How to install a 3rd party certificate on SBS 2003 with ISA 2004
By Marina Roos

This article describes step by step how to install or renew a third party certificate on SBS 2003 with ISA 2004. The Official SBS Blog already published an article in 2007 on how to do that on SBS 2003 Standard (The Official SBS Blog: How to Install a Public 3rd Party SSL Certificate on IIS on SBS 2003: http://blogs.technet.com/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx), so this article extends that article to the SBS servers that have ISA 2004 installed.

The steps are exactly the same for ISA 2004, but we don't transfer the certificate to the Default Web site. With ISA 2004 the Default Web site has the publishing.company.local certificate assigned to it, and that needs to stay that way.

A special note for mobile devices like the Nokia E61 (and others for sure, but this device is the one that we could test): some devices really need the Intermediate Certificate Bundle installed before they will accept the third party certificate. It also happens that third party vendors change their intermediates, which will cause errors. So check whether your mobile device has the current intermediate certificate installed and whether it is up to date. It doesn't hurt, however, to always just install the Intermediate Certificate Bundle on the server. Some mobile devices also require that the intermediate certificate is in the .cer format. To obtain that file, follow the steps in this article.
Create a temporary web site in IIS and create the CSR

To be able to request the right certificate from a third party vendor, you will need to create a new web site in IIS with the FQDN you want to use. This web site is temporary and will be deleted after the certificate has been installed.

From the Administrative Tools open the IIS mmc and expand your server name. Select Web Sites in the left pane, right click and choose New, Web Site.
The Web Site Creation Wizard will show; click Next.
Type the exact FQDN for which you want the certificate. In this example we are using the FQDN remote.company.com. Be very careful and check the FQDN, as this is what the certificate will be requested for. Then click Next.
Leave the IP Address and Port Settings alone, type the FQDN for the host header and click Next.
Browse to the C:\Inetpub\wwwroot folder, leave the checkbox for "Allow anonymous access to this Web site" check marked, and click Next.
Leave the Web Site Access Permissions alone and click Next.
Click Finish at the completed Web Site Creation Wizard.
You will see that the new web site has been added under Web Sites in IIS. We will now create the request for the certificate.
Right click on the remote.company.com Web Site and choose Properties.
Select the Directory Security tab and click the Server Certificate button.
The Web Server Certificate Wizard appears; click Next.
We will create a new certificate; click Next.
The only choice is to Prepare the request now, but send it later, so click Next.
Type the FQDN for which you want the certificate, leave the other settings alone and click Next.
You will have to type something in both fields, and we recommend you type in your business name; then click Next.
At the Common name you will see that your server name is suggested by the wizard; change this to the FQDN remote.company.com and click Next.
In the Geographical Information you will find that the country has been selected already, but change it if needed. Fill in the state and city where your company is located and click Next.
The file name for the certificate request is suggested; if you agree with it, click Next.
The summary shows all the information you entered in the previous screens. Double check it; the "Issued to" field is the most important, as this is the certificate you are requesting. When all is fine, click Next.
Click Finish at the completion of the Web Server Certificate Wizard.
Close the Properties of the remote.company.com web site.

File the CSR data to request the certificate

The certreq.txt file has the data that is necessary to request the certificate. You log into the web site of your third party certificate vendor; in our example we are using Go Daddy.
In the left pane (Step 1) you fill in the company details that are needed.
The right pane (Step 2) will get the contents of the certreq.txt file.
While leaving the web page for a moment, use Windows Explorer to open the certreq.txt file which we had saved in the root of the C partition.
Select all the text with Ctrl+A and, when all the text is highlighted, press Ctrl+C to copy the text to the clipboard.
Go back to the GoDaddy web page, put the cursor in the blank box for the CSR in the right pane of Step 2 and paste the contents with Ctrl+V. Leave Microsoft IIS in the drop-down list and check mark the box at the bottom, then click Continue.
Double check the information and click Confirm.
The request has been submitted; click Done.
You will receive an email that contains a link to download the certificate bundle. The link will give you the page where you can download the certificate; leave the default choice IIS and click Continue.
Click on the link to Download Signed Certificate.
Click Save to save the file.
Browse to the location where you want to save the file; if you wish you can rename the certificate bundle. In our example we named it godaddy.zip. Click Save.
When the download is complete, click Open.
Click the Extract all files link at the left.
Click Next in the Extraction Wizard.
Browse to the destination and click Next.
Uncheck the Show extracted files box and click Finish.

Install the Intermediate Certificate Bundle

Before we can install the certificate, we will have to install the Intermediate Certificate Bundle first. This is the gd_iis_intermediates.p7b file in our example.
We will open a command prompt and start the mmc snap-in with start mmc.
We will add the Certificates snap-in from the File menu with Add/Remove Snap-in.
Click the Add button.
Select the Certificates snap-in and click Add.
Select the Computer account and click Next.
Leave the default Local Computer selected and click Finish.
You will return to the Add screen, which you now Close.
The Certificates snap-in has been added, so click OK.
Expand Certificates, expand the Intermediate Certification Authority and right click Certificates. Choose All Tasks and then Import.
The Import Wizard appears; click Next.
Browse to the location where you have extracted the godaddy zip file and select the gd_iis_intermediates.p7b file, then click Next.
When the import wizard has finished, click Finish.
Click OK.
For certain devices like Nokia mobile phones, it is necessary that those intermediate certificates are exported to a file format that Nokia understands.
Right click the first Go Daddy certificate and from All Tasks choose Export.
The Export Wizard appears; click Next.
Leave the file format at the default DER and click Next.
Browse to the folder where you want to save the exported certificate. For easy access, the Clientapps\SBScert folder would do nicely; give the file an easily recognizable name like GoDaddy_Intermediate.cer. Then click Next.
On completion click Next.
Click OK. Export the other GoDaddy intermediate certificate the same way.

Install the certificate in the temporary web site

Now we can install the certificate in the temporary web site.
In IIS right click the remote.company.com web site and choose Properties.
Select the Directory Security tab, then Server Certificate.
The Web Server Certificate Wizard appears; click Next.
As the request is pending, leave the suggested Process the pending request and click Next.
Browse to the location where you saved the extracted GoDaddy files and select the remote.company.com certificate, then click Next.
Leave the suggested SSL port as it is and click Next.
The Certificate Summary shows the information; click Next to install it.
After the wizard has completed, click Finish.
If you click on the View Certificate button, you can inspect the newly installed certificate.
Click OK and OK to close the properties of the remote.company.com web site.
In the Certificates mmc, under Personal, Certificates, you should see the Go Daddy certificate as well as the old self signed and the publishing certificate. You can now close the Certificates mmc.

Assign the certificate to the web listeners in ISA 2004

The last thing we have to do is assign the new certificate to all the web listeners in ISA 2004.
Open the ISA mmc; in the Firewall Policy node choose the Toolbox in the right pane. Select Network Objects and expand Web Listeners.
Select the SBS Company Web listener and click Edit.
Select the Preferences tab and in the SSL part click the Select button.
Select the new certificate and click OK.
Click OK.
Select the SBS Web listener and assign it the new certificate the same way, then click Apply at the top of the ISA 2004 mmc to complete the configuration.
Click OK.
Check from a computer outside your network that the new certificate doesn't give any problems. You should get the /remote or /exchange page without any certificate warning. If you have mobile phones, check that they can sync properly.
If everything is working correctly, we can delete the temporary web site in IIS. Right click the remote.company.com web site and choose Delete.
Click Yes to confirm the deletion.
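The intermediate export step above (each Go Daddy intermediate saved as a DER .cer file for devices such as the Nokia E61) done in code instead of through the mmc Export wizard. This is an added example, not part of the original article; it assumes the bundle is a PKCS#7 signedData file such as gd_iis_intermediates.p7b, in binary DER or base64 PEM form, and only walks the ASN.1 structure without validating any signature (the constructed sample at the bottom stands in for real certificates).

```python
import base64
import re

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 (signedData)

def der(tag, payload):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + payload

def tlvs(data):
    """Yield (tag, value, raw_tlv) for each element of a constructed DER value."""
    pos = 0
    while pos < len(data):
        start, tag, length = pos, data[pos], data[pos + 1]
        pos += 2
        if length & 0x80:  # long-form length: low bits give the byte count
            nb = length & 0x7F
            length = int.from_bytes(data[pos:pos + nb], "big")
            pos += nb
        yield tag, data[pos:pos + length], data[start:pos + length]
        pos += length

def extract_certs(p7b):
    """Return the DER bytes of every certificate in a PKCS#7 signedData bundle.
    Accepts binary DER or a base64 '-----BEGIN PKCS7-----' file."""
    if p7b.lstrip().startswith(b"-----"):
        body = re.sub(rb"-----[^-]*-----", b"", p7b)
        p7b = base64.b64decode(b"".join(body.split()))
    fields = list(tlvs(next(tlvs(p7b))[1]))  # children of the ContentInfo SEQUENCE
    if fields[0][:2] != (0x06, SIGNED_DATA_OID):
        raise ValueError("not a PKCS#7 signedData bundle")
    signed_data = next(tlvs(fields[1][1]))[1]  # [0] EXPLICIT -> SignedData SEQUENCE
    for tag, value, _ in tlvs(signed_data):
        if tag == 0xA0:  # certificates [0] IMPLICIT SET OF Certificate
            return [raw for _, _, raw in tlvs(value)]
    return []

# Constructed sample bundle: two placeholder "certificates" (never validated here).
FAKE_CERTS = [der(0x30, der(0x0C, b"intermediate-1")), der(0x30, der(0x0C, b"intermediate-2"))]
SAMPLE_P7B = der(0x30, der(0x06, SIGNED_DATA_OID) + der(0xA0, der(0x30,
    der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")))
    + der(0xA0, b"".join(FAKE_CERTS)) + der(0x31, b""))))
```

Read a real bundle with open(path, "rb").read() and write each returned element to its own .cer file; every element is already a complete DER certificate, the same format the Export wizard's default DER choice produces.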