Publishing Secure Sites on the Internet Using a Third-Party SSL Certificate


One drawback to using the SSL certificate created by the SBS setup wizards is that it is self-signed, so no web browser trusts it by default. In most cases this is a small annoyance: the browser warns the user that the certificate was not issued by a trusted authority each time the site is accessed. In other cases it can prevent the user from reaching the secure portions of the site altogether (see Chapter 17, "Integrating the Macintosh into a Small Business Server 2003 Environment," and the discussion of Internet Explorer 5 for the Macintosh). Most of the time, importing the SBS certificate into the workstation's certificate store as a trusted certificate eliminates the warning, but there are cases where this is not practical or even possible, and teaching users to click through certificate warnings is a habit you do not want to build.

It is possible to purchase and install a third-party SSL certificate in IIS and avoid the issues that come with the self-signed certificate SBS creates. There are a number of providers, and the cost can range from under $100 to several thousand dollars, depending on the type of certificate purchased. Before you can install a third-party certificate, however, you must generate a certificate request file. The request contains the server's public key and its identifying information (organization, organizational unit, common name and location); the matching private key is generated on the server and stays in its certificate store, which is why the request must be created on the server that will use the certificate. The following steps outline the process for generating the request file and installing the certificate on the server:

1. Open the IIS Management Console.

2. Expand the server icon, expand Web Sites, right-click on the Default Web Site icon, and select Properties.

3. Click on the Directory Security tab; then click Server Certificate.

4. In the first page of the Web Server Certificate Wizard, click Next.

5. Select the Remove the Current Certificate radio button; then click Next.

6. In the Remove a Certificate page, you see the details for the self-signed certificate. Click Next.

7. Click Finish to close the wizard. You have now removed the existing self-signed certificate from the Default Web Site.

8. In the Directory Security tab, you will see that the View Certificate button is now grayed out. Click Server Certificate.

9. In the first page of the Web Server Certificate Wizard, click Next.

10. Select the Create a New Certificate radio button and click Next.

11. In the Delayed or Immediate Request page of the wizard, the Prepare the Request Now, But Send It Later radio button should be selected. Click Next.

12. In the Name and Security Settings page of the wizard, enter a name for the certificate, as shown in Figure 6.13, and click Next. The bit length chosen on this page is the length of the RSA key pair the server generates for the request; choose at least 2048 bits, because public certificate authorities no longer issue certificates for shorter keys.

Figure 6.13. The Name and Security Settings page sets the name of the certificate and the size of the encryption key.

13. In the Organization Information page, as shown in Figure 6.14, enter or modify the Organization field, enter a name for the Organizational Unit, and then click Next.

Figure 6.14. An organization and organizational unit name must be entered in the Organization Information page.

14. In the Your Site's Common Name page, enter the public Internet name of the server, as shown in Figure 6.15. This should be the same name that was used to create the self-signed certificate, and it must match exactly the fully qualified name users type into the browser, not the server's internal name; a mismatch produces a name warning even with a vendor-issued certificate. Click Next.

Figure 6.15. The public Internet name of the server must be entered into the Common Name field.

15. In the Geographical Information page, select the correct geographical information and click Next.

16. In the Certificate Request File Name page, enter the name of the file for the certificate request. The default filename is c:\certreq.txt. Click Next.

17. In the Request File Summary page, verify that the information listed is correct. If the information is incorrect, click Back to return to the appropriate section of the wizard and correct it. Otherwise, click Next.

18. Click Finish to close the wizard.

19. Submit the contents of the certificate request file to the vendor you have selected to generate the SSL certificate. This process differs depending on which vendor is selected.

20. After you receive the certificate file back from the vendor, save the certificate file to disk and run the Connect to the Internet Wizard on the SBS server.

21. In the Connection Type page, click the Do Not Change Connection Type radio button and click Next.

22. In the Firewall page, click the Do Not Change Firewall Configuration radio button and click Next.

23. In the Web Server Certificate page, click the Use a Web Server Certificate from a Trusted Authority radio button.

24. Click Browse to locate the certificate file on disk; then click Next.

25. In the Internet E-mail page, click the Do Not Change Internet E-mail Configuration radio button and click Next.

26. Click Finish to complete the wizard; then click Close when the configuration has completed.
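Before the request file is sent to the vendor (step 19), it pays to decode it and confirm that the common name and key length are what you intended, because the vendor signs whatever is in the file. The shell functions below are an added example, not part of the book; they use OpenSSL on any machine that has it (a Linux or Mac workstation, or an OpenSSL build for Windows, with c:\certreq.txt copied over). OpenSSL reads the "NEW CERTIFICATE REQUEST" PEM header that the IIS wizard writes. The hostname remote.example.com and the 2048-bit minimum are illustrative assumptions.

```shell
#!/bin/sh
# Decode a PKCS#10 request written by the IIS 6 Web Server Certificate Wizard
# and confirm what the vendor will put in the certificate before sending it.
# Added example; remote.example.com and the 2048-bit floor are assumptions.

# Print the request's subject in RFC 2253 form, e.g.
#   CN=remote.example.com,OU=IT,O=Example Co,L=Columbus,ST=Ohio,C=US
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Print the RSA key length in bits (the size chosen on the Name and
# Security Settings page of the wizard).
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_csr FILE EXPECTED_CN [MIN_BITS]
# Return 0 if the CN equals the public name users will type and the key is at
# least MIN_BITS (default 2048); otherwise report each problem and return 1.
check_csr() {
    file=$1; expected_cn=$2; min_bits=${3:-2048}
    [ -r "$file" ] || { echo "cannot read request file '$file'" >&2; return 1; }
    subject=$(csr_subject "$file")
    cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    bits=$(csr_key_bits "$file")
    status=0
    if [ "$cn" != "$expected_cn" ]; then
        echo "CN is '$cn', expected '$expected_cn' (browsers would still warn)" >&2
        status=1
    fi
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "key is ${bits:-unknown} bits, below the $min_bits-bit minimum" >&2
        status=1
    fi
    return $status
}

# Usage: check_csr /path/to/certreq.txt remote.example.com 2048 && echo "request OK"
```

If the check fails, do not send the file; rerun the wizard (steps 8 through 18) with the corrected name or key length, since the vendor will not fix the request for you.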

The downside to this process is that while you are waiting for the vendor to issue the certificate, the Default Web Site has no certificate bound to it at all, so it cannot answer any SSL requests. This means that OWA, Remote Web Workplace, and any other service that requires SSL will be unavailable to users until the new certificate is installed. If you are not sure how long your vendor will take to generate and deliver the certificate (it can be hours or days, depending on the type of certificate and how the vendor validates your identity), consider the following alternative, which leaves the self-signed certificate in service until the vendor certificate is ready. It involves creating a new site in the IIS configuration and using that site to create the certificate request and install the resulting certificate:

1. Open the IIS Management Console.

2. Expand the server icon; then right-click on the Web Sites icon and select New, Web Site.

3. In the first page of the Web Site Creation Wizard, click Next.

4. In the Web Site Description page, enter a name for the website, such as SSL Request, and click Next.

5. In the IP Address and Port Settings page, enter a unique host header for the site, such as sslrequest, and click Next. The site exists only to hold the pending request; nobody needs to browse to it.

6. In the Web Site Home Directory page, browse to the path for the default website, usually c:\inetpub\wwwroot; then click Next.

7. In the Web Site Access Permissions page, click Next.

8. Click Finish to close the wizard and create the site.

9. Right-click on the new site and select Properties.

10. Click on the Directory Security tab; then click Server Certificate.

11. In the first page of the Web Server Certificate Wizard, click Next.

12. In the Server Certificate page of the wizard, click the Create a New Certificate radio button; then click Next.

13. In the Delayed or Immediate Request page of the wizard, the Prepare the Request Now, But Send It Later radio button should be selected. Click Next.

14. In the Name and Security Settings page of the wizard, enter a name for the certificate and click Next.

15. In the Organization Information page, enter or modify the Organization field, enter a name for the Organizational Unit, and then click Next.

16. In the Your Site's Common Name page, enter the public Internet name of the server. This should be the same name that was used to create the self-signed certificate. Click Next.

17. In the Geographical Information page, select the correct geographical information and click Next.

18. In the Certificate Request File Name page, enter the name of the file for the certificate request. The default filename is c:\certreq.txt. Click Next.

19. In the Request File Summary page, verify that the information listed is correct. If the information is incorrect, click Back to return to the appropriate section of the wizard and correct it. Otherwise, click Next.

20. Click Finish to close the wizard.

21. Submit the contents of the certificate request file to the vendor you have selected to generate the SSL certificate.

22. After you receive the certificate file back from the vendor, save the certificate file to disk.

23. Open the properties page for the SSL Request website in the IIS Management Console, select the Directory Security tab, and then click the Server Certificate button.

24. In the first page of the Web Server Certificate Wizard, click Next.

25. The Pending Certificate Request page should appear, and the Process the Pending Request and Install the Certificate radio button should be selected. Click Next.

26. Browse to the location where the certificate file is located and click Next.

27. Click Finish to complete the wizard.

28. Right-click on the Default Web Site and select Properties.

29. Click on the Directory Security tab and click Server Certificate.

30. In the first page of the Web Server Certificate Wizard, click Next.

31. Click the Replace the Current Certificate radio button and click Next.

32. In the Available Certificates page, shown in Figure 6.16, select the certificate that has been signed by the third-party vendor and click Next.

Figure 6.16. The Available Certificates page shows all available installed certificates, including previous versions of the self-signed certificate.

Note

If you have run the Connect to the Internet Wizard multiple times to re-create the self-signed SBS certificate, you may see more than one certificate listed. The self-signed certificates have the same name in the Issued To column as in the Issued By column. The correct certificate to select is the one that has the vendor's name in the Issued By column.

33. In the Replace Certificate page, verify that the third-party vendor certificate has been selected; then click Next.

34. Click Finish to complete the wizard.

When completing the last steps to install the certificate on the Default Web Site, be aware that any active SSL sessions to the site may be interrupted as the change takes place. For that reason, this last task should be completed during a time when there is little or no SSL traffic on the server. Once the change is made, connect from a machine outside the network and confirm that the browser no longer warns and that the certificate's Issued By field shows the vendor's name rather than the server's own.
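The quickest way to confirm from outside the network that the vendor certificate is the one now being served is to pull the certificate the site presents and apply the test from the Note above: a self-signed certificate has identical Issued To and Issued By fields, a vendor-issued one does not. The shell functions below are an added example, not from the book; they assume OpenSSL on the checking machine, and remote.example.com stands in for your public name.

```shell
#!/bin/sh
# Inspect the certificate a site presents on port 443 (or a saved PEM copy) and
# tell the SBS self-signed certificate apart from the vendor-issued one.
# Added example; remote.example.com is a placeholder for the real public name.

# Fetch the leaf certificate served by HOST:PORT as PEM (needs network access).
fetch_site_cert() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# cert_field FILE subject|issuer : print that name in RFC 2253 form.
cert_field() {
    openssl x509 -in "$1" -noout -"$2" -nameopt RFC2253 | sed "s/^$2=//"
}

# cert_cn FILE subject|issuer : print just the CN of that name.
cert_cn() {
    cert_field "$1" "$2" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print "self-signed" when Issued To equals Issued By (the SBS certificate),
# "vendor-issued" otherwise. This is the test the Note applies by eye.
classify_cert() {
    if [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ]; then
        echo self-signed
    else
        echo vendor-issued
    fi
}

# check_installed_cert FILE EXPECTED_CN
# Return 0 only if the certificate is vendor-issued, its CN equals the public
# name users type, and it has not expired; report each failure otherwise.
check_installed_cert() {
    file=$1; expected_cn=$2; status=0
    [ "$(classify_cert "$file")" = vendor-issued ] ||
        { echo "site still presents the self-signed certificate" >&2; status=1; }
    cn=$(cert_cn "$file" subject)
    [ "$cn" = "$expected_cn" ] ||
        { echo "CN '$cn' does not match '$expected_cn'" >&2; status=1; }
    openssl x509 -in "$file" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; status=1; }
    return $status
}

# Usage:
#   fetch_site_cert remote.example.com > /tmp/site.pem
#   check_installed_cert /tmp/site.pem remote.example.com && echo "vendor certificate is live"
```

openssl s_client also prints a "Verify return code" line; 0 (ok) means the checking machine trusts the chain the vendor's certificate hangs off, which is the whole point of buying it. A non-zero code with a vendor-issued leaf usually means the vendor's intermediate certificate was not installed on the server.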

Note

These two methods for installing a third-party certificate work for systems not running ISA. For specific instructions on generating and installing third-party certificates with ISA installed on the server, see Chapter 24, "ISA 2004 Advanced."





Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
Year: 2005