SSL Certificate Renewal

    Question

  • Hello,

    My existing SSL certificate has expired, and needed to be renewed. I've received my new cert, and imported to my server. I've tried a few different ways to replace my existing cert:

    - Import into local machine store, update IIS bindings. Update RD Gateway cert. Update SSTP binding.
    - Run Domain Config wizard, use existing cert, supply newly received cert PFX. Run repair on access anywhere.

    No matter which method is used, while the new cert works for a day or two, it eventually reverts to the machine's self-signed cert, resulting in errors. I can't find an event that correlates to the reverting certificates, so I'm at a real loss as to what's taking place.

    Any guidance on how to complete this scenario properly?

    Thanks,
    Tim

    Monday, March 04, 2013 9:23 AM

Answers

  • Here's what worked for me for 2012 Essentials:

    Start the Essentials dashboard.  In the upper right corner, click on Settings.  In the Settings dialog, in the left column, click on Anywhere Access. Under Domain name, click "Set up" to start the wizard.
    Getting Started:  (No settings)
    Configure your domain name:  Import a new trusted SSL certificate
    Set up a trusted SSL certificate:  "remote" is already there. Choose I want to purchase a trusted SSL certificate for the domain name.
    Generate a certificate request:  Copy
    [get the cert from your provider]
    A trusted SSL certificate request is in progress...:  I have the trusted SSL certificate information from my certificate provider
    Import the trusted certificate:  Copy and paste...
    Repair as suggested in last pane

    It's not clear to me if this is creating a new private key or reusing the old one. I guess it doesn't matter. Regardless, start Certificate Manager for the Computer and export the new cert to PFX with the private key. Also, I delete the previous year's certificate while in Certificate Manager. At least with SBS 08, if you didn't do that, it would keep putting warnings in the event log.

    Mark Berry
    MCB Systems

    Friday, November 08, 2013 1:15 AM
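    The last two steps of the answer above (export the new certificate with its private key to a PFX, then remove the previous year's certificate so it stops generating warnings) can be done from an elevated PowerShell prompt instead of the Certificate Manager MMC. This is an added example, not code from the thread or from Microsoft; it assumes the PKI module cmdlets available on Windows Server 2012 and later, and `$SubjectName` and `$PfxPath` are placeholders you must change.

```powershell
# Added example: export the newest certificate for the Anywhere Access name
# to PFX (with private key) and remove expired certificates for the same name.
# Assumptions: elevated PowerShell on the Essentials server; placeholders below.
$SubjectName = 'remote.example.com'                # placeholder: your Anywhere Access FQDN
$PfxPath     = 'C:\Certs\remote-example-com.pfx'   # placeholder: output path
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

# All certificates in the computer's Personal store issued for this name.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$SubjectName*" }

# Pick the one that expires last; it must carry a private key, otherwise the
# PFX is useless for IIS, RD Gateway or SSTP.
$newest = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $newest) { throw "No certificate for CN=$SubjectName in LocalMachine\My" }
if (-not $newest.HasPrivateKey) { throw "Certificate $($newest.Thumbprint) has no private key" }

Write-Host "Exporting $($newest.Thumbprint) (expires $($newest.NotAfter)) to $PfxPath"
Export-PfxCertificate -Cert $newest -FilePath $PfxPath -Password $PfxPassword | Out-Null

# Remove only certificates for the same name that are already expired; the
# current one is never touched even if the clock is wrong.
$certs |
    Where-Object { $_.NotAfter -lt (Get-Date) -and $_.Thumbprint -ne $newest.Thumbprint } |
    ForEach-Object {
        Write-Host "Removing expired certificate $($_.Thumbprint) (expired $($_.NotAfter))"
        Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)"
    }
```

    Keep the exported PFX somewhere protected: it contains the private key, so anyone who can read it can impersonate the remote-access endpoint until the certificate is revoked or expires.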

All replies

  • I would run the Anywhere Access wizard and turn off RWA.

    Reboot.

    Run it again and import the new certificate from PFX.


    Robert Pearman SBS MVP
    itauthority.co.uk | Title(Required)
    Facebook | Twitter | Linked in | Google+

    Monday, March 04, 2013 12:51 PM
    Moderator
  • Thanks Robert, I'll give that a go. A reboot never hurt anyone ;)

    Have I missed the guidance on how to perform a cert renewal though? Would think this is a fairly common procedure.

    Thanks,
    Tim

    Monday, March 04, 2013 6:58 PM
  • Guidance is few and far between right now.

    Best thing to remember is that the 'renewal' is essentially a term for the process, but not what you're doing.

    I'm paraphrasing slightly, but the process is identical to purchasing a new SSL, it just happens to have the same name.

    So, you can go through the process here:

    http://titlerequired.com/2013/02/06/manually-creating-a-certificate-request-windows-server-essentials-sbs/


    Robert Pearman SBS MVP
    itauthority.co.uk | Title(Required)
    Facebook | Twitter | Linked in | Google+

    Monday, March 04, 2013 8:32 PM
    Moderator
  • No dice :( Cert still reverts to the server's self-signed cert from my purchased SSL cert.

    Very strange...

    Tuesday, March 05, 2013 6:22 PM
  • Hello Robert,

    I am exactly in the same situation as "tsull360". I have to renew my existing certificate from GoDaddy and I don't find any instructions how to do it. What is the exact procedure on how to renew an existing certificate using Anywhere Access wizards? Meanwhile, I have looked at your "RWA & SSL Configuration Decision-o-Matic" chart from your site (http://titlerequired.com/2013/02/06/manually-creating-a-certificate-request-windows-server-essentials-sbs/) and figured that my newly issued certificate has to be imported as a PFX file into W2k12srve. Is this correct? If so, how do I manage to get this PFX file from GoDaddy?

    Regards,


    Yves Leduc

    Tuesday, March 19, 2013 4:09 PM
  • Did you ever get an answer to your question about renewing SSL certificates?  I'm about to go through the process.

    Charlie Storke

    Thursday, October 17, 2013 4:30 AM
  • Tried to get an answer to this earlier, with no success. I just ended up creating a new cert request and going through the wizard again :(

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/4c125736-46f4-42c3-b94a-792085991e42/how-do-you-renew-the-anywhere-access-certificate?forum=winserveressentials#6a338d55-9814-46c5-a560-e993cba67102

    Saturday, October 19, 2013 8:51 AM
  • Renewals are essentially new certificates - you don't need to get hung up on the term 'renewal'

    As long as the issuing authority is trusted - then it will be ok.


    Robert Pearman SBS MVP
    itauthority.co.uk | Title(Required)
    Facebook | Twitter | Linked in | Google+

    Friday, November 08, 2013 10:52 AM
    Moderator
  • I too have had this issue on WSE R2. Imported new certificate, works fine, and then after reboot can't RDP in because of certificate mismatch. After re-changing bindings in IIS for 443 to use correct certificate it works again, until reboot.

    I have just followed Mark Berry's suggestion, so we'll see if it holds up upon reboot!

    Doug.

    Thursday, October 15, 2015 2:34 PM
  • Yep, this seems to hold up - I imagine that it's the "Repair" process that sorts things out again.

    Cheers,

    Doug.

    Thursday, October 15, 2015 3:46 PM
  • This ended up not helping... further reboots reinstated the self-signed certificate.

    After investigating further I found this RasSstp Error 32 in the system logs:

    "The thumbprint (cert hash) of the certificate used for Secure Socket Tunnelling Protocol (SSTP) OU=GT52513664, OU=See www.rapidssl.com/resources/cps (c)15, OU=Domain Control Validated - RapidSSL(R), CN=remote."domain".co.uk is different than the certificate bound CN=SBSServer."domain".local to the Web listener (HTTP.sys). Configure SSTP to use the default certificate or the certificate bound to SSL. You can configure web server applications to use the same certificate used by SSTP"

    It turns out that when the server was initially configured, Direct Access was enabled - at this point the 3rd party SSL certificate had not been installed, so the wizard used the self-signed certificate. Upon running the Remote Access Wizard from the dashboard, the SSL certificate was changed accordingly to the new 3rd party cert. However, upon reboot the 443 certificate was changed back to the self-signed one, as it did not match the SSTP certificate assigned in Direct Access (as per the error above).

    I initially found this article which shows you the certificate being used by Direct Access, but directly changing that did not have a lasting effect:

    http://blogs.technet.com/b/rrasblog/archive/2009/02/11/sstp-certificate-selection.aspx

    So to solve this I had to re-run Step 2 in the Remote Access Management Console, specifying the 3rd party Certificate.

    Now that they match, everything is hunky dory!!! :)

    Doug.

    Wednesday, October 21, 2015 2:58 PM
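    The root cause Doug describes (SSTP pinned to one certificate, HTTP.sys bound to another, and the mismatch reported as RasSstp Event 32) can be checked directly before and after re-running the Remote Access wizard. The script below is an added example, not part of the thread; it assumes, as the linked RRAS blog post describes, that SSTP stores its pinned certificate hash as the REG_BINARY value `SHA1CertificateHash` under `HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters`, and that `netsh http show sslcert` is the authoritative view of the HTTP.sys binding on 0.0.0.0:443. Run it elevated on the server itself.

```powershell
# Added example: compare the certificate SSTP is pinned to with the certificate
# bound to 0.0.0.0:443 in HTTP.sys. A difference is exactly what RasSstp
# Event 32 complains about and what makes the wizard's fix not survive a reboot.
# Assumption: SstpSvc\Parameters\SHA1CertificateHash holds the pinned SHA-1 hash
# as raw bytes (per the RRAS SSTP certificate selection post linked above).
$sstpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$params  = Get-ItemProperty -Path $sstpKey -ErrorAction Stop

function Convert-HashBytesToHex([byte[]]$bytes) {
    # Registry stores the hash as REG_BINARY; certificate thumbprints are hex strings.
    if (-not $bytes) { return $null }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-CertSummary([string]$thumbprint) {
    # Thumbprints in the store are upper-case hex without separators.
    $c = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint.ToUpper() }
    if ($c) { "$($c.Subject) (expires $($c.NotAfter))" } else { 'not found in LocalMachine\My' }
}

$sstpSha1 = Convert-HashBytesToHex $params.SHA1CertificateHash

# HTTP.sys binding for the web listener on all addresses, port 443.
$sslcert = netsh http show sslcert ipport=0.0.0.0:443
$match   = $sslcert | Select-String -Pattern 'Certificate Hash\s*:\s*([0-9a-fA-F]+)' | Select-Object -First 1
if (-not $match) { throw 'No HTTP.sys SSL binding found on 0.0.0.0:443' }
$httpSha1 = $match.Matches[0].Groups[1].Value.ToLower()

Write-Host "SSTP pinned SHA1 : $sstpSha1  $(if ($sstpSha1) { Get-CertSummary $sstpSha1 })"
Write-Host "HTTP.sys 443 SHA1: $httpSha1  $(Get-CertSummary $httpSha1)"

if (-not $sstpSha1 -or $sstpSha1 -match '^0+$') {
    # No pinned hash means SSTP follows the default HTTP.sys certificate, so nothing to reconcile.
    Write-Host 'SSTP is not pinned to a specific certificate; it will use the HTTP.sys default.'
} elseif ($sstpSha1 -eq $httpSha1) {
    Write-Host 'OK: SSTP and the web listener use the same certificate; no Event 32 expected.'
} else {
    Write-Warning 'MISMATCH: SSTP and HTTP.sys differ. Re-run Step 2 in the Remote Access Management Console with the trusted certificate, then re-check.'
}
```

    Rather than editing the registry value by hand (which Doug found did not stick), let the Remote Access Management Console rewrite it so that the DirectAccess/SSTP configuration and the HTTP.sys binding are set together; the script is only a check that the two now agree.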