Cannot display webpage after updating SSL Certificate

Check if the server certificate has the private key corresponding to it. Refer the below picture:

SSL Cert wo and wprivate key

If private key is missing, then you need to get a certificate containing the private key, which is essentially a .PFX file. There is a command that we could try to run in order to associate the private key with the certificate:

 C:\>certutil –repairstore my “‎1a 1f 94 8b 21 a2 99 36 77 a8 8e b2 3f 42 8c 7e 47 e3 d1 33”

 certutil repair

 Note: 1a 1f 94 8b 21 a2 99 36 77 a8 8e b2 3f 42 8c 7e 47 e3 d1 33 is the thumbprint of the certificate. Open the certificate and click on the details tab. Scroll down to find the thumbprint section. Select the thumbprint section and click on the text below. Do a “Ctrl+A” and then “Ctrl+C” to select and copy it. Below is a snapshot for your reference:

cert thumbprint 

If the association is successful, then you would see the following window:

successful cert repair

Redirecting OWA URL’s in Exchange 2010

Great blog post on redirecting OWA URL’s for Exchange 2010 on WS08 R2, tested and it works.

http://briandesmond.com/blog/redirecting-owa-urls-in-exchange-2010/

Renew SSL self-signed certificate in SBS 2008

With Small Business Server 2008, you have the option to use a third party SSL certificate or the default self-signed SSL certificate. By default the self-signed certificate is valid for two years, but how to you renew it without interrupting OWA, Outlook, and Exchange? When the certificate is expired, Outlook 2007/2010 will give you an error message when opening, that the certificate is not valid. Here are the steps to fix it.

1. Goto the Windows SBS Console, click on Network Tab, then Connectivity Tab
2. Click on the certificate icon, then click the “view certificate properties” in the right pane. In the General tab of the new window, it will show the dates that the self-signed certificate is valid for.
3. In the “Connectivity Tasks” area, click “setup your Internet address”, go through the wizard to renew your self-signed SSL certificate.
4. When you now check the certififcate properties, you will see that it is now valid for another two more years.

Installing Thawte’s new 2048 bit certificates

Thawte now is conforming to the new 2048 bit standard for their SSL certificates, which will require you to install two intermediate certificates on your server before they work and is validated. Below are the links to the articles and intermediate certificates. Download both certificates and import them into the “Intermediate Certificate Authority” in the Certificates MMC.

Thawte Intermediate and Cross Root CAs – link

Primary and Secondary Intermediate CAs – link

Disable SSL v2.0 in IIS

While going through a vulnerability scan for PCI compliancy, the report noted that IIS 7 on a Small Business Server 2008 was still using SSL v2.0 instead of SSL 3.0 or TLS 1.0. To disable SSL v2.0:

  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:HKey_Local_MachineSystemCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Server
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK.Note If this value is present, double-click the value to edit its current value.
  6. Type 00000000 in Binary Editor to set the value of the new key equal to “0”.
  7. Click OK. Restart the computer.

IIS negotiates the encryption with the client browser. An attacker could use a tool that tells the server it has only sslv2 (which is weaker) available. If you disable sslv2 it only uses v3 or tls, as requested by browser. A browser only supporting sslv2 would fail.

 This applies to Windows Server 2003, and Windows Server 2008, and both versions of SBS.

http://support.microsoft.com/default.aspx?scid=kb;en-us;187498

Change the Identifier for IIS Websites

First, to find the identifier of a IIS website, you simply need to click the “Websites” folder in the left side of the IIS Manager windows.   The right pane will list the websites on the server and their respective identifiers.  If you need to change one, use the following three commands (assuming the current id is 1 and you want to change it to 2):

CSCRIPT %SYSTEMDRIVE%InetpubAdminScriptsadsutil.vbs STOP_SERVER W3SVC/1
CSCRIPT %SYSTEMDRIVE%InetpubAdminScriptsadsutil.vbs MOVE W3SVC/1 W3SVC/2
CSCRIPT %SYSTEMDRIVE%InetpubAdminScriptsadsutil.vbs START_SERVER W3SVC/2