Manually Install an Existing SSL Cert

Manually Install an Existing SSL Certificate into Small Business Server 2011 Essentials


Symptoms

Consider the following scenario.
You want to use a domain name provided by GoDaddy or eNom, but you already have your own SSL certificate from another vendor. When you try to use that certificate for the RWA site through the SBS 2011 Essentials domain configuration wizard, the wizard fails, gets stuck, and shows the domain as not configured, leaving you no way to move on.
To work around this issue, you need to manually configure your domain name and import the SSL certificate. This document provides the steps to do that.

Root Cause

Small Business Server 2011 Essentials provides a way to purchase a GoDaddy or eNom domain name, but the wizard only exposes the user interface for purchasing the SSL certificate from the vendor through which the domain name is registered, such as GoDaddy or eNom. If you'd like to use some other vendor's certificate, you need to follow a manual workflow to import the domain and certificate. This wiki post is for those who want to use their own SSL certificate combined with a domain name purchased from a different vendor.

Resolution

Configure your domain name via Dashboard Wizard

  1. On the server, set registry key “UseV2CertificateSupport”=0, under HKLM\SOFTWARE\Microsoft\Windows Server\Domain Manager\Providers\E423C85D-6B1F-4583-95E0-449D8263BAC4.
  2. Open a command line with Administrator privileges and restart DomainManagerProviderSvc:
       sc stop DomainManagerProviderSvc
       sc start DomainManagerProviderSvc
  3. Restart the Dashboard.
  4. Use the “Set up Domain name wizard” to finish the domain name transfer. After that, you will see that the domain name is set up.
  5. On the server, set registry key “UseV2CertificateSupport”=1 (this is an important step that you should not miss), under HKLM\SOFTWARE\Microsoft\Windows Server\Domain Manager\Providers\E423C85D-6B1F-4583-95E0-449D8263BAC4.
  6. Restart DomainManagerProviderSvc and the Dashboard.

Import your existing SSL certificate via PowerShell

# Load the SBS domain manager object model
[System.Reflection.Assembly]::LoadFrom("C:\Program Files\Windows Server\Bin\Wssg.Web.DomainManagerObjectModel.dll")

$CertMgr = New-Object Microsoft.WindowsServerSolutions.RemoteAccess.Domains.DomainCertificateManager

# Prompt for the PFX path; the password is read as a SecureString so it is not echoed
$certfile = Read-Host "Enter path to certificate PFX file"
$password = Read-Host "Enter Password to PFX file" -AsSecureString

# Hand the PFX file and its password to the domain certificate manager
$CertMgr.ConfigureCertificateFromFile($certfile, $password)

  1. To run the script, copy the above code into a .ps1 file.
  2. Run WssPowerShell.exe under %ProgramFiles%\Windows Server\Bin\ with Administrator privileges.
  3. Run the script and provide the .pfx file and the password that protects the file.
  4. If you get the error “The file XXX.ps1 is not digitally signed. The script will not execute on the system.”:
       a. Run Set-ExecutionPolicy Unrestricted
       b. Re-run the script
       c. Run Set-ExecutionPolicy RemoteSigned
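
A pre-import check that can be run in the same WssPowerShell.exe session before the import script, to confirm the PFX carries a private key, is within its validity period, and names the host you configured. This is an added example, not part of the original article or of SBS; the function name Test-PfxForRwa, its parameters, and the host name remote.contoso.com are assumptions.

```powershell
# Added example. Test-PfxForRwa and its parameters are hypothetical names.
function Test-PfxForRwa {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password,
        [Parameter(Mandatory=$true)][string]$DomainName
    )
    # Open the PFX in memory; the certificate is not added to any store.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $Path, $Password

    # Collect the DNS names the certificate covers (first SAN entry or subject CN, then all SAN entries).
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $names = @($cert.GetNameInfo($dnsType, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Assumption: English-language Windows, which renders entries as "DNS Name=host".
        $names += @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    # Exact match, or a wildcard that covers exactly one leading label.
    $match = $false
    foreach ($n in $names) {
        if ($n -ieq $DomainName) { $match = $true }
        elseif ($n.StartsWith('*.') -and $DomainName.Contains('.') -and
                ($DomainName.Substring($DomainName.IndexOf('.')) -ieq $n.Substring(1))) { $match = $true }
    }

    $now = Get-Date
    $result = New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        NameMatches   = $match
    }
    $cert.Reset()   # release the in-memory certificate
    $result
}

$certfile = Read-Host "Enter path to certificate PFX file"
$password = Read-Host "Enter Password to PFX file" -AsSecureString
$check = Test-PfxForRwa -Path $certfile -Password $password -DomainName 'remote.contoso.com'  # constructed host name
$check | Format-List
if (-not ($check.HasPrivateKey -and $check.InValidity -and $check.NameMatches)) {
    Write-Warning "PFX failed a pre-import check; fix the certificate before importing it."
}
```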

Please also review this blog post - http://blogs.technet.com/b/sbs/archive/2011/08/04/how-to-install-your-existing-certificate-into-sbs-essentials.aspx

Download

You can download a script to automate this process from the TechNet Gallery.
