Thursday, April 29, 2010

Installing a Wildcard Certificate Using SBS 2008 Console

I needed to install a wildcard certificate into an SBS 2008 install. After acquiring the wildcard certificate I installed it into the Certificate Store for the Computer Account, into the Personal Certificates as per the instructions found in “How do I import an existing trusted certificate?” – found by opening SBS 2008 Console, clicking on Network, then clicking on the Connectivity tab and then clicking on the Certificate entry under Web Server Certificate.


Once I’d done that, I launched the Add A Trusted Certificate wizard. Problem is it would only show the self-generated certificate for the SBS 2008 install and not the wildcard certificate.


I got to thinking that a setting somewhere was restricting it to the domain and RWW prefix set in the Internet Address Management wizard, so I went hunting and found a solution.


The workaround is to open up regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\Networking.


In here you’ll find the two entries that dictate which certificates are displayed in the Add A Trusted Certificate Wizard – PublicFQDNPrefix and PublicFQDNProvider.


To get a wildcard certificate displayed in the wizard you’ll need to change PublicFQDNPrefix to *.



Make a note of the original value, as you’ll need to put it back once you’ve installed the wildcard certificate.


Now open up the SBS 2008 Console, click on Network, click on the Connectivity tab and run the Add A Trusted Certificate Wizard. You’ll now be able to see the wildcard certificate and install it.


Once you’ve successfully installed the certificate, go back to regedit and change PublicFQDNPrefix from * back to its original value.
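
The registry steps above, wrapped in a PowerShell script so the original PublicFQDNPrefix value is saved and put back even if the session is interrupted. This is an added example, not part of the original post; it assumes an elevated PowerShell 2.0 or later session (for try/finally), and the backup file location is a hypothetical choice.

```powershell
# Added example: temporarily set PublicFQDNPrefix to * and always restore it.
# Run from an elevated PowerShell prompt on the SBS 2008 server.
$key    = 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer\Networking'
$name   = 'PublicFQDNPrefix'
$backup = Join-Path $env:TEMP 'PublicFQDNPrefix.original.txt'   # hypothetical backup location

# Confirm a wildcard certificate with a private key is already in the
# Computer Account's Personal store; the wizard has nothing to offer otherwise.
$wildcards = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match 'CN=\*\.' -and $_.HasPrivateKey })
if ($wildcards.Count -eq 0) {
    throw 'No wildcard certificate with a private key found in Cert:\LocalMachine\My.'
}
$wildcards | Format-List Subject, Thumbprint, NotAfter | Out-Host

# Read the current value. If it is already *, an earlier run was not reverted,
# so stop rather than overwrite the backup with the temporary value.
$original = (Get-ItemProperty -Path $key -Name $name).$name
if ($original -eq '*') {
    throw "$name is already '*'. Restore it from $backup before running this again."
}
Set-Content -Path $backup -Value $original   # on-disk copy in case the session dies

try {
    Set-ItemProperty -Path $key -Name $name -Value '*'
    Read-Host 'Reopen the Windows SBS Console, run the Add a Trusted Certificate wizard, then press Enter'
}
finally {
    # Put the original prefix back and verify that the write took effect.
    Set-ItemProperty -Path $key -Name $name -Value $original
    $current = (Get-ItemProperty -Path $key -Name $name).$name
    if ($current -ne $original) {
        Write-Warning "$name is '$current'; expected '$original'. Original value is saved in $backup."
    } else {
        Write-Host "$name restored to '$original'."
    }
}
```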

15 comments:

Unknown said...

Great post! I spent HOURS trying to figure out this issue before I found your fix.

Another related issue I was having was with the Terminal Services Gateway SSL Certificate setting. A fix for this is found here:

http://blogs.technet.com/sbs/archive/2009/06/19/common-remote-web-workplace-rww-connect-to-a-computer-issues-in-sbs-2008.aspx

Thanks!

Anonymous said...

Thanks! Saved me a lot of trouble!

Digital Arts said...

I'm seeing problems with a GoDaddy Wildcard SSL renewal - Have resorted to removing the original cert and re-importing, followed through your notes above and everything reports OK in the wizard but RWW still shows the old and now expired SSL?

stryqx said...

@DigitalArts you'll probably need to restart IIS for the new certificate to be used by RWW.

The Ops Mgr said...

Thanks for this info - just installed my wildcard cert using these instructions and it worked like a charm.

Ashwin Manoharan said...

Thank you, sir. I have been trying to import the wildcard cert for a long time and your steps worked perfectly.

Anonymous said...

Thanks! Works like a charm!

peggy said...

Very detailed explanation about Installing a wildcard SSL. I will definitely share them with my group or on my blog.

Thank you for sharing

Sameer Rai said...

I did exactly as per the instruction on my SBS 2008 and changed the required setting to * in the registry. But when I am running the wizard to "Add trusted Certificate", it still shows the old form and not the one to accept the wildcard certificate.

Anyone, Pls. advise what went wrong in my case.

stryqx said...

Hi Sameer,

Did you close the Windows SBS Console after making the registry change?

Peter Yuen said...

Thank you for this article - very good information on Wildcard SSL with the SBS 2008 Console...

Martijn said...

With your method I can select the wildcard certificate, but it still finishes with an error, saying that the certificate's web address does not match my website's address. Is there a solution for this?

stryqx said...

Hi Martijn,

What's generating this error? The SBS Console, or something like IE?

Martijn said...

The console, or, to be more specific, the wizard to add a trusted certificate. The server is rebooting now and after that I'll retry.

stryqx said...

Hi Martijn,

It's possible that a later SBS 2008 Update Rollup has made changes that prevent this workaround from working. I don't have an SBS 2008 install handy to verify either :-(