Multiple Certificates On SBS

Discussion in 'Windows Small Business Server' started by HotSizzauce, Mar 2, 2006.

  1. HotSizzauce

    HotSizzauce Guest

    Hello,

    Is it possible to have more than one self-created cert on one server? We are
    running 2 separate sites that are accessible only by our employees and it
    seems a waste to use a trusted authority to issue the cert for this function,
    but I can only seem to have one self-made cert at a time. (One overwrites
    the other when you run the wizard.)

    Thanks all!
     
    HotSizzauce, Mar 2, 2006
    #1

  2. Hi,

    Thanks for using the SBS newsgroup.

    From your description, I understand that you want to know if you can create
    two private certificates for two different sites in an SBS 2003 environment.
    If I am off base, please don't hesitate to let me know.

    Yes, we can. When we run CEICW (Server Management console -> Configuration
    E-mail and Internet Connection Wizard -> Connect to the Internet), one
    certificate is created, located on the Default Web Site. If you want to
    create an additional certificate yourself for use on a different site,
    you can run CEICW to create a cert named CertA, then export the cert. Next,
    run CEICW to create a cert named CertB, then import the cert CertA to
    wherever you want. After CEICW has created the cert, it is located on the
    Default Web Site and you can then export the certificate via the "Directory
    Security" tab, "Server Certificate" and "Export the current certificate
    to a .pfx file". Then, you can import the certificate to the desired websites
    by following the steps outlined in the following KB Q816794.

    HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003
    http://support.microsoft.com/?id=816794

    However, please note that if you are using ISA to web-publish your
    websites, only one certificate can be bound to one ISA Incoming Listener,
    that's to say, if you only have one external interface on which the Incoming
    Listener is listening, you can only use one certificate for all of your
    web-published sites.

    The sub-directories under the same IIS website will use the same
    certificate. For example, OWA and RWW will use the same certificate and
    there's no way to configure them to use different certificates since
    they're both under the "Default Web Site".

    Hope above information helps! I am happy to be of assistance to you and
    look forward to your reply.

    Have a nice day!

    Sincerely,

    Jenny Wu
    Microsoft CSS Online Newsgroup Support
    Get Secure! - www.microsoft.com/security
    ======================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    ======================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
     
    Jenny wu [MSFT], Mar 3, 2006
    #2

  3. HotSizzauce

    HotSizzauce Guest

    Hello Jenny and thank you for the info!

    I tried to follow your instructions but I was derailed. Here's what happens:

    This is how it's setup before I run CEICW:

    1. The Default Web Site / Directory Security / View Certificate in IIS shows a
    cert installed by the name of publishing.domain.local (self-created).

    2. When you access the RWW web page and click on the golden lock in the
    bottom right-hand side of the browser window, it shows the cert being used as
    "mail.company.com" (our purchased cert).

    Then I tried to create a new cert by the name of Intra.company.com. (That
    worked.)
    I assigned it to the appropriate site but then I could not get the original
    (purchased) cert back as the "default" cert used by the server. It caused all
    the people that use Pocket PCs for email to stop functioning.

    Also, can you make SBS stop sending email to every user every time the
    wizard is run?

    Lastly, if you could recommend a good document that will set me straight on
    all this CERT talk I would greatly appreciate it!

    I don't see anywhere in IIS where that cert is installed. Is there another
    place to install a cert for use by ISA?
     
    HotSizzauce, Mar 6, 2006
    #3
  4. Eriq Neale

    Eriq Neale Guest

    Comments inline...

    This is correct when ISA is installed. The CEICW creates two certs when
    ISA is installed. publishing.domain.local gets installed in the IIS
    config, and the public-facing cert is installed in ISA. This is because
    ISA uses the public cert to decrypt incoming traffic for the public web
    name, then re-encrypts the traffic using the internal cert and passes
    the traffic along to IIS, which uses the internal cert to decrypt the
    incoming traffic, etc., etc., etc.

    Again, this is what you should see. The public cert held by ISA is what
    is presented to the remote client, so as far as the remote client
    knows, it's only talking to mail.company.com, not
    publishing.domain.local.

    What you actually needed to do here was put the new cert in the ISA
    config, ideally through the CEICW, so that the public-facing cert is
    presented to the remote clients. You actually broke a couple of things
    by doing this. First, no remote machine is going to see the
    intra.company.com cert because you only enabled it in IIS, and second,
    ISA is not going to be able to send the encrypted HTTPS traffic
    correctly to IIS because ISA is encrypting the data using the
    publishing.domain.local cert, which is no longer in the IIS config.

    At this point, with the new cert in hand, you should be able to rerun
    the CEICW, tell it which cert to use as the public cert, and the wizard
    should take care of putting the right pieces in the right places.

    Which wizard and what e-mail?

    HTH...

    -Eriq
    --
    Eriq Neale - SBS MVP, Small Business Specialist, MCSE, Mac Guru
    EON Consulting - www.eonconsulting.net
    Author of Microsoft Small Business Server 2003 Unleashed
    Listen to the eOnCall Radio broadcast at Apostle Internet Radio
    (www.apostleradio.org) or hear past episodes at www.eoncall.com
     
    Eriq Neale, Mar 7, 2006
    #4
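As an added example (not code from the thread, from Microsoft or from Eriq), the following Python probe reports which certificate a TLS listener actually presents and whether its name matches what clients connect to. That is the check behind both Jenny's note that only one certificate can be bound to an ISA Incoming Listener and Eriq's point that the remote client only ever sees the public cert held by ISA while IIS keeps presenting publishing.domain.local: run it from the outside against the public name and from the inside against the IIS listener, and the two answers should differ exactly as Eriq describes. Host names are the thread's placeholders, the certificate dicts are constructed to mirror the setup (including the intra.company.com cert the poster bound to IIS by mistake), and fetch_peer_cert is the only part that needs a network.

```python
"""Report which certificate a TLS listener presents and whether it matches the
name clients use.  Added example for this thread, not code from the original
posts.  In the ISA bridging set-up described, the external listener should
present the public certificate (mail.company.com in the thread) and IIS on the
inside should present the internal one (publishing.domain.local)."""
import socket
import ssl


def _name_matches(pattern, host):
    """RFC 6125-style comparison: exact match, or a single '*' as the whole
    leftmost label matching exactly one label (no bare '*.com' wildcards)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (
        len(p_labels) == len(h_labels)
        and len(p_labels) >= 3
        and p_labels[0] == "*"
        and p_labels[1:] == h_labels[1:]
    )


def presented_names(cert):
    """DNS names a certificate dict (shape of SSLSocket.getpeercert()) claims."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def cert_matches_host(cert, hostname):
    """True if the certificate is valid for hostname.  SAN dNSName entries are
    authoritative when present; the subject CN is consulted only as a fallback
    for SAN-less certificates such as the SBS self-signed ones."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(n, hostname) for n in sans)
    return any(
        _name_matches(value, hostname)
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    )


def check_bridge(external_cert, internal_cert, public_name, internal_name):
    """Findings for an ISA-style bridge: the cert facing the Internet must carry
    the public name, and the cert IIS presents must be the one the publishing
    rule re-encrypts to.  Returns an empty list when both hold."""
    problems = []
    if not cert_matches_host(external_cert, public_name):
        problems.append("external listener presents %s, clients expect %s"
                        % (presented_names(external_cert), public_name))
    if not cert_matches_host(internal_cert, internal_name):
        problems.append("IIS presents %s, bridge re-encrypts to %s"
                        % (presented_names(internal_cert), internal_name))
    return problems


def fetch_peer_cert(host, port=443, server_name=None, timeout=5.0):
    """Live probe (needs network): return the leaf certificate a listener
    presents, in getpeercert() dict form.  A self-signed cert would fail normal
    verification, so the PEM is fetched first with verification off and then
    pinned as the sole trust anchor so the ssl module parses it for us."""
    pem = ssl.get_server_certificate((host, port))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Lets a CA-issued leaf act as its own anchor (flag exists on Python 3.10+).
    ctx.verify_flags |= getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0)
    ctx.load_verify_locations(cadata=pem)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.getpeercert()


# Constructed certificates mirroring the thread: what ISA should present
# outside, what IIS presents inside, and the intra.company.com cert the
# poster bound to IIS by mistake.
PUBLIC_CERT = {"subject": ((("commonName", "mail.company.com"),),),
               "subjectAltName": (("DNS", "mail.company.com"),)}
INTERNAL_CERT = {"subject": ((("commonName", "publishing.domain.local"),),)}
INTRA_CERT = {"subject": ((("commonName", "intra.company.com"),),)}

if __name__ == "__main__":
    print("correct bridge:", check_bridge(
        PUBLIC_CERT, INTERNAL_CERT, "mail.company.com", "publishing.domain.local"))
    print("after swapping the IIS cert:", check_bridge(
        PUBLIC_CERT, INTRA_CERT, "mail.company.com", "publishing.domain.local"))
```

Run against a live server with `fetch_peer_cert("mail.company.com")` from outside and `fetch_peer_cert("<internal IIS address>")` from inside, and feed both results to `check_bridge`; the second finding in the run above is exactly the breakage Eriq describes when the IIS cert is swapped without updating the ISA side.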
  5. Many thanks for Eriq's input!

    Please let me know if anything in the information I or Eriq provided is
    unclear. We are glad to help.

    Have a nice day!

    Sincerely,

    Jenny Wu
    Microsoft CSS Online Newsgroup Support

    --------------------
     
    Jenny wu [MSFT], Mar 7, 2006
    #5
