It seems many existing third-party SSL certificates on Small Business Server 2008 are expiring, and some people are confused about how to renew them. Instructions on the internet often involve lengthy procedures in the IIS management console. The forums show that these methods frequently result in a failure to import the certificate, or in a certificate that is not properly bound to the default SBS web sites.
SBS makes this process very easy. Once again, use the wizards, use the wizards, use the wizards…
Note: This article addresses SBS 2008 and SBS 2011 Standard. If running SBS 2011 Essentials, I recommend reviewing Robert Pearman’s blog article, “Renew your SSL Certificate : SBS 2011 Essentials”.
I should confirm that this article addresses third-party SSL certificates. If you are using an SBS self-signed certificate, you simply need to run the “Fix My Network Wizard” to renew.
Open the Windows SBS console and browse to Network | Connectivity | highlight “Certificate” | in the right-hand menu select “Add a trusted certificate”.
Choose “I want to renew my current trusted certificate with the same provider”.
Allow the encrypted certificate request to be generated and click copy. You could go from here directly to the vendor from whom you are going to purchase and renew the certificate, but there are often delays with the process, so I recommend pasting the request into Notepad to retain the text for a few minutes. Alternatively, you can click the “save to file” button and accomplish the same thing.
If you think the provider will supply the certificate immediately, you can leave this window open and wait, but most often it is best to put the process in “suspend mode” by selecting “My certificate provider needs more time to process the request”
….and complete the wizard.
Next, log on to your certificate provider’s web site, purchase the certificate renewal, create the certificate by copying and pasting the saved contents of Notepad (the encrypted CSR text) when prompted, wait for your certificate approval (usually sent by e-mail), download the certificate, and save it to a location of your choice on the server.
Now you can import the certificate. Once again open the Windows SBS console and browse to Network | Connectivity | highlight “Certificate” | in the right-hand menu select “Add a trusted certificate”. This time choose “I have a certificate from my certificate provider”.
Browse to the location where you saved the certificate.
….and complete the wizard.
You can confirm your certificate has been imported / updated by choosing “View certificate properties” from the same Windows SBS console window, and reviewing the expiry date.
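The same confirmation can be scripted. The following is an added example, not part of the original article: it reads the certificate hash of each HTTPS binding from netsh, looks that certificate up in the local machine store, and reports its expiry date and signature algorithm, which also shows whether the renewed certificate is the one actually bound. It assumes PowerShell 2.0 or later, an elevated prompt, and English-language netsh output.

```powershell
# Added example: report the certificate bound to each HTTPS listener and
# check its expiry date and signature algorithm.
# Assumption: 'netsh http show sslcert' prints English field labels.
$now = Get-Date

# Collect endpoint / certificate-hash pairs from the HTTP.SYS bindings.
$bindings = @()
$endpoint = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
        $endpoint = $Matches[1]
    } elseif ($line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
        $bindings += New-Object PSObject -Property @{
            Endpoint   = $endpoint
            Thumbprint = $Matches[1].ToUpper()
        }
    }
}

$report = foreach ($b in $bindings) {
    # Bound server certificates live in the local machine Personal store.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $b.Thumbprint }
    if (-not $cert) {
        Write-Warning "$($b.Endpoint): bound thumbprint $($b.Thumbprint) is not in LocalMachine\My"
        continue
    }
    $alg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA or sha1RSA
    New-Object PSObject -Property @{
        Endpoint   = $b.Endpoint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - $now).TotalDays
        Signature  = $alg
        SelfSigned = ($cert.Subject -eq $cert.Issuer)  # third-party certs differ
        Sha1Signed = ($alg -match '^sha1')
    }
}

$report | Format-List Endpoint, Subject, Issuer, NotAfter, DaysLeft, Signature, SelfSigned, Sha1Signed
```

A binding that still shows the old NotAfter date after the wizard completes means the import succeeded but the web site is still using the previous certificate.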
Comments on: "SBS 2008/2011 Renew 3rd party Certificate" (15)
My brother suggested I may like this blog. This post actually made my day. You can not consider just how so much time I had spent for this info! Thank you!
Outstanding! Thank you for posting this – just saved me a lot of time.
Superb, what a web site it is! This blog provides useful data to us, keep it up.
There’s certainly a lot to know about this issue.
I love all the points you made.
I’ve been surfing online more than 2 hours today, yet I never found any article like yours. It is pretty worth enough for me. In my opinion, if all web owners and bloggers made good content as you did, the net will be much more useful than
Excellent write up and thanks for hammering the “use the wizards” approach. Thank You!
Heya, I am for the first time here. I found this board and I find it really helpful & it helped me out a lot.
Very good site you have here!
You are wonderful! Thanks!
Thanks for an informative website.
Very good. Excellent article, well written and to the point. We need more articles like this one.
Can’t believe how much I hated this process. This is the last time I need to do it and I find your blog about a wizard! Brilliant, so easy thanks.
How does this process work for going from a GoDaddy SHA1 certificate to a SHA2 as it relates to SBS 2011?
Assuming your server has all relatively recent updates, it will request an SHA-2 and GoDaddy will issue an SHA-2 certificate. The process is the same. Use the new CSR. If it is already filled in on the GoDaddy site, just replace it with the new text. Once done, you can verify it is an SHA-2 by visiting https://shachecker.com/ or https://shaaaaaaaaaaaaa.com/. My understanding: if you look at the certificate details, you want to see the signature algorithm as sha256RSA, but the thumbprint algorithm always shows SHA1. (Note: Chrome itself may incorrectly report it is SHA-1; see: https://sslmate.com/blog/post/chrome_cached_sha1_chains )