[Note: some links point to SBS 2008 configurations, some to SBS 2011, the procedure is the same for both]
Just a quick comment to address the many internet posts suggesting that SBS requires a multi-name SSL certificate (UCC, Unified Communications Certificate). This is not true. SBS is designed to use a simple, inexpensive, single-name certificate, and it is quite easy to install. A basic GoDaddy or other vendor certificate is all that is required. Sean Daniel outlines the process very nicely in his post entitled “Installing a GoDaddy Standard SSL Certificate on SBS 2008”. Keep in mind that the FQDN for your site as recorded in your public DNS records, the certificate name, and the public name used in the “Internet Address Wizard” (see step #7) must all be exactly the same. As a matter of fact, although it is possible to use a UCC certificate, the wizard will not install it for you; you would have to do so manually. There is no need for the additional cost or time involved with multi-name certificates. (The link below will take you to the GoDaddy site and should have a menu bar at the top offering you a very good first-year discount.)
The primary argument for using a UCC certificate is to make use of auto-discovery. You do not need auto-discovery, but if you wish to use it you still do not need a UCC certificate. You can configure auto-discovery with a single-name certificate by creating an SRV DNS record, following the ThirdTier.net instructions in “Setting up Autodiscover for SBS 2011”.
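The rule above (public DNS name, certificate name and wizard name must be identical) and the SRV-based autodiscover setup share one failure mode: if any of the names drifts, clients get a certificate-name warning, and users learn to click through it. The following checker is an added example, not code from the original post or from Sean Daniel's or ThirdTier.net's instructions. The host names are constructed (DomainName.com is borrowed from the pingback example further down), the configuration is supplied by hand from the wizard, the certificate's Subject and your DNS records, and the SRV record format shown is the standard Outlook `_autodiscover._tcp` lookup on port 443.

```python
"""
Name-consistency check for an SBS 2008/2011 Internet-facing configuration.

Three names must be identical: the public DNS record, the certificate's
name, and the name entered in the Internet Address Wizard. If autodiscover
is added with an SRV record, its target must be covered by the same
certificate, otherwise Outlook shows a certificate warning.

Added example, not code from the original post. All host names are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


@dataclass
class SbsNames:
    wizard_name: str                  # public name entered in the Internet Address Wizard
    dns_record: str                   # owner name of the public A (or DDNS) record
    cert_common_name: str             # Subject CN of the installed certificate
    cert_sans: List[str] = field(default_factory=list)  # SAN dNSName entries; empty for a single-name certificate
    srv_target: Optional[str] = None  # target of the _autodiscover._tcp SRV record, if autodiscover is used


def cert_covers(names: SbsNames, host: str) -> bool:
    """True if the certificate was issued for exactly this host (CN or SAN).

    Wildcards are deliberately not honoured: the wizard expects an exact
    single-name match, and an exact match is what clients end up checking.
    """
    issued_for = {normalize(names.cert_common_name)}
    issued_for.update(normalize(s) for s in names.cert_sans)
    return normalize(host) in issued_for


def check_names(names: SbsNames) -> List[str]:
    """Return a list of mismatches; an empty list means the configuration is consistent."""
    problems = []
    wizard = normalize(names.wizard_name)
    if normalize(names.dns_record) != wizard:
        problems.append(
            f"public DNS record {names.dns_record!r} does not match wizard name {names.wizard_name!r}"
        )
    if not cert_covers(names, wizard):
        problems.append(
            f"certificate {names.cert_common_name!r} was not issued for wizard name {names.wizard_name!r}"
        )
    if names.srv_target is not None and not cert_covers(names, names.srv_target):
        problems.append(
            f"autodiscover SRV target {names.srv_target!r} is not covered by the certificate"
        )
    return problems


def autodiscover_srv(domain: str, target: str, ttl: int = 3600) -> str:
    """Zone-file form of the SRV record that points Outlook autodiscover at the
    remote host over HTTPS (port 443), so no extra certificate name is needed."""
    return f"_autodiscover._tcp.{normalize(domain)}. {ttl} IN SRV 0 0 443 {normalize(target)}."


# Constructed scenarios: one consistent setup and one with the classic mismatches.
CONSISTENT = SbsNames(
    wizard_name="remote.DomainName.com",
    dns_record="Remote.DomainName.com.",    # case and trailing dot do not matter
    cert_common_name="remote.DomainName.com",
    srv_target="remote.DomainName.com",
)

MISMATCHED = SbsNames(
    wizard_name="remote.DomainName.com",
    dns_record="mail.DomainName.com",       # DNS sends clients to a different host name
    cert_common_name="www.DomainName.com",  # certificate bought for the wrong name
    srv_target="remote.DomainName.com",
)

if __name__ == "__main__":
    for label, cfg in (("consistent", CONSISTENT), ("mismatched", MISMATCHED)):
        print(label, check_names(cfg) or "OK")
    print(autodiscover_srv("DomainName.com", "remote.DomainName.com"))
```

Run it after changing any one of the three names (re-running the wizard, renewing the certificate, moving to a DDNS provider) and it tells you which of the three has drifted before users see a warning. Wildcard names are intentionally rejected because the single-name workflow described here never needs them.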
Alternatively, you can avoid buying an SSL certificate altogether. After running the SBS “Internet Address Management Wizard”, a self-signed certificate is generated in the SBS share \\SBSname\Public\Downloads\Certificate Distribution Package. Machines joined to the domain after this will have the certificate installed automatically. If you generate a new certificate (by re-running the wizard), or have non-domain-joined computers or devices, you need to copy and install the certificate manually. To distribute and install the certificate on the PCs, please see “How Do I Distribute the SBS 2008 Self-Signed SSL Certificate to My Users?”. This is often not as easy on other devices such as smart phones, so a third-party certificate becomes much more attractive: nothing has to be installed on the connecting device.
Should you have a dynamic public IP at the SBS site, I recommend reading “Using DDNS services with SBS 2008/2011” which outlines using a dynamic IP, a DDNS service, and configuring DNS and certificates.
Comments on: "SBS 2008 / 2011 adding an SSL certificate" (7)
[…] Once your DDNS service is configured you may want to purchase a 3rd party SSL certificate from a vendor such as http://www.godaddy.com . The certificate eliminates the need to install the SBS self-signed certificate on remote devices connecting to your server. This will work with a dynamic IP and a DDNS service, but as mentioned the name created by the SBS to be used remotely (in our example remote.DomainName.com), the public DNS record, and the SSL certificate must all be the same. For details regarding installing an SSL certificate on SBS 2008/2011 see: https://blog.lan-tech.ca/2012/05/17/sbs-2008-2011-adding-an-ssl-certificate/ […]
Clever work! Keep up the good work guys. I’ve added you to my own blogroll.
This is a very good tip. Brief but very accurate info… Appreciate your sharing this one.
A must read post!
Well written article. Thanks. I will certainly come back.
Instead of running the “Internet Address Management Wizard”, can I create a certificate service request from IIS, complete the CSR, and then bind the certificate to the https port?
My apologies I missed this question.
The number one rule with SBS and Essentials is “always use the wizards”. The Internet Address Wizard does much more than just create a certificate; it is linked to numerous services. It sets up DNS for your public domain name, configures Exchange to manage the domain name, configures the RD Gateway, adds the certificate properly for all services, and much more. It is very important to run it, and before doing so, the “Connect to the Internet” Wizard.