The CEICW on SBS 2003 Premium SP1 (with ISA 2004) makes two certificates, ISAcert and SBScert. ISACert is for the external FQDN, and external HTTPS connections use it. ISA then decrypts the request and re-encrypts it with SBScert to send it to the internal IIS web site, publishing.*.{lan|local}.

If you use a 3rd party SSL certificate for your external FQDN, you probably still use tunnelling using the internal SBScert. If the internal SBScert expires before the external 3rd party certificate, clients get an odd 500 server error (see http://support.microsoft.com/kb/823074). Unlike a normal certificate error (e.g. for a self-signed or expired cert), clients can’t ignore the error to continue to the site => bad news!

Re-running CEICW as stated above will correctly update both SBScert and ISAcert, but will leave ISA using the self-signed cert for external connections, rather than the paid-for 3rd party cert. In ISA, go to Firewall Policy, then in rightmost pane choose Toolbox, expand Web Listeners, double-click SBS Web Listener, on Preferences tab choose SSL Select… button, re-select your 3rd party certificate, and Apply.

If you also have other FQDNs (without SSL), the CEICW may/will have lost them. You need to add them back as Public Names in ISA’s Default SBS Publishing Rule.