I’ve been quite happy using RapidSSL certificates on SBS 2003 boxes, as the RapidSSL root certificates are installed in the certificate store for Internet Explorer, and the certificate also works for Windows Mobile and Nokia smartphones.
However, I’m not so happy using them on SBS 2008, as RapidSSL is not supported by the Certificate Installation Wizard and the RapidSSL Certificate Request field doesn’t support 4096-bit encryption keys which is the default and unchangeable key length for renewing certificates in IIS 7.0.
So this is the foolproof way for me to use RapidSSL certificates on SBS 2008:
- Open up IIS Manager
- Select the IIS Server in the left-hand pane
- Double-click on Server Certificates in the middle pane
- Click Create Certificate Request in the right-hand pane
- Fill out the Distinguished Name Properties, ensuring that remote.companyname.com is used for the Common Name (replace companyname.com with your public domain name)
- Select 2048 for the Bit Length on the Cryptographic Service Provider Properties page
- Save the request as a .txt file somewhere
- Open the .txt file and copy and paste the certificate signing request into the RapidSSL renewal page
- Go through approval process to get your certificate in e-mail
- Copy the certificate out of e-mail and into a .cer file by using Notepad
- Run mmc.exe as Administrator
- Add the Certificates snap-in and select Computer Account on the Local Computer
- Import the .cer file into the Personal certificate store
- View the certificate, go to the Details tab and copy the Thumbprint Value data to the clipboard
- Run cmd.exe as Administrator
- Run the certutil repairstore operation on the imported certificate; replace <thumprint> with the Thumbprint Value data you copied above and if you’re cut’n’pasting the below make sure you type in the double quotes and not use the pasted quotes
- certutil –repairstore my “<thumprint>”
- Refresh the Personal certificate store in MMC and view the certificate for remote.companyname.com; you should now see the “You have a private key that corresponds to this certificate” text added below the Validity section.
Note: If you do try to use the Complete Certificate Request entry in IIS 7.0, you end up with the following error:
“There was an error while performing this operation.
Details: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)”
Steps 11-17 above achieve the certificate request completion without error and restores the private key association with the certificate.
I’ve primarily added this blog post for myself, so if the sequence is a bit terse, please let me know and I can flesh it out with some screenshots to help out.