).


Once the CA has carried out its verification checks they will issue your certificate.


In some cases this will be text inside an email, it may be in the form of a file you download, or a collection of files that are emailed to you.

In this particular case I received a zip file.

Inside the zip file you can see I have a txt file with instructions and a CER file, which is the CA’s response file to my CSR. I need to use this file in IIS to complete the certificate installation process.

I have also seen this response file named CRT, but the file extension is not that relevant; the contents of the file are what is important, and these files can be read with any text editor like Notepad.


As I said, this could just be text in an email, which you can save into a file with a .cer or .txt extension.


So we get this file over to our server, and we can choose ‘Complete Certificate Request’. You will then need to point to the file that they sent you and enter a friendly name.


The friendly name is just an identifier used within IIS or the Certificates MMC to help identify a particular cert. The friendly name can be anything you like.


Once the install has completed you will see your certificate listed.


You can then right click on this and choose Export, and enter a path and password to export your certificate out to a PFX file.


It is this PFX file we can then use to install our Certificate with the Essentials wizard.
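Before handing the PFX to the wizard, it is worth confirming that the export really contains the private key, that the key is at least 2048 bits, and that the common name is the one you will use to reach the site. The following is an added example, not part of the original post; the function name, file path and host name are hypothetical, and it assumes an RSA key as created through the IIS form.

```powershell
# Added example, not from the original post. Path and host name below are placeholders.
function Test-ExportedPfx {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [securestring] $Password,
        [Parameter(Mandatory = $true)] [string] $ExpectedHostName,
        [int] $MinimumKeyBits = 2048
    )

    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Opening the file with the password confirms it parses as a PFX (PKCS#12).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($fullPath, $Password)
    try {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]
        # Common name, plus the DNS name .NET reports for the certificate.
        $names = @(
            $cert.GetNameInfo($nameType::SimpleName, $false)
            $cert.GetNameInfo($nameType::DnsName, $false)
        ) | Where-Object { $_ } | Select-Object -Unique

        $now         = Get-Date
        $keyBits     = $cert.PublicKey.Key.KeySize      # assumes an RSA key, as created in IIS
        $nameMatches = @($names) -contains $ExpectedHostName
        $validNow    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            HasPrivateKey  = $cert.HasPrivateKey
            KeyBits        = $keyBits
            NameMatches    = $nameMatches
            NotAfter       = $cert.NotAfter
            ValidNow       = $validNow
            ReadyForWizard = $cert.HasPrivateKey -and ($keyBits -ge $MinimumKeyBits) -and
                             $nameMatches -and $validNow
        }
    }
    finally {
        $cert.Reset()   # release the key material loaded from the file
    }
}

# Usage (placeholder values):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Test-ExportedPfx -Path 'C:\Temp\remote.pfx' -Password $pw -ExpectedHostName 'remote.example.com'
```

If `HasPrivateKey` comes back `False`, the file holds only the public certificate and the wizard will not be able to use it; re-export from the server that generated the CSR.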

On SBS 2011 Essentials, using your own pre-existing Certificate presented a challenge, and required a special installation process.

On 2012 Essentials the wizard is actually redesigned and you can very easily use your own existing Certificates.

This flow chart should help guide you through to the right place in the wizard.

[Flow chart: RWA-SSL-DecisionOMatic]

The process to export out a certificate to a PFX file, and import it using the Anywhere Access wizard, can also be used when you need to renew your certificate, or if you have problems with the Remote Desktop Gateway Service using an incorrect SSL Certificate.

It will also work on Essentials 2012 R2.

About Robert Pearman
Robert Pearman is a UK based IT worker bee. He has been working within the IT Industry for what feels like forever. Robert likes Piña colada and getting caught in the rain, he also enjoys writing about Technology like PowerShell or System Automation but not as much as he used to. If you're in trouble, and you can find him, maybe you can ask him a question.

11 Responses to Manually creating a Certificate Request Windows Server 2012 Essentials (Essentials R2 & SBS 2011)

  1. An outstanding share! I’ve just forwarded this onto a co-worker who has been doing a little research on this. And he actually ordered me breakfast because I stumbled upon it for him… lol. So let me reword this…. Thank YOU for the meal!! But yeah, thanks for spending the time to discuss this matter here on your website.

  2. mcbsys says:

    Thanks for that flowchart. Once I figured out how to start the Anywhere Access wizard, I managed to create a new request and install the certificate. I think the confusing thing is that you ask for a NEW certificate as opposed to SBS 08’s “I want to renew my current trusted certificate with the same provider.” I documented these details for 2012 Essentials:

    Start the Essentials dashboard. In the upper right corner, click on Settings. In the Settings dialog, in the left column, click on Anywhere Access. Under Domain name, click “Set up” to start the wizard.
    Getting Started: (No settings)
    Configure your domain name: Import a new trusted SSL certificate
    Set up a trusted SSL certificate: “remote” is already there. Choose I want to purchase a trusted SSL certificate for the domain name.
    Generate a certificate request: Copy
    [get the cert from your provider]
    A trusted SSL certificate request is in progress…: I have the trusted SSL certificate information from my certificate provider
    Import the trusted certificate: Copy and paste…
    Repair as suggested in last pane

    It’s not clear to me if this is creating a new private key or reusing the old one. I guess it doesn’t matter. Regardless, export to PFX as you describe above. Also, I delete the previous year’s certificate while in Certificate Manager. At least with SBS 08, if you didn’t do that, it would keep putting warnings in the event log.

  3. Alan Day says:

    Hi, newbie here. This is our first server (and mine) that we are setting up. It is with Server Essentials 2012. We are a non-profit. Our hosting company provides one free SSL Cert per year, normally $15, and they say there is no PFX or any other file from them. I have been struggling to make this work for Remote Web Access wizard.

    Will this type of cert ever work for this? Or do I need to buy the more expensive one from GoDaddy?

    If we do get this more expensive cert and it works, will I be able to do Remote Control of my desktop? How many people will be able to do this?
    We currently do pay some for remote control like GoToMy… and Logmein. If the remote web access in server essentials 2012 will do this I can probably sell them on buying the more expensive SSL Cert and cancelling the other

    Alan

    • remote web access, the domain, is provided by Microsoft.

      Microsoft also provide a free SSL certificate for the sub domain of your choice.

      You need to run the Anywhere Access wizard, and choose to create a new domain name, then choose the option of getting one from Microsoft. The wizard will do the rest.

      • mcbsys says:

        Interesting–I wasn’t aware of the free “subdomain” option from Microsoft. To clarify, if you go that route, you will log in to the server (and through the server to the desktops) as “[myorgname].remotewebaccess.com”. See “Understand Microsoft personalized domain names” here:

        http://technet.microsoft.com/en-us/library/jj628152.aspx#BKMK_PersonalizedNames

        This wouldn’t affect your public web site, just logging in to 2012E. That is arguably the simplest route. If for some reason you must use “remote.[myorgname].com”, it can be done but requires more advanced DNS and server configuration, part of which Robert explains in the post above.

      • birdman895 says:

        That is part of the problem. We already have an existing domain name that we want to keep. And also plan to leave it hosted where it’s at (DreamHost) since we get that free being a non-profit.
        With Microsoft are you saying that we can get free hosting and a free SSL Cert? If not, I’m thinking of using the cert we have and going through your procedure listed above. This cert is available as text in three parts; “Certificate”, “Private Key”, and “Intermediate Certificate”. Would I use the Certificate or the Intermediate Certificate?

      • If your certificate is already installed into IIS on another server, you can export it with the private key, to create a PFX file.

        If it is not, or is on another system like Apache, the best way to transfer would be to get your CA to reissue, against a new CSR generated by the Essentials Server.

      • mcbsys says:

        Birdman: with the Microsoft approach, you can keep your existing domain hosted at Dreamhost for your public-facing web site, and use [myorgname].remotewebaccess.com for private access to your server. They are different domains so they will not conflict. Only your employees need to know about the [myorgname].remotewebaccess.com domain.

  4. birdman895 says:

    As a follow up, can I paste this text from this cert into a text file, name it with a .cer extension, and then start your above procedure at the point where it says
    “So we get this file over to our Server, and we can chose to ‘Complete Certificate Request’, you will then need to point to the file that they sent you and enter a friendly name.”?

  5. Ruth says:

    Great article. I spent ages trying to export a cert from mmc as a pfx and was unable to as it said the private key was not available. Followed the export instructions above from IIS and worked perfectly! Thanks!
