Microsoft Exchange and Blackberry Server Specialists

SSL Certificate Information for SBS 2011

On This Page

  • Changes in September 2012
  • Introduction
  • Preparation Work
  • Certificate Request Generation and Response Installation
  • Activating the Certificate
  • My Certificate isn't Listed in the SSL Wizard

Changes in September 2012

This information has changed significantly from the advice that has been given out since early 2007 with the release of Exchange 2007.
This is because the SSL vendors' consortium has decided to stop issuing SSL certificates for non-FQDNs (e.g. server), non-public host names (e.g. server.example.local) and private IP addresses, for all certificates that expire after November 1st 2015.
Therefore the list of names that you need to include on the certificate is shorter.

Introduction

As with SBS 2008, SSL Certificates on SBS 2011 need to be installed with some care. This is due to some design decisions made by Microsoft for the SBS 2008 product which have remained with SBS 2011.

The major issue is that Microsoft presumes that your external DNS provider supports SRV records, which many don't. This is meant to save SBS owners money, since a single-name certificate is then enough, but unless you want to change your external DNS provider you have to use the multiple-name method.

SRV records are one of the methods that Outlook 2007 and higher can use for autodiscover. Autodiscover is also tied to the availability service, so if you are using Outlook Anywhere without autodiscover working correctly, the client does not work as it should.

However, as SBS 2011 is designed to be managed with the wizards and there are a lot of other changes to the Exchange and IIS configuration, doing a standard Exchange 2010 style SSL certificate installation will almost certainly break things. Therefore you have to work with the wizard so that everything goes in place as it should.

Preparation Work

To ensure that you work with the common configuration for SBS 2011, some DNS entries need to be made on the internet facing DNS services (usually your domain name registrar).
Specifically these are:

  • remote.example.com
  • autodiscover.example.com

where example.com is your domain after the @ in your email address and the domain entered in to SBS during setup.

These should point to your public static external IP address. If you cannot use a static IP address, then use a dynamic DNS provider to set up a host. Then create a CNAME for each of the above hosts and point them to the dynamic DNS host name. More information on using Exchange with a dynamic IP address.

While you can use another host name instead of remote.example.com, everything in SBS seems to be orientated towards that name. Using the preferred name will ensure that everything matches, particularly if you are reading other technical articles from Microsoft. As that name will be the common name on the SSL certificate, use it for the MX records for the domain, and get the ISP to set up the reverse DNS (aka PTR) record to match.
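The following PowerShell script is an added check, not part of the original article, for verifying the two public DNS entries described above before you request the certificate. It assumes example.com is your public domain; the local resolver is used, so run it from a machine outside the LAN (or check the private-address note it prints), and the optional SRV lookup at the end only matters if you rely on the single-name method.

```powershell
# Assumption: replace with the domain after the @ in your e-mail address.
$domain = 'example.com'
$names  = @("remote.$domain", "autodiscover.$domain")

$results = @{}
foreach ($name in $names) {
    try {
        # IPv4 addresses only; GetHostAddresses works on PowerShell 2.0 (Server 2008 R2).
        $addrs = @([System.Net.Dns]::GetHostAddresses($name) |
                   Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                   ForEach-Object { $_.IPAddressToString })
        $results[$name] = $addrs
        Write-Host ("{0,-30} -> {1}" -f $name, ($addrs -join ', '))
    } catch {
        $results[$name] = @()
        Write-Host ("{0,-30} -> NOT RESOLVED ({1})" -f $name, $_.Exception.Message)
    }
}

# Both names must resolve, and to the same public address (the static IP or the
# dynamic DNS host they are CNAMEd to).
$distinct = @($results.Values | ForEach-Object { $_ } | Sort-Object -Unique)
if ($distinct.Count -eq 1)     { Write-Host "OK: both names resolve to $($distinct[0])" }
elseif ($distinct.Count -eq 0) { Write-Host "FAIL: neither name resolves" }
else { Write-Host "WARN: names resolve to different addresses: $($distinct -join ', ')" }

# An RFC 1918 address means you are seeing internal (split) DNS, not the public view.
foreach ($ip in $distinct) {
    if ($ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)') {
        Write-Host "NOTE: $ip is a private address; repeat this check from outside the LAN"
    }
}

# Optional: the SRV record Outlook 2007+ can use to find autodiscover with a
# single-name certificate. No answer here means you need the multiple-name method.
nslookup -type=SRV "_autodiscover._tcp.$domain"
```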

Certificate Request Generation and Response Installation

To generate the request you will use the Exchange 2010 wizard. That makes the full list of names:

  • remote.example.com
  • autodiscover.example.com

  1. Create the SSL request through the Exchange Management Console in the usual way - instructions here.
     Ensure that when creating the request the common name is set to remote.example.com (where example.com is your public domain name).
  2. When the response comes back, install it through the Exchange Management Console (instructions), but do not enable any services.

At this point the SSL certificate is not active, and therefore there is no disruption to the end users.
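As an added example (not from the original article), this is the Exchange Management Shell equivalent of the two console steps above, run on the SBS 2011 server. It assumes example.com is your public domain, that the organisation details in the subject are placeholders you will replace, and that the vendor's response has been saved as C:\Certs\remote_example_com.cer.

```powershell
$domain   = 'example.com'                  # assumption: your public domain
$cn       = "remote.$domain"               # SBS naming convention for the common name
$sanNames = @($cn, "autodiscover.$domain") # the full list of names from the article

# Step 1: generate the request. Common name remote.example.com, both names as
# subject alternative names, exportable 2048-bit key. O/L/C are placeholders.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$cn, O=Placeholder Ltd, L=Placeholder, C=GB" `
    -DomainName $sanNames `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -FriendlyName "SBS 2011 $cn"
Set-Content -Path 'C:\Certs\remote_example_com.req' -Value $request
Write-Host 'CSR written to C:\Certs\remote_example_com.req; submit it to your SSL vendor.'

# Step 2: import the vendor's response. Deliberately NO Enable-ExchangeCertificate:
# the SBS wizard in the next section assigns the services, so the existing
# certificate keeps serving users until then.
$cerPath = 'C:\Certs\remote_example_com.cer'
if (Test-Path $cerPath) {
    $cert = Import-ExchangeCertificate `
        -FileData ([Byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0))

    # Confirm what landed: Services should still be 'None' at this point.
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
        Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, Status
} else {
    Write-Host "Response not found at $cerPath yet; re-run after it arrives."
}
```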

Activating the Certificate

Now this is where things are different from a full Exchange 2010 installation.

  1. Start the SBS 2011 Management Console. On the "Getting Started Tasks" panel, choose "Add a trusted certificate". You can also start the wizard on the Networking panel, under Connectivity, by choosing "Web Server Certificate" then "Add a trusted certificate".
  2. After choosing Next on the first screen, on the second screen select "I want to use a certificate that is already installed on the server." and click Next.
  3. A list of certificates that can be used is now shown. Choose the trusted certificate and select Next. The certificate is then imported.

You can test it with a test account on the Microsoft test site at https://testexchangeconnectivity.com/

My Certificate isn't Listed in the SSL Wizard

The usual reason why your certificate isn't listed in the SSL wizard is that the names on the certificate are not correct. For example, the certificate has been issued to mail.example.com instead of remote.example.com.
You have two options here.

  1. The preferred option would be to get the certificate reissued to remote.example.com. This is the SBS naming convention and you will find it a lot easier to follow documentation if that is the name used.
  2. Run the "Set up your Internet Address" wizard again. Choose the advanced options and change the default prefix from remote to mail (or whatever your certificate is issued to). Then run the Certificate wizard again.
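An added diagnostic (not part of the original article) that walks every certificate Exchange knows about and reports why the "Add a trusted certificate" wizard would skip it. The common-name check is the reason the article gives; the expiry, self-signed and private-key checks are general sanity checks added here as assumptions. It assumes the Internet Address prefix is remote and example.com is your domain.

```powershell
$domain     = 'example.com'          # assumption: your public domain
$prefix     = 'remote'               # change to 'mail' etc. if you re-ran the Internet Address wizard
$expectedCN = "$prefix.$domain"

foreach ($cert in Get-ExchangeCertificate) {
    $problems = @()

    # Pull the CN out of the subject, e.g. "CN=mail.example.com, O=..." -> mail.example.com
    $cn = @($cert.Subject -split ',' |
            Where-Object { $_.Trim() -like 'CN=*' } |
            ForEach-Object { $_.Trim().Substring(3) })
    $cn = if ($cn.Count -gt 0) { $cn[0] } else { '' }

    # The article's case: issued to mail.example.com instead of remote.example.com.
    if ($cn -ne $expectedCN) {
        $problems += "common name is '$cn', the wizard is looking for '$expectedCN'"
    }
    if ($cert.CertificateDomains -notcontains "autodiscover.$domain") {
        $problems += "autodiscover.$domain is not on the certificate"
    }

    # Added sanity checks (assumptions, not from the article).
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }
    if ($cert.IsSelfSigned)            { $problems += 'self-signed, so not a trusted certificate' }
    if (-not $cert.HasPrivateKey)      { $problems += 'no private key (response imported on a different machine?)' }

    $state = if ($problems.Count -eq 0) { 'USABLE    ' } else { 'NOT LISTED' }
    Write-Host ("{0} {1}  {2}" -f $state, $cert.Thumbprint, $cert.Subject)
    $problems | ForEach-Object { Write-Host "             - $_" }
}
```

If the only problem reported is the common name, that maps directly to the two options above: reissue to remote.example.com, or change the prefix in the Internet Address wizard to match.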