So ya wanna * in your trusted cert wizard?

On February 18, 2010, in news, by

First off, a caveat.  For SBS there’s no need to have a UCC/SAN cert for your trusted cert.  You don’t need a wildcard either unless you have a very specific need for it. You can use remote.domain.com and then set up your autodiscover DNS information as was posted by the Third Tier folks — http://www.thirdtier.net/2009/02/setting-up-an-external-autodiscover-record-for-sbs-2008/ and it works PERFECTLY.  So cheap beancounter Susan doesn’t have to buy an expensive SSL cert; she can be the skinflint cheap beancounter and buy the cheapest Godaddy SSL cert they’ve got.  [Mind you, as the Hickinator pointed out in the SBS 2008 newsgroups, my recommendation of Godaddy is encouraging sexist female advertising, so you can always buy from SSLDirect.com ]

But IF you really and truly have a business need for a wild card cert, and you want to use the trusted cert wizard inside of SBS 2008 because (trust me) it’s easier to use the SSL wizard inside the SBS box, here’s how you do it:

http://technet.microsoft.com/en-us/library/cc765181(WS.10).aspx

“I have discovered that SBS2008 has problems with importing a wildcard cert to use as a trusted cert. The cert was issued to *.mydomain.com as it should be, as it is a wildcard cert, and my SBS server was configured to use remote.mydomain.com for RWW.

When trying to run the “Add Trusted Certificate” wizard the system would not let me select my trusted cert (present in the Personal/Certificates store on the SBS server). However it did present me with the remote.mydomain.com certificate. There were no chaining or permission errors on the certificate, it was exportable, and all extensions were also imported. The cert was correct and should be working.

What I did was to go into the registry and change HKLM\SOFTWARE\Microsoft\SmallBusinessServer\Networking\PublicFQDNPrefix to * instead of remote. Then ran the wizard. It now presented me with the option to use the wildcard cert instead. Selected the wildcard and then finished the wizard. Changed the registry value back to remote and everything works fine now.

The wizard will look for usable certs with the same name as the public RWW name and therefore you are not able to use wildcard certs without the above workaround. This bug/issue/feature limitation has not as of today (2009-jul-08) been acknowledged by Microsoft.

Remember that you can use something other than remote as your prefix; just remember to click “advanced” in that domain name wizard and you can enter whatever prefix you want (or none, like I do).
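If you want the registry dance above done with a safety net, here is an added example script (mine, not from the original post, the TechNet comment, or Microsoft): it saves the current PublicFQDNPrefix value, checks that the wildcard cert is actually sitting in the machine Personal store with its private key (which is what the wizard needs before it will show the cert at all), flips the prefix to *, waits while you run the Add a Trusted Certificate wizard, and then puts the original value back even if something goes wrong in between. The registry path is the one quoted in the post; the domain name is a placeholder, and it assumes an elevated PowerShell prompt on the SBS 2008 box.

```powershell
# Added example, not code from the original post. Assumes an elevated
# PowerShell prompt on the SBS 2008 server. The registry path is the one
# quoted in the TechNet comment; $Domain is a placeholder you must change.

$RegPath   = 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer\Networking'
$ValueName = 'PublicFQDNPrefix'
$Domain    = 'mydomain.com'      # placeholder: your public domain

# 1. The wizard only lists certs from the machine Personal store that have a
#    usable private key, so check that first. The '[*]' escapes the literal
#    asterisk in the wildcard subject for the -like comparison.
$wild = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=[*].$Domain*" }

if (-not $wild) {
    Write-Warning "No certificate issued to *.$Domain found in Cert:\LocalMachine\My. Import it first."
    return
}
if (-not $wild.HasPrivateKey) {
    # Typical when the cert was imported without its key (e.g. from a .cer).
    # certutil -repairstore can re-associate a key that is still on this box.
    Write-Warning "Wildcard cert found but it has no private key attached."
    Write-Warning "Try: certutil -repairstore my `"$($wild.SerialNumber)`" and re-run."
    return
}
Write-Host "Found wildcard cert, thumbprint $($wild.Thumbprint), expires $($wild.NotAfter)"

# 2. Save the current prefix (normally 'remote') so it can be restored.
$orig = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
Write-Host "Current $ValueName is '$orig'; saving it for restore."

try {
    # 3. Temporarily set the prefix to '*' so the wizard's name match succeeds.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value '*'
    Write-Host "$ValueName set to '*'."

    # 4. Run the wizard from the SBS Console while this script is paused.
    Read-Host 'Now run Add a Trusted Certificate in the SBS Console, pick the wildcard cert, finish, then press Enter here'
}
finally {
    # 5. Always restore the original prefix, even on Ctrl+C or an error,
    #    so RWW keeps answering on remote.<domain>.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $orig
    Write-Host "$ValueName restored to '$orig'."
}
```

Leaving the prefix at * by accident is the thing most likely to bite you later (the SBS wizards build the public name from that value), which is why the restore lives in the finally block rather than at the end of the happy path. If the HasPrivateKey check fails, that is the same symptom Chris Knight describes in the comment below; fix the key association before touching the registry, because the wizard will still skip a cert it cannot sign with.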


One Response to So ya wanna * in your trusted cert wizard?

  1. Chris Knight says:

    That explains why my previous attempts with wildcard certificates using the Add Trusted Certificate wizard failed.
    I’ve documented my workaround for this behaviour on my blog here:
    http://blog.chrisara.com.au/2009/11/renewing-rapidssl-certificate-on-sbs.html

    Steps 11-17 are most useful in re-associating the private key with the certificate.