Renewing a self-signed certificate in SBS 2003

Five years ago, I was a relatively early adopter of Microsoft Small Business Server (SBS) 2003. One of the servers I set up back then is still going strong today. However, the self-signed certificate that the server uses for SSL transactions was set to expire five years after creation, and we just reached that mark.

The easiest way to change the expiration date for your server’s SSL certificate is to re-run the CEICW (the Configure E-mail and Internet Connection Wizard). When you get to the page asking about the web certificate, create a new one:

CEICW page

Obviously what you put in the “Web server name” box should match what you had there before – the external hostname of your server. SBS will generate a new certificate, whose expiration date will be five years in the future.

Because third-party SSL certificates from GoDaddy and others are so inexpensive these days, there is little reason to continue using self-signed certificates in SBS. However, if you want to stick with a self-signed cert for more than five years, now you know how.

Posted in All, SBS, Software, Technology on Jan 26th, 2009, 4:02 pm by David Schrag   

4 Responses

  1. September 3rd, 2010 | 5:18 pm

    Thanks! This helped me on my way to a solution, but since we also have a 3rd party certificate, and multiple FQDNs (without SSL), I needed to do a little more – details below.

    The CEICW on SBS 2003 Premium SP1 (with ISA 2004) makes two certificates, ISAcert and SBScert. ISAcert is for the external FQDN, and external HTTPS connections use it. ISA then decrypts the request and re-encrypts it with SBScert to send it to the internal IIS web site, publishing.*.{lan|local}.

    If you use a 3rd party SSL certificate for your external FQDN, you probably still use tunnelling using the internal SBScert. If the internal SBScert expires before the external 3rd party certificate, clients get an odd 500 server error (see http://support.microsoft.com/kb/823074). Unlike a normal certificate error (e.g. for a self-signed or expired cert), clients can’t ignore the error to continue to the site => bad news!

    Re-running CEICW as stated above will correctly update both SBScert and ISAcert, but will leave ISA using the self-signed cert for external connections, rather than the paid-for 3rd party cert. In ISA, go to Firewall Policy, then in rightmost pane choose Toolbox, expand Web Listeners, double-click SBS Web Listener, on Preferences tab choose SSL Select… button, re-select your 3rd party certificate, and Apply.

    If you also have other FQDNs (without SSL), the CEICW may/will have lost them. You need to add them back as Public Names in ISA’s Default SBS Publishing Rule.
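
The expiry ordering described in the response above (an internal bridging certificate lapsing while the external one is still valid) can be checked ahead of time. The following is an added example, not code from the post or its commenters: the `name`/`role` fields, the dates and the 60-day threshold are constructed for illustration, and the date strings use the `notAfter` format that Python's `ssl.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

def expiry(not_after):
    """Parse a notAfter string in the format ssl.getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)

def audit(certs, now, warn_days=60):
    """Return (name, finding) tuples for expiry problems in a bridged SSL setup."""
    findings = []
    for c in certs:
        days = (expiry(c["not_after"]) - now).days
        if days < 0:
            findings.append((c["name"], "EXPIRED"))
        elif days <= warn_days:
            findings.append((c["name"], f"EXPIRES_IN_{days}_DAYS"))
    # The case from the response above: the internal certificate used to
    # re-encrypt traffic expires before the external one, so the public
    # certificate still looks valid while the back-end leg fails.
    external = [c for c in certs if c["role"] == "external"]
    internal = [c for c in certs if c["role"] == "internal"]
    for i in internal:
        for e in external:
            if expiry(i["not_after"]) < expiry(e["not_after"]):
                findings.append((i["name"], f"EXPIRES_BEFORE_{e['name']}"))
    return findings

# Constructed sample inventory (hypothetical dates, not taken from a real server).
SAMPLE = [
    {"name": "third-party", "role": "external", "not_after": "Mar 15 12:00:00 2011 GMT"},
    {"name": "SBScert", "role": "internal", "not_after": "Sep  1 12:00:00 2010 GMT"},
]
NOW = datetime(2010, 8, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, NOW):
        print(f"{name}: {finding}")
```
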

  2. John Clegg
    April 6th, 2012 | 2:19 pm

    You are a prince among gurus and saved me hours of sweat on a bank holiday.

    Many thanks! Now why the hell wasn’t this findable in some Microsoft help files?

  3. John P
    October 29th, 2012 | 11:29 am

    Very straightforward and helpful info. Thanks!

  4. Les H
    January 29th, 2013 | 6:23 am

    Perfect. Thanks. It seemed to add forwarders on my DNS which I removed.
