Wednesday, November 7, 2012

Small Business Server 2008 and free SSL certificates for remote access

Introduction

While looking for a free SSL certificate to test against the self-signed certificates that SBS 2008 generates, I came across https://www.startssl.com/, who will give you, free of charge, a basic domain-validated certificate that lasts for one year. This means your users no longer have to click OK to accept the self-signed certificate.
The reason I was looking is that the SBS remote access portal showed the following error when users attempted to RDP to their desktops:
"This computer can't verify the identity of the RD Gateway 'your.domain.name'. It's not safe to connect to servers that can't be identified. Contact your network administrator for assistance."
[Screenshot: RDP error]
By changing the certificate to a verified one from StartSSL, this error is resolved. You will still get another prompt because the RD Gateway still uses the self-signed certificate; you cannot avoid this by applying the public verified certificate, since the RD Gateway uses the NetBIOS hostname, which matches neither the publicly trusted certificate nor the self-signed one. A public certificate will also save your users from the annoyance of this:

[Screenshot: SSL certificate error page]

[Screenshot: Certificate Details]

Step-by-step guide


Generate CSR: IIS 7 Microsoft Windows Server 2008

Follow these instructions to generate a certificate request (CSR).
  1. Open the Internet Information Services (IIS) Manager: from the Start button select Programs > Administrative Tools > Internet Information Services Manager.
  2. In IIS Manager, select the server node at the top left under Connections.
  3. In the Features pane (the middle pane), double-click the Server Certificates option located under the IIS or Security heading (depending on your current group-by view).
  4. From the Actions pane on the top right, select Create Certificate Request. The Distinguished Name Properties dialog box opens.
  5. You will be asked for several pieces of information which will be used by GeoTrust to create your new SSL certificate. These fields include the Common Name (aka domain, FQDN), organization, country, key bit length, etc. Use the CSR Legend in the right-hand column of this page to guide you when asked for this information. The following characters should not be used when typing in your CSR input: < > ~ ! @ # $ % ^ / \ ( ) ? , &
  6. THIS IS THE MOST IMPORTANT STEP! Enter your site's Common Name. The Common Name is the fully qualified domain name of your web site or mail server. Whatever your end users will see in their browser's address bar is what you should put in here. Do not include http:// or https://. Refer to the CSR Legend in the right-hand column of this page for examples. If this is wrong, your certificate will not work properly.
  7. Enter your Organization (e.g., My Great Company Ltd) and Organizational Unit (e.g., Sales). Click Next.
  8. Enter the rest of the fields, using the CSR Legend in the right-hand column of this page for guidance and examples. Click Next to continue.
  9. The next screen of the wizard asks you to choose cryptography options. The default Microsoft RSA SChannel Cryptographic Provider is fine, with a key bit length of 2048. Click Next to continue.
  10. Finally, specify a file name for the certificate request. It doesn't matter what you call it or where you save it as long as you know where to find it; you'll need it in the next step. We recommend calling it certreq.txt.
  11. Click Finish to complete the Certificate Request (CSR) Wizard.
  12. Now, from a simple text editor such as Notepad (do not use Word), open the CSR file you just created at c:\certreq.txt (your path/filename may differ). You will need to copy and paste the contents of this file, including the top and bottom lines, into the relevant box during certificate processing.
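The same request can be produced without clicking through the IIS wizard, using certreq.exe and an answer file. This is an added example, not code from the original post or from StartSSL's or GeoTrust's instructions; the hostnames, the O/OU/L/S/C values and the file paths are placeholders to replace with your own, and it assumes PowerShell 2.0 or later on the SBS 2008 box. It goes slightly beyond the wizard in that it also asks for a Subject Alternative Name extension covering the bare domain and the www subdomain the signing wizard later asks about; whether the CA honours SANs from the CSR is the CA's decision, and the Common Name is still the name users type into the browser.

```powershell
# Added example: scripted CSR generation with certreq.exe (built into Windows Server 2008).
# Placeholders (assumptions): remote.example.com / www.example.com, the O/OU/L/S/C fields
# and the C:\ paths. The CN must be the FQDN users see in the address bar.
$CommonName = 'remote.example.com'
$AltNames   = @('remote.example.com', 'www.example.com')
$InfPath    = 'C:\certreq.inf'
$CsrPath    = 'C:\certreq.txt'

# Build the certreq answer file. MachineKeySet puts the private key in the computer
# store so IIS and the RD Session Host can use it; Exportable lets you back the key
# up; KeyUsage 0xA0 = digital signature + key encipherment; the EKU is Server Authentication.
$sanLines = ($AltNames | ForEach-Object { '_continue_ = "dns=' + $_ + '&"' }) -join "`r`n"
$inf = @"
[NewRequest]
Subject = "CN=$CommonName, O=My Great Company Ltd, OU=Sales, L=London, S=London, C=GB"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# Generate the key pair and the PKCS#10 request (certreq returns exit code 0 on success).
& certreq.exe -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Sanity check before pasting the request into the CA's web form: the CSR must decode
# and its subject must carry the Common Name you expect (the step the post calls the most important).
$decoded = (& certreq.exe -dump $CsrPath) -join "`n"
if ($decoded -notmatch [regex]::Escape("CN=$CommonName")) {
    throw "CSR subject does not contain CN=$CommonName; check the answer file"
}
Write-Host "CSR written to $CsrPath; paste its full contents, BEGIN/END lines included, into the CA's form."
Get-Content $CsrPath

# After the CA returns the signed certificate (saved as C:\signed.cer, a placeholder),
# pair it with the private key already in the computer store:
#   certreq.exe -accept C:\signed.cer
```

Run it from an elevated PowerShell prompt; the request ends up in the computer's Certificate Enrollment Requests store, and `certreq -accept` on the signed certificate is what turns it into an entry in Personal (LocalMachine\My) with the private key attached, which is the state the import steps further down expect.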


Signing up and processing the StartSSL CSR

Signup
1. Firstly, browse to http://startssl.com, click Sign Up and fill in the mandatory details.
2. You will be sent a verification code to the email address you registered with. Copy and paste this over and click Continue.
3. They will verify your address and send another code; after opening their link, copy and paste this over and click Continue.
4. You'll be asked to generate a private key; leave it as medium grade and click Continue.
5. You'll be prompted to install the certificate into your browser; click Yes (I was using Internet Explorer). This certificate is what logs you on to your control panel. You may need to click the Install button on their website again.
6. Now I suggest you export the private key to a secure, backed-up place: open Internet Options > Content tab > Certificates. Highlight the certificate just installed and click Export. Click Next, select 'Yes, export the private key' and click Next; tick 'Include all certificates in the certification path if possible' and 'Export all extended properties', then click Next; type in a password and click Next; browse to where you want to save the file, name it and click Next; then click Finish.
7. Back on the website, click Continue.
Validate Domain
1. You may need to refresh the page to show the control panel wizard tabs. First we need to run through the validation wizard to add a new domain.
2. From the Type field select Domain Name Validation and click Continue.
3. Fill out the domain name and click Continue.
4. They will want to verify by email, so choose an address that will get through and that you can access (I used postmaster@mydomain), then click Continue.
5. Check your email, copy and paste the verification code back to the website, click Continue and then Finish.
Sign Request
1. Now you can sign a CSR for that domain. Click on the Certificates Wizard.
2. Change the certificate target to 'Web Server SSL/TLS Certificate' and click Continue; click Skip, since we will copy and paste the contents of the CSR over, then click Continue.
3. Click Continue again, select the correct domain and click Continue.
4. Enter www for the subdomain, click Continue and then Continue again.
5. You should normally see a page displaying the signed certificate contents, which you can copy and paste to your server, but on this occasion my request had to be manually checked!

Import Certificate: Windows 2008

There are some general steps below to import a certificate:
1. Import the SSL certificate into IIS: run IIS Manager and select the server name (left side, Connections).
2. Under the IIS Features view (middle section), open Server Certificates and import the SSL certificate here (right side, Actions).
3. Select the web site (left side, Connections), open Bindings (right side, Actions) and associate/bind the wildcard certificate with the appropriate https host and port (443).
4. Remote Desktop Session Host Configuration: if you want to change the certificate, open Properties on 'RDP-Tcp'; at the bottom of the General tab click Select and choose the certificate needed. If you want to change back to the self-signed certificate, click Default.
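Once the signed certificate is in the computer store, the following added PowerShell checks that it really is the certificate you mean to put into service, then does the two bindings above from the command line. It is not code from the post. It compares the names in the certificate against the FQDN users type, which is exactly the mismatch the introduction describes for the RD Gateway's NetBIOS name and the reason that prompt cannot be removed with a public certificate; it builds the chain so that a missing CA intermediate shows up here rather than in users' browsers; and it then binds the certificate to port 443 with netsh (instead of the IIS Bindings dialog) and to the RDP-Tcp listener through WMI (instead of the Session Host Configuration dialog). The FQDN is a placeholder, PowerShell 2.0 or later and an elevated prompt are assumed, and the appid is the one IIS registers its HTTP.SYS bindings under; compare with `netsh http show sslcert` if your binding was created differently.

```powershell
# Added example: verify a newly imported certificate before binding it to IIS and RDP-Tcp.
# Assumptions: the cert (with private key) is in LocalMachine\My, $Fqdn is the public
# name users type, PowerShell 2.0+, elevated prompt on the SBS 2008 server.
$Fqdn = 'remote.example.com'   # placeholder, replace with your public name

# Find the newest certificate in the computer store whose subject CN is the FQDN.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$cnPattern = 'CN=' + [regex]::Escape($Fqdn) + '(,|$)'
$cert = $store.Certificates |
    Where-Object { $_.Subject -match $cnPattern -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My" }

# Collect every DNS name the certificate is valid for: the CN plus any SAN entries.
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

# A name must match exactly, or via a single-label wildcard (*.example.com covers
# remote.example.com but not example.com). A NetBIOS name such as SBSSERVER never
# satisfies this, which is why the RD Gateway prompt described above remains.
function Test-CertificateName([string[]]$CertNames, [string]$HostName) {
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.') -and ($HostName -like $n) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}
if (-not (Test-CertificateName $names $Fqdn)) {
    throw "Certificate names ($($names -join ', ')) do not cover $Fqdn; users would still see a warning"
}

# Build the chain the way a client would. A failure here usually means the CA's
# intermediate certificate is missing from LocalMachine\CA; fix that before binding.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain does not build for $($cert.Thumbprint): $status"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($cert.NotAfter); the free certificate lasts one year, so diarise renewal"
}

# Bind to HTTPS on all addresses, port 443 (replacing whatever HTTP.SYS had there).
$thumb = $cert.Thumbprint
netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$thumb" "appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"

# Point the RDP-Tcp listener at the same certificate (the Session Host Configuration step above).
$rdp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
       -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
$rdp.SSLCertificateSHA1Hash = $thumb
$rdp.Put() | Out-Null

Write-Host "Bound $thumb ($($names -join ', ')) to 0.0.0.0:443 and RDP-Tcp"
```

The name and chain checks are deliberately placed before either binding: a certificate that fails them would be served without error by IIS and by the listener, and the only symptom would be the same warning dialogs the post set out to remove. Re-running the script after renewal simply picks up the newest matching certificate and rebinds it.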

3 comments:

1. 4 years later this post is still VERYYYYY useful... thanks for sharing (at 2:53 :-)

2. You're most welcome. All hackers stay up late; we have to, due to day jobs :-P
