Comments on: Renewing a self-signed certificate in SBS 2003 http://davidschrag.com/schlog/407/renewing-a-self-signed-certificate-in-sbs-2003 From the mind of David Schrag Wed, 25 Apr 2012 08:44:28 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: John Clegg http://davidschrag.com/schlog/407/renewing-a-self-signed-certificate-in-sbs-2003/comment-page-1#comment-69089 John Clegg Fri, 06 Apr 2012 18:19:37 +0000 http://davidschrag.com/schlog/407/renewing-a-self-signed-certificate-in-sbs-2003#comment-69089 You are a prince among gurus and saved me hours of sweat on a bank holiday. Many thanks! Now why the hell wasn't this findable in some Microsoft help files? You are a prince among gurus and saved me hours of sweat on a bank holiday.

Many thanks! Now why the hell wasn’t this findable in some Microsoft help files?

]]> By: Steven Kelly http://davidschrag.com/schlog/407/renewing-a-self-signed-certificate-in-sbs-2003/comment-page-1#comment-37735 Steven Kelly Fri, 03 Sep 2010 21:18:06 +0000 http://davidschrag.com/schlog/407/renewing-a-self-signed-certificate-in-sbs-2003#comment-37735 Thanks! This helped me on my way to a solution, but since we also have a 3rd party certificate, and multiple FQDNs (without SSL), I needed to do a little more - details below. The CEICW on SBS 2003 Premium SP1 (with ISA 2004) makes two certificates, ISAcert and SBScert. ISACert is for the external FQDN, and external HTTPS connections use it. ISA then decrypts the request and re-encrypts it with SBScert to send it to the internal IIS web site, publishing.*.{lan|local}. If you use a 3rd party SSL certificate for your external FQDN, you probably still use tunnelling using the internal SBScert. If the internal SBScert expires before the external 3rd party certificate, clients get an odd 500 server error (see http://support.microsoft.com/kb/823074). Unlike a normal certificate error (e.g. for a self-signed or expired cert), clients can't ignore the error to continue to the site => bad news! Re-running CEICW as stated above will correctly update both SBScert and ISAcert, but will leave ISA using the self-signed cert for external connections, rather than the paid-for 3rd party cert. In ISA, go to Firewall Policy, then in rightmost pane choose Toolbox, expand Web Listeners, double-click SBS Web Listener, on Preferences tab choose SSL Select... button, re-select your 3rd party certificate, and Apply. If you also have other FQDNs (without SSL), the CEICW may/will have lost them. You need to add them back as Public Names in ISA's Default SBS Publishing Rule. Thanks! This helped me on my way to a solution, but since we also have a 3rd party certificate, and multiple FQDNs (without SSL), I needed to do a little more – details below.

The CEICW on SBS 2003 Premium SP1 (with ISA 2004) makes two certificates, ISAcert and SBScert. ISACert is for the external FQDN, and external HTTPS connections use it. ISA then decrypts the request and re-encrypts it with SBScert to send it to the internal IIS web site, publishing.*.{lan|local}.

If you use a 3rd party SSL certificate for your external FQDN, you probably still use tunnelling using the internal SBScert. If the internal SBScert expires before the external 3rd party certificate, clients get an odd 500 server error (see http://support.microsoft.com/kb/823074). Unlike a normal certificate error (e.g. for a self-signed or expired cert), clients can’t ignore the error to continue to the site => bad news!

Re-running CEICW as stated above will correctly update both SBScert and ISAcert, but will leave ISA using the self-signed cert for external connections, rather than the paid-for 3rd party cert. In ISA, go to Firewall Policy, then in rightmost pane choose Toolbox, expand Web Listeners, double-click SBS Web Listener, on Preferences tab choose SSL Select… button, re-select your 3rd party certificate, and Apply.

If you also have other FQDNs (without SSL), the CEICW may/will have lost them. You need to add them back as Public Names in ISA’s Default SBS Publishing Rule.

]]>