Renewing SSL certificates on SBS 2008 can be a daunting task. Most people assume that simply renewing the existing certificate will work, but GoDaddy rejects the renewal request. If you look at a renewal request it is more than twice the size of a request for a new certificate. The reliable option is to create a new certificate request. Below are the steps to request the new certificate, and the commands needed to bind it to each of your web sites and to the Exchange Server.
For this example, say the server is running the following sites: Default Web Site, MyWebSite2 and MyWebSite3. Exchange is also running on this server, and you have users who need to access Exchange through the OWA interface.
To start off we need to request a new certificate. Open Internet Information Services (IIS) Manager and select the server node. Under the IIS section you will see an icon for Server Certificates. Double-click it, and on the right-hand Actions pane click “Create Certificate Request” to start the request.
You will need to enter the following information. Common name is the host name of your first web site; in this case it is the Default Web Site, for example www.myfirstwebsite.com. The rest is basic information about your company. (Don’t worry about the alternate domain names, the Subject Alternative Names, at this point. GoDaddy asks for them when you submit the request.) Organization is the name of your company, Organizational unit can be anything such as IT, City/locality is your city, State/province is your state, and Country/region is the country you are in.
Now click Next. Keep the default Cryptographic service provider, Microsoft RSA SChannel Cryptographic Provider, and change the Bit length to 2048: public CAs no longer issue certificates for 1024-bit keys, so 2048 is the minimum you should use. In the last step save the request to a text file. Once the request file is created, copy its contents and paste them into the GoDaddy website to request your new certificate. You will now see the alternate domain names listed for the renewal; make sure every host name you intend to serve over HTTPS is on that list and spelled correctly. If you need help with this step I would recommend calling GoDaddy. Their staff is very helpful. Make sure you have access to the e-mail address in the WHOIS record for the domain you are requesting the certificate for, because GoDaddy sends the domain-control verification to that address. Once this is verified GoDaddy finishes the process pretty quickly (in about 10 minutes).
Now for the fun stuff. You will want to unbind the current certificate from all of the sites and delete the old certificate. Note that HTTPS is unavailable on those sites from the moment you unbind the old certificate until the new one is bound, so do the rest of these steps in one sitting during a maintenance window. If you prefer to keep the old certificate for a little while, give the new certificate a different friendly name when you install it so you can tell the two apart. To unbind the old certificate you will need to go into each of the web sites that have it installed. For OWA, make sure you unbind the certificate from the site called SBS Web Applications.
Now download the certificate file that GoDaddy created to the server. Go back into Internet Information Services (IIS) Manager, highlight the server name and double-click Server Certificates again. Click Complete Certificate Request, browse to the file you just downloaded and give the certificate a friendly name. Completing the request on the same server that generated it is what pairs the certificate with its private key; a certificate imported on another machine will not have one. If the GoDaddy download also contains an intermediate certificate bundle, import it into the Intermediate Certification Authorities store of the computer account, otherwise clients that do not already have the intermediate will fail to validate the chain.
With the new certificate installed we will want to bind all of the sites to it. Start with the site whose name you used as the Common Name in the request. With that site highlighted select Bindings on the right-hand side. Click Add to create a new binding, choose https from the Type drop-down, and in the SSL certificate drop-down that appears select the new certificate, then click OK. That completes the first binding. The remaining sites have to be bound from the command line: IIS 7 Manager does not let you set a host name on an https binding, so the GUI will give you errors on the rest of the sites. This first GUI binding registers the certificate on *:443 in http.sys, and every other site on that IP and port shares it, which is why all of their host names had to be in the certificate’s alternate domain names.
So open an elevated command prompt (Run as administrator; appcmd needs it) and change to the following directory. (I am assuming the operating system is installed on the C drive. If not, use the correct drive letter.) C:\Windows\System32\inetsrv
Now type the following commands, one line for each additional web site you are binding. Use plain straight quotes; curly quotes pasted from a web page will make appcmd fail to parse the parameters.
appcmd set site /site.name:"MyWebSite2" /+bindings.[protocol='https',bindingInformation='*:443:www.MyWebSite2.com']
appcmd set site /site.name:"MyWebSite3" /+bindings.[protocol='https',bindingInformation='*:443:www.MyWebSite3.com']
appcmd set site /site.name:"SBS Web Applications" /+bindings.[protocol='https',bindingInformation='*:443:remote.yourdomainname.com']
You have now finished binding the additional sites, but Microsoft Exchange still needs to have the certificate bound to it. To do this you first need the new certificate’s thumbprint. Go back into Internet Information Services (IIS) Manager, open Server Certificates and view the new certificate.
Under the Details tab, scroll to the bottom of the list and you will find the Thumbprint field. Copy it into an editor like Notepad and remove all of the spaces. Be aware that copying from this dialog can also pick up an invisible character in front of the first hex digit; if Exchange later reports that it cannot find the certificate, delete the first character of the pasted value and retype it. A cleaned-up thumbprint is 40 hex characters and looks like this: 12637a67d0b4d148584318883babf64db09d74f8
For the final step, open the Exchange Management Shell (not the graphical Exchange Management Console) and run this command, replacing the thumbprint with the one that matches your certificate. Type the parameter dashes as plain hyphens:
Enable-ExchangeCertificate -Thumbprint 12637a67d0b4d148584318883babf64db09d74f8 -Services "SMTP, IMAP, POP"
Afterwards, Get-ExchangeCertificate -Thumbprint <your thumbprint> should list SMTP, IMAP and POP in its Services column. IIS is left out of the services list on purpose, because the OWA site (SBS Web Applications) was already bound through appcmd above.
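To tie the binding and Exchange steps together, here is an added PowerShell script (my own example, not something from the original post or from Microsoft) that performs the appcmd bindings and the Enable-ExchangeCertificate call with the checks I would want before touching a production server. It assumes it is run from the Exchange Management Shell on the SBS server, as Administrator, after the first site has already been bound in the IIS GUI. The site names, host names and thumbprint are the placeholders used in this post; replace them with your own.

```powershell
# Added example: bind a newly installed certificate to several IIS 7 sites via appcmd
# and to Exchange 2007 via the Exchange Management Shell, with sanity checks first.
# Assumptions: run in the Exchange Management Shell as Administrator on the SBS server,
# first site already bound in the IIS GUI. Names below are placeholders from the post.

$ThumbprintRaw = "12 63 7a 67 d0 b4 d1 48 58 43 18 88 3b ab f6 4d b0 9d 74 f8"   # pasted from the Details tab

# Host name -> IIS site name. Every host must be in the certificate's Subject Alternative Names,
# because all sites on *:443 share one certificate on IIS 7 (no SNI on this version).
$Bindings = @{
    "www.MyWebSite2.com"        = "MyWebSite2"
    "www.MyWebSite3.com"        = "MyWebSite3"
    "remote.yourdomainname.com" = "SBS Web Applications"
}

# 1. Normalise the thumbprint: the Details tab pastes spaces and sometimes an invisible
#    leading character, either of which makes the certificate lookup fail.
$Thumbprint = ($ThumbprintRaw -replace '[^0-9a-fA-F]', '').ToUpper()
if ($Thumbprint.Length -ne 40) { throw "Thumbprint is not 40 hex characters after cleanup: '$Thumbprint'" }

# 2. The certificate must be in the machine store, unexpired, and carry its private key
#    (i.e. the request was completed on this server rather than a .crt copied in).
$Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $Cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $Cert.HasPrivateKey) { throw "Certificate has no private key; complete the CSR on this server first" }
if ($Cert.NotAfter -lt (Get-Date)) { throw "Certificate already expired on $($Cert.NotAfter)" }

# 3. Warn about any host name we are about to bind that is missing from the SAN extension (OID 2.5.29.17).
$SanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$SanText = ""
if ($SanExt) { $SanText = $SanExt.Format($false) }
foreach ($HostName in $Bindings.Keys) {
    if ($SanText -notmatch [regex]::Escape($HostName)) {
        Write-Warning "$HostName is not in the certificate's SAN list; browsers will report a name mismatch"
    }
}

# 4. Add the https host-header bindings. The GUI binding on the Common Name site already
#    registered the certificate on *:443 in http.sys; these bindings reuse it.
$AppCmd = Join-Path $env:windir "System32\inetsrv\appcmd.exe"
foreach ($HostName in $Bindings.Keys) {
    $Site = $Bindings[$HostName]
    $Arg  = "/+bindings.[protocol='https',bindingInformation='*:443:$HostName']"
    & $AppCmd set site "/site.name:$Site" $Arg
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed for site '$Site'" }
}

# 5. Point the Exchange mail protocols at the same certificate. IIS is deliberately omitted:
#    the OWA site (SBS Web Applications) was bound through appcmd above.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services "SMTP, IMAP, POP"

# 6. Verify: http.sys must show the new hash on 0.0.0.0:443, and Exchange must list the
#    services against the new thumbprint.
netsh http show sslcert | Select-String -Pattern "IP:port|Certificate Hash"
Get-ExchangeCertificate -Thumbprint $Thumbprint | Format-List Thumbprint, Services, NotAfter, CertificateDomains
```

If Enable-ExchangeCertificate asks whether to overwrite the existing default SMTP certificate, answer Yes so that SMTP TLS moves to the new certificate as well. The script shells out to appcmd rather than using the WebAdministration module because that module is not available on the IIS 7.0 that ships with SBS 2008.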
You are now finished and your site should be back up and running! I hope somebody will find this useful. I had to search through multiple sites to find the information when I needed it.