Windows Small Business Server 2011 installation and configuration – Part 5 configuring “Add a trusted certificate”
Go directly to SBS 2011 index file. With links to all articles from this serie.
When you finished part 4 configuring “Configure a Smart Host for internet e-mail” and returned to the SBS Console you now choose “Add a trusted certificate” to start the wizard.
By default the SBS server is installed with a self-signed certificate. We are now going to prepare an installation of a trusted certificate from a service provider. The reason you would install a trusted certificate is you don’t have to install the self-signed certificate on all devices that are used for remote connections, owa, activesync, outlook anywhere, remote web workplace, etc.
The wizard start with given you information what you are going to do.
If you already have a certificate and installed it on this server than choose for “I want to use a certificate that is already installed on the server”. We are going to choose for “I want to buy a certificate from a certificate provider” because we don’t have a certificate yet.
You now have to enter some information, all fields are required. Most fields will be entered already and taken from information supplied earlier. Make sure you enter correct information otherwise you may have to buy a new certificate.
This is the certificate request information. You need this information to buy a certificate from a service provider. So now go to the certificate service provider of your choice and order the certificate.
I would advise to buy a certificate from a well-known provider as, VeriSign, digicert, godaddy, thawte, … Another thing I would advise is to buy a multi name, UCC, SAN certificate so you can add multiple names to the certificate. The default name I would use is the name given in part 3 configuring “Setup your internet address” remote.domainname.extension and beside that you should also put autodiscover.domainname.extension and servername.domainname.local on the certificate. If you have places left for some names you would like to use, think about another name for companyweb or if you use a specific name for the send connector or something else.
So if your certificate service provider is really fast and you have got your certificate than choose “I have a certificate from my provider.” to continue directly. If your provider needs some time, you can choose “My certificate provider needs more time to process the request” If you choose this option the wizard will finish for now. At the time you got the certificate from your provider you just start the wizard again and the wizard will continue here.
Depending how your certificate provider delivers your certificate you have to paste the receive code or select the received file.
Go back to Part 4 configuring “Configure a Smart Host for internet e-mail”
Continue with Part 6 “Move server storage (data) to other partition(s)”
Tags: installation, sbs 2011, sbs console
Will a single domain SSL Cert still work for the remote.domain.com/remote?
What advantage is there to purchasing a UCC SSL cert?
Hi Mark,
you can do with a single domain certificate but you have to do some additional configuration for the autodiscover record. If you buy a UCC certificate and put on at least remote.yourdomain.com, autodiscover.yourdomain.com and servername.sbsdomain.local, every configuration for internal and external access is covered with the certificate.
now has SBS already done some configuration to use remote.yourdomain.com so it is a bit easier to use a single domain certificate, read here http://www.thirdtier.net/2009/02/setting-up-an-external-autodiscover-record-for-sbs-2008/ how to configure your autodiscover for a single domain certificate.
I am looking into getting an UCC Certificate for the SBS 2011. Following your advice, I want to have:
1) remote.domainname.extension,
2) owa.domainname.extension (redirected from remote.domainname.extension\owa (easier to remember for everybody)),
3) autodiscover.domainname.extension,
4) servername.domainname.local,
5) servername (is that needed to stop seeing the warnings while in the local network?)
There is also the need for smart phones (WM 6.5, Windows 7 Phone, Android, and iPhone). I am hoping that all the different phones would be able to use a single one of the names listed above. If not, what would I need to add?
Now onto the real question…
How am I able to add all the different names listed above using the wizard? Do I put a space between all of them “remote.domainname.extension owa.domainname.extension autodiscover.domainname.extension servername.domainname.local servername”
If not, then how would I add all the different names for a UCC with the wizard?
Thanks in advance 🙂
SBS 2011 is setup for using only remote.domainname.extension so generating a certificate will generate a request for remote.domainname.extension, nothing more you will not be able to add other names over here.
The other names you add during the request at your certificate provider, with godaddy you have just a filed during the process where you can add the other names you like to use.
Thank you for this tutorial. I am setting up what is supposed to be a workgroup intranet for a small doctors office. There is no need for remote access or a domain account for email. I’m not sure why they purchased the SBS. My question is can we still use the Windows SBS 2011 without the domain configuration explained above?
No installation of SBS 2011 Standard will make the server a domain controller and also install Exchange, Sharepoint, etc. So if you don’t want all these features you may take a look for another product.
You have SBS 2011 Essentials, this will make your server a domain controller, but does not have an on premise installation of exchange and sharepoint, only thing is it has a maximum limit of 25 users.
Another option would be Windows Server 2008 R2 Foundation, this is a version with a maximum user limit of 10 users, beside that you can just run it as a server and is cheaper than the other products. Only thing is this version is only sold as OEM via a hardware vendor.
Great site ,Very useful info.
BM
Hi Ronny,
Excellent resource. Thanks for all your hard work in setting it up.
I’m wanting to migrate from SBS 2003 to SBS 2011 (new hardware) and use my current Thawte certificate which I use on my public website http://www.domain.co.nz on the Login page etc.
I haven’t setup remote access on the current system, but would like to do so on the new server.
The current certifcate is setup for http://www.domain.co.nz only and it doesn’t expire until July 2014, so is there anyway I can setup the system to use this certificate too for RWW, OWA etc. Or would it be easier/cheaper to just generate my own certificate for use for remote access. There will only be 2 client devices connecting remotely, and the use will be fairly limited and infrequent.
Cheers,
Mike.
Hi Mike,
No problem good to hear you like it!
The only way you can use the http://www.domain.co.nz certificate is if the A record points to your SBS server and you use this name during the setup your internet address wizard. As the url say www I think this is the url of your website and probably hosted on an other location, if this is the case you can’t use the certificate.
If there are only 2 client devices I would suggest to use the self signed certificate and install this on the 2 clients this will work fine.
Regards
Ronny
Hi
great site.
If i create the certificate (5 years) i have to remove the .local or servername
this is the reason.
Please note: After November 1, 2015, Starfield will no longer provide SSL certificates without a fully-qualified domain name or IP address, such as ‘mail’, ‘intranet’, or 10.0.0.1.
The certificate you requested expires after November 1, 2015. If you requested this certificate without a fully-qualified domain or IP address for the common name, you will not be able to use it after that date. We recommend that you begin using registered domain names as soon as possible. Click here for more information.
Do i need to create the the server.local etc. manually (self signed) – or i need to run the “fix my network” ?
Thanks
Bruno
Hi Bruno,
Thanks!
With a SBS installation it is not necessary to use the server.local address if you setup the server with the wizards you only need remote.yourdomain.com (or what ever domain name your entered during the setup your internet address wizard). The only thing you may need to do is create a SRV dns record for autodiscover, pleas see this post.
Regards
Ronny
Excellent resource especially for someone new to SBS 2011 like me
I am looking to get a UCC certificate from GoDaddy soon and beside creating a MX record for remote.domainname.extension, I also need to create a A record for owa.domainname.extension and autodiscover.domainname.extension right?
Thanks
Andy
Hi Andy,
indeed these 2 will do fine, there is even a solution to do it with a single name certificate. You need to create a SRV dns record for this. Read this blog post
Hello,
we have a problem at our SBS 2011 with the intern certificate. (Outlook responds wrong certificate). And it’s at the moment not possible to expand the old one. (Error occours -> was a selfsigned).
We got intern an error with Outlook -> autodiscover
We three subdomains: e.g mail.exaplme.com
so i need a san certificate or am i wrong?
best regards
No with SBS you do not need a SAN certificate, you will be fine with a single name certificate, it is recommended to go for a third party public trusted certificate in stead of the self signed certificate.
See this great article about single domain name certificate: http://www.thirdtier.net/2009/02/setting-up-an-external-autodiscover-record-for-sbs-2008/
Is there further configuration required in exchange 2010 after installing the certificate using the SBS Console. If so please guide me through the process. (I am running Windows SBS 2011 Standard)
Thanks
When you configure SBS through the wizards there is no additional configuration needed within Exchange. Only if you want specific settings, but default email in and out will work fine.
is it possible to have more than one mx record?
we have more than one location.
the first location is already configured with mx record
can i add second mx-record and point it to second location?
As written before, you can have more than one MX record but they have to point to the same exchange organization. otherwise will be send or to the first location or to the second it will not check on which server the mailbox is located.
So with SBS the only time you use a second MX is when you have a BSMTP solution at an external provider.
I’ve migrated a SBS2003 with domainname.local to a SBS2011
This worked btw surprisingly well 🙂
But I have some issues with “Mismatch certificate”.
I have a domain.local (internal domainname)
I have a domain.com
I’ve created a selfsigned certificate with Works (with the IE warning) for the webmail.domain.com but our Navision wont connect secure to our SMTP because of “The remote certificate is invalid according to validation procedure”.
I do Suspect this is because I “Only” have a certificate for the “external domainname”….
But how can I fix this?
It might be that Navision is requiring a publicly trusted third party certificate in stead of a self signed
my sbs server2011 is almost a year old and i need to update the ssl certificate from godaddy.
is it as simple as doing the add a certificate wizard again.
i got message that root certificate will expire in a few weeks.is that the same as ssl certificates?
Yes you can renew the godaddy certificate just by following the wizard.
The internally used self-signed certificated is also expired after one year. This can be updated by running the fix my network wizard from the SBS console.
Hi Ronny,
I appreciate all of your SBS posts! Very helpful when I migrated from SBS 2003 to 2011.
I’m getting a 12014 event ID regarding Exchange certificates. I have a single name third party SSL cert from RapidSSL. My DNS provider allows SRV records and I have one setup for autodiscover. The SRV and third party cert have been in place for a couple years now, however on 12/28/14 I started receiving errors about the STARTTLS SMTP for Receive Connectors.
My third part cert (remote.domain.com) has all four services enabled – IMAP, POP, IIS, SMTP. I have a feeling this is the issue but am unclear if I should remove SMTP and assign to the servername.domainname.lan (FQDN) cert.
Here is the exact error:
Microsoft Exchange could not find a certificate that contains the domain name servername.domainname.lan in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector XXX with a FQDN parameter of servername.domainname.lan. If the connector’s FQDN is not specified, the computer’s FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
The errors are generated for the Receive Connectors that have the servername.domainname.lan FQDN (interestingly enough, only a few of the receive connectors not all).
Would you recommend I remove the SMTP service from the remote.domain.com cert? I’m hesitant to update the FQDN of all the receive connectors to remote.domain.com as I never have had to in the past.
Thanks!
Hi,
The event error you get is, because the Send Connector uses by default the server.domain.local address. This address is not on your publicly trusted certificate. It uses the default self signed certificate configured by SBS at setup. This certificate expires a year after installation, you can renew this certificate by running the fix my network wizard within the sbs console. Another option is to change the name in the send connector. Last option would be ignoring this message, because this is only used if you use TLS authentication for sending email, this is not used by default and all servers you send email to should accept this authentication. So probably you should not have any problem, it is only an annoying error in your event log.
That is exactly what I suspected. However, the initial self-signed cert had already expired last year and I re-ran the fix my network wizard. The self signed cert is still showing as valid, but these errors just started showing up “out of the blue”. It’s odd behavior to say the least. I’d prefer to have the send connectors use the default server.domain.local and not get the errors, but it seems that whatever has triggered this behavior will not go away unless I change the name in the send connector.
My mistake… I was referring to the Receive Connectors and not the Send Connectors.
Let me clarify – the error message I’m getting daily refer to the receive connectors. All of the errors I get reference the FQDN on the receive connectors as server.domain.local. However, on the Windows SBS Internet send connector, the FQDN is listed as remote.domain.com.
My previous godaddy ssl certificate is expiring at the end of month.I have purchased a replacement.do I use the add certificate wizard?to replace certificate
you can just run the certificate wizard again and follow the steps