Trusted Cert Woes on SBS 2008

Discussion in 'Windows Small Business Server' started by Bill Glidden, Sep 30, 2009.

  1. Bill Glidden

    Bill Glidden Guest

    I decided to install a trusted cert from GoDaddy to make access to RWW,
    OWA and Outlook Anywhere more user-friendly. I used:
    http://smbtn.wordpress.com/2009/02/12/installing-a-godaddy-standard-ssl-certificate-on-sbs-2008/
    for my first few attempts (installing the intermediate bundle) and when
    I had issues with this, I eventually used:
    http://blogs.technet.com/sbs/archiv...a-trusted-certificate-wizard-in-sbs-2008.aspx
    I have had several goes at this (using re-keyed certs) always with the
    same results:

    1. The trusted certificate never appears for selection as the preferred
    certificate in the Certificate Wizard (only self-signed certs are
    displayed). In the SBS Console, Network/Connectivity/Web Server
    Certificate is showing the trusted cert from GoDaddy.

    2. When I launch Outlook 2007, I get two Security Alerts from the site
    remote.glidden.net.au. View Certificate shows the name of the trusted
    cert office.glidden.net.au. This happens on PCs that are not using
    Outlook Anywhere as well.

    Otherwise the trusted certificate is functioning: no certificate warning
    nags in RWW, OWA or Company Website.

    A clue to all this is that the name of the trusted cert is different to
    the self-signed one. Also, when I run the Fix My Network wizard, it tells
    me that the trusted certificate has expired and removes it if checked.
    I am new to and pretty clueless with certs: this is the first time I
    have tried to install a trusted cert.

    SBS BPA finds no issues.

    Can someone please help me to sort this? Driving me bananas.
     
    Bill Glidden, Sep 30, 2009
    #1

  2. Les Connor [SBS MVP], Sep 30, 2009
    #2

  3. ps, you can change remote.blah.blah to office.blah.blah in the SBS wizard by
    selecting the 'advanced' button. 'remote' is the default prefix.
     
    Les Connor [SBS MVP], Sep 30, 2009
    #3
  4. Bill Glidden

    Bill Glidden Guest

    Hi Les,

    No. I use either remote or office, and want to use office only, but I
    get the same result with either. I know there is no error when I use
    /owa or /remote. I'm only seeing the Outlook security warning.
     
    Bill Glidden, Sep 30, 2009
    #4
  5. Bill Glidden

    Bill Glidden Guest

    I missed that Advanced button... Will go there and do that. Thanks, Les.
     
    Bill Glidden, Sep 30, 2009
    #5
  6. Bill Glidden

    Bill Glidden Guest

    Les, I did that and interestingly, it made one of the Security Alerts go
    away. Still got one. Will multiple office.glidden.net.au GoDaddy certs
    be a problem or is only one of these active?
     
    Bill Glidden, Sep 30, 2009
    #6
  7. Bill Glidden

    Bill Glidden Guest

    Oh, and Les, I can now see and select the Trusted cert in the Wizard. I
    can also see the for GoDaddy certs that I installed during the saga. All
    have type=unknown. AND no more Outlook Security nags.

    Thanks for helping me sort this and pointing me in the general direction
    of SBS Console, Advanced Mode!

    Cheers,
    Bill
     
    Bill Glidden, Sep 30, 2009
    #7
  8. Good stuff, Bill - glad you got it sorted.

    Key is the name in the cert must match the url/site you're accessing. You
    can get a cert for multiple sites but in this instance you only need
    office.<domain.com>
     
    Les Connor [SBS MVP], Sep 30, 2009
    #8

  9. Les, with an Exchange UC/SAN certificate, you can add those names into one
    cert. The one certificate will allow multiple names added into the
    certificate in what's called a subjective alternate names list. Once you've
    purchased, or have your current certs modified or combined into one
    certificate by GoDaddy (Exchange can use a single cert with multiple names
    and they should be able to combine all of them into one for you and pro-rate
    the price), you can use the Exchange PowerShell Commands to add the services
    the cert will be used for.

    Read the following for more info. I also just added a step-by-step in the
    blog, today, to illustrate how to request and import the new cert, as well
    as how to enable the use of the cert for other services, such as IIS, SMTP,
    IMAP, POP, etc. Enabling it for IIS will work for what you want, as long as
    the names that you need, such as rww.domain.com, office.domain.com, or
    whatever else you need, is in the certificate subject alternate names list.
    The manual methods work with SBS 2008, too.

    Exchange 2007 UC/SAN Certificate
    http://msmvps.com/blogs/acefekay/archive/2009/08/23/exchange-2007-uc-san-certificate.aspx


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
    Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Sep 30, 2009
    #9
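Added example, not part of the thread or of any poster's code: a small check of which host names a certificate actually covers, showing why a single-name cert satisfies one URL while a UC/SAN cert covers several. All host names and certificate contents are constructed placeholders; the wildcard case goes beyond what the thread discusses.

```python
# Added example: name matching between a certificate and the hosts clients use.
# All host names and certificate contents below are constructed placeholders.

def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name against a host name.

    A wildcard is honoured only as the whole left-most label ("*.example.com")
    and covers exactly one label, as in RFC 6125.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list:
    """DNS names a client checks: the SAN list if present, else the subject CN."""
    return cert.get("san") or [cert["cn"]]


def audit(cert: dict, hosts: list) -> dict:
    """Map each host to the certificate name that covers it, or None."""
    names = cert_names(cert)
    return {h: next((n for n in names if name_matches(n, h)), None) for h in hosts}


# Hosts the clients in this constructed deployment connect to.
HOSTS = ["remote.example.com", "office.example.com", "autodiscover.example.com"]

SINGLE_NAME = {"cn": "office.example.com", "san": []}
UC_SAN = {"cn": "office.example.com",
          "san": ["office.example.com", "autodiscover.example.com"]}
WILDCARD = {"cn": "*.example.com", "san": ["*.example.com"]}

if __name__ == "__main__":
    for label, cert in [("single-name", SINGLE_NAME), ("UC/SAN", UC_SAN),
                        ("wildcard", WILDCARD)]:
        for host, name in audit(cert, HOSTS).items():
            status = "covered by " + name if name else "NAME MISMATCH"
            print(f"{label:12} {host:28} {status}")
```

Any host reported as a mismatch is one where a client would raise a certificate name warning, even though the certificate chains to a trusted CA.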

  10. I meant to address my last post to Bill, not Les. Sorry....
     
    Ace Fekay [MCT], Sep 30, 2009
    #10
  11. Good stuff, thanks Ace.

    I'm the guy that's never used a 3rd party cert, ever, with SBS ;-). Always
    used the self signed certs, and always able to make them do. Worst case is
    locked mobile devices, but that's worked around by converting the cert to a
    .cab file.
     
    Les Connor [SBS MVP], Sep 30, 2009
    #11
  12. no worries, we're all in this together ;-)
     
    Les Connor [SBS MVP], Sep 30, 2009
    #12

  13. Cool, yes we are! :)

    Thanks!
     
    Ace Fekay [MCT], Oct 1, 2009
    #13
  14. For my own Ex2007, I never bought a public cert, but I haven't any cases
    where I would need it. When connecting to OWA, I would just click on the
    trust this cert message. However, I just replaced my BB with an HTC Touch
    Pro 2 I picked up last night. Cool phone. Screen's a hair larger than the
    iPhone, brighter, too! However, it's Windows Mobile. Guess what? Cert issue
    time! So instead of dealing with the cert, I thought let me just get a
    single name cert (non UC/SAN) and see if it works. Since I set this domain
    up back in 1999 when AD first came out, the mindset and consensus was to use
    your public name, so I never changed that. It's only me and a few people
    that use the domain. So I figured, what the heck, a single name cert would
    work internally and externally for mail.mydomain.com, and I have the same
    record created internally. Well, the thing worked fine with the Windows
    mobile. It synched up fine. It also works fine for my OWA site, since you
    can enable that in Exchange to use the cert for other purposes other than
    just internally, such as for IIS, SMTP, IMAP and POP. However, I know I will
    have an issue with Outlook Anywhere due to the Autodiscover record, but I
    don't use that anyway. If it comes down to it, and I need that function, I
    will dish out the extra $$ for a UC/SAN cert. And here I am using a single
    cert for limited capabilities, but I keep pushing to get a UC/SAN cert to my
    customers. I figured if they ever need the other functionality, I don't want
    to deal with installing certs on their mobile units, or some of their remote
    employees that hardly come into the office and are using Outlook Anywhere.

    I guess you can call me the landscaper with the tallest lawn on the block!
    :)

    Ace
     
    Ace Fekay [MCT], Oct 1, 2009
    #14
  15. Bill Glidden

    Bill Glidden Guest

    Thanks for all the good info, Ace. :)

    Bill
     
    Bill Glidden, Oct 1, 2009
    #15

  16. You are welcome!

    Ace
     
    Ace Fekay [MCT], Oct 1, 2009
    #16
  17. Bill Glidden

    Bill Glidden Guest

    Thanks for all the good info, Ace. :)

    Bill
     
    Bill Glidden, Oct 1, 2009
    #17
  18. SBS 2k8 deploys the self signed cert onto WM6 automatically. I have an HTC
    diamond touch, no issues at all.
     
    Les Connor [SBS MVP], Oct 2, 2009
    #18

  19. You are welcome!

    Ace
     
    Ace Fekay [MCT], Oct 2, 2009
    #19

  20. That I didn't know. Thanks!

    Ace
     
    Ace Fekay [MCT], Oct 2, 2009
    #20