Renewing SSL certificates is often a less than straightforward process. Mark Pimperton describes some issues he has faced when renewing SSL certificates.
First up, I confess to not really understanding how SSL certificates work. The world of public and private keys, certification authorities, and cryptographic service providers is a bit mysterious to me. I more or less grasp the point of it all - proving that the site you think you're on is genuine and preventing man-in-the-middle spoofing attacks - but dealing with certificates does not come easily to me. And every time seems to be different - different vendor, different system, different complications. The upside is that when I finally get a certificate installed and working I go home happy.
I'm no expert, definitely just an amateur trying to give myself step-by-step instructions that will work every time. In this series, I pick out some of the gotchas and surprises from my last couple of ventures into certificate renewal, starting with IIS7 for Exchange and Outlook Web Access (OWA).
IIS7 - GoDaddy
Certificate suppliers usually give you two months or more of warning of an imminent expiry, but even before the first GoDaddy renewal email arrived, I was warned by my Win2k8 server that one of my certificates was about to expire or had already done so. Event ID 64 started appearing more than three months before expiry. After reading threads like this, I went to IIS / <server name> / Server Certificates and compared the "thumbprint" given in the event log to the "Certificate Hash." That confirmed my certificate for Outlook Web Access/Exchange was being flagged.
On receiving the renewal email, I clicked through to our account and followed the process outlined below. (I removed some of the detail, such as verifying which card you want to pay on and then discovering at the payment stage that you have to specify it again.)
1. Click the Products tab, expand SSL Certificates, and click Renew for the certificate to be renewed.
2. Select the number of years renewal. Click Renew and then click Checkout.
3. Review the order details and click Continue to Checkout. Complete the payment process.
4. Follow steps 6 to 9 in GoDaddy article 864. When you click Request Certificate, it brings up the screen where you have to enter a new Certificate Signing Request (CSR), so:
a. Log in to GoDaddy, bring up the details of the certificate (SSL Certificates/Launch), and then click Certificates. Click the certificate name to bring up the Common Name, Organization, and Organization Unit, which are needed in the next steps.
b. Go to GoDaddy article 5343 and follow the link to IIS7 instructions - then follow those on the IIS7 / Exchange server. Note that City, State, and Country don't matter but must be populated.
c. Enter the cryptographic details like this:
i. Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
ii. Bit length: 2048
d. Enter a path/filename for the certificate request file, e.g., desktop\certreq.txt.
5. Back on the GoDaddy site: After clicking Request Certificate, leave the certificate location at the default value (Third Party or Dedicated Server) and then paste the CSR text into the box. Click Next, check the details on the next screen, and click Next again. You'll see a confirmation screen that all is well.
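The CSR in step 4 can be produced from the command line instead of clicking through the IIS Manager wizard. The script below is an added example, not code from the article or from GoDaddy: it drives certreq.exe with the same cryptographic provider and 2048-bit key length as step c, and the function name New-IisCsr, the placeholder subject values, and the SHA-256 request hash are my own choices rather than anything the article specifies.

```powershell
# Added example (not from the article or GoDaddy): the CSR from step 4,
# generated with certreq.exe instead of the IIS Manager wizard. The CSP and
# 2048-bit key length match step c; the subject fields are placeholders to be
# replaced with the Common Name, Organization and Organization Unit copied
# from the GoDaddy certificate details (step a). City/State/Country are the
# "must be populated but don't matter" fields from step b.
function New-IisCsr {
    param(
        [Parameter(Mandatory = $true)][string]$CommonName,        # e.g. server.company.co.uk
        [Parameter(Mandatory = $true)][string]$Organization,
        [Parameter(Mandatory = $true)][string]$OrganizationalUnit,
        [string]$City    = 'City',
        [string]$State   = 'State',
        [string]$Country = 'GB',
        [string]$OutFile = "$env:USERPROFILE\Desktop\certreq.txt"   # step d
    )

    # Values containing commas would need quoting inside the subject; plain names assumed.
    $subject = "CN=$CommonName, O=$Organization, OU=$OrganizationalUnit, L=$City, S=$State, C=$Country"

    # certreq reads its settings from an INF file. ProviderType 12 is the
    # Microsoft RSA SChannel provider named in step c(i); KeySpec 1 (key exchange)
    # and KeyUsage 0xA0 (digital signature + key encipherment) are what a TLS
    # server certificate needs, and the EKU OID is "Server Authentication".
    # MachineKeySet keeps the private key in the machine store, where IIS and
    # Exchange look for it; Exportable allows a later backup of the key pair.
    $inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$subject"
KeyLength = 2048
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@

    $infPath = [System.IO.Path]::ChangeExtension($OutFile, '.inf')
    Set-Content -Path $infPath -Value $inf

    # Generate the key pair and the Base64 request file. The pending request
    # lands in Cert:\LocalMachine\REQUEST; IIS Manager's "Complete Certificate
    # Request" later matches the downloaded certificate to that private key.
    & certreq.exe -new $infPath $OutFile
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed with exit code $LASTEXITCODE" }

    # Eyeball the subject and key size before pasting the CSR into the GoDaddy form.
    & certutil.exe -dump $OutFile | Select-String -Pattern 'Subject:|^\s+(CN|O|OU)=|Public Key Length'

    # Return the CSR text so it can be piped straight to the clipboard.
    [System.IO.File]::ReadAllText($OutFile)
}

# Usage with placeholder values; clip.exe puts the CSR on the clipboard for step 5.
# New-IisCsr -CommonName 'server.company.co.uk' -Organization 'Company Ltd' -OrganizationalUnit 'IT' | clip.exe
```

Run it in an elevated PowerShell on the IIS/Exchange server, since the private key is written to the machine store. The .inf file sits next to certreq.txt so the exact request settings are kept for the next renewal.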
After completing the purchase process, we received two emails with two different verification requirements:
1. For our external URL (e.g., server.company.co.uk), we followed the Domain Zone Control validation process (as described in http://help.godaddy.com/article/4678 but via our DNS provider). We updated an existing DZC entry that was there from doing a previous certificate.
a. As per their instructions, go back to the certificates and click the pending request for the external URL.
b. Click What's The Hold-Up?
c. Click Domain Zone Control. The list of Subject Alt Names should change to show all verified. We immediately received an email saying the certificate had been renewed.
2. For our internal domains (autodiscover.<domain>.local and <servername>.<domain>.local), they just asked me to click a link in the email, so I followed this and clicked Approve. After a few minutes, the Pending Request disappeared, and this completed verification.
Download and installation
After purchase and verification, it was time to put the certificate to work. Here's what happened.
1. Clicked the link in the email saying the certificate has been renewed. This took me back to the certificate list on the GoDaddy site.
2. Checked the box next to the renewed certificate and clicked Download. I selected Exchange 2007 and then clicked Download. I saved the downloaded zip file to the server desktop. It contained two files. (Installation instructions in this GoDaddy article.)
3. Glitch #1: Their instructions mostly worked, except that the process doesn't automatically remove the binding to the old certificate.
4. Glitch #2: After changing to the new certificate, I couldn't connect internally to OWA. At one point it gave me a warning I didn't understand; it turned out it was stopping the OWA site in IIS at that point. After restarting the OWA site, I could log in just fine.
5. Checked OWA from outside the LAN.
6. Checked whether the warnings in the event log (event 64) had gone away; they hadn't. This is because the old certificate was still there, although not bound to anything (or so I thought).
7. Glitch #3: I removed the old certificate and started to get Error 12014 and Warning 12024 from Exchange. These messages informed me that the new certificate had to be applied to Exchange and IIS.
8. Microsoft articles like this and this showed me what was going on and how to fix it. I had to run the Exchange Command Shell "as admin." The command Get-ExchangeCertificate | FL * showed that the new certificate was only enabled for IIS, not SMTP. After running the command Enable-ExchangeCertificate -Thumbprint <my certificate thumbprint> -Services SMTP, the warnings went away. Phew.
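Steps 6 to 8 boil down to two checks that are easy to script: which certificate the Event ID 64 warning is pointing at, and whether the renewed certificate has every Exchange service the old one had before the old one is removed. The script below is an added example, not code from the article or from Microsoft. Get-ExchangeCertificate and Enable-ExchangeCertificate are the cmdlets from step 8 and need the Exchange shell opened "as admin"; Get-WinEvent and the Cert: drive are standard Windows PowerShell. The function names, the placeholder host name, and the assumption that the Event 64 text carries the thumbprint as 20 hex byte pairs are mine.

```powershell
# Added example (not from the article): post-install checks covering the
# thumbprint comparison behind the Event ID 64 warning (step 6) and the
# Exchange service assignment behind Glitch #3 (steps 7-8). Function names
# and the placeholder host name are assumptions.

function Get-ExpiryWarningThumbprints {
    # Event ID 64 in the Application log names the expiring certificate by
    # thumbprint. Assumption: it appears as 20 hex byte pairs, possibly
    # separated by spaces or colons (the IIS "Certificate Hash" is shown the
    # same way); normalise to the bare 40-hex form the Thumbprint property uses.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 64 } -ErrorAction SilentlyContinue |
        ForEach-Object { [regex]::Matches($_.Message, '(?:[0-9A-Fa-f]{2}[ :]?){20}') } |
        ForEach-Object { ($_.Value -replace '[ :]', '').ToUpper() } |
        Sort-Object -Unique
}

function Get-MachineCertSummary {
    # Every certificate in the machine Personal store, with days left and a
    # flag if the event log has complained about it.
    param([string[]]$FlaggedThumbprints = @())
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        New-Object PSObject -Property @{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
            Flagged    = ($FlaggedThumbprints -contains $_.Thumbprint)
        }
    } | Sort-Object NotAfter
}

function Get-MissingExchangeServices {
    # Services is a flags value that prints as e.g. "IIS" or "IIS, SMTP";
    # return the required services that are not in it.
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string[]]$Required = @('IIS', 'SMTP')   # what OWA plus mail flow needed here
    )
    $cert    = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $enabled = $cert.Services.ToString()
    $Required | Where-Object { $enabled -notmatch ('\b' + $_ + '\b') }
}

# 1. Which certificate is the event log complaining about? (step 6)
$flagged = @(Get-ExpiryWarningThumbprints)
Get-MachineCertSummary -FlaggedThumbprints $flagged |
    Format-Table Subject, Thumbprint, NotAfter, DaysLeft, Flagged -AutoSize

# 2. Does the renewed certificate carry every service the old one did? (steps 7-8)
#    Pick the newest unexpired certificate for the OWA host name (placeholder).
$owaHost = 'server.company.co.uk'
$new = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "CN=$owaHost*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) { throw "No unexpired Exchange certificate found for $owaHost" }

$missing = @(Get-MissingExchangeServices -Thumbprint $new.Thumbprint)
if ($missing.Count -gt 0) {
    # The fix from step 8. -WhatIf only reports what would change; drop it to apply.
    # Remove the old certificate only once this reports nothing missing; that is
    # the order that avoids the 12014/12024 events.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services ($missing -join ',') -WhatIf
} else {
    "Certificate $($new.Thumbprint) already enabled for: $($new.Services)"
}
```

Running the first part before the renewal tells you which certificate Event 64 is flagging without opening IIS Manager; running the second part after the install, and before deleting the old certificate, catches the SMTP gap that produced Glitch #3.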
For this certificate renewal, the purchase and download process was complicated but relatively painless. The installation process threw up three problems that I'll be ready for next time - if there is a next time.