
Installing a GoDaddy Standard SSL Certificate on SBS 2008 February 12, 2009

Posted by Jim Locke in SBS2008.

I much prefer the use of a public certificate over Microsoft’s. GoDaddy makes it cost-effective and Sean Daniel makes it easy to do. Why should you ever use a self-signed certificate again????

Many providers offer inexpensive SSL certificates for domain-only validation.  GoDaddy seems to be a popular choice given just how inexpensive the certificates are.  GoDaddy’s inexpensive cert is called Standard SSL certificate.

Before we dive in, let’s recap the certificate story in Windows Small Business Server 2008. There are two “types” of certificates and four “states” your certificate can be in.  Those are defined on TechNet in the Managing Certificates section of the SBS documentation.  The two types are “Self-Issued” or “Trusted”, and by default, SBS 2008 ships using a self-issued certificate infrastructure, which is used to authenticate the server to the client, and encrypt the traffic between the remote client and the server. The obvious downside here is there is extra work with the certificate installer package on your remote/non-domain joined clients, and Windows Mobile devices.  At some point there are enough of these to warrant the low cost to upgrade to a 3rd party Trusted certificate.  With a 3rd party trusted certificate, the client computers and mobile devices already trust the root of the 3rd party certificate, as these are maintained by Microsoft Update (and various other solutions for non-Microsoft based clients/devices).

As you probably read when you learned about the Internet Address Management Wizard, we have a number of domain name providers, eNomCentral, GoDaddy, and Register.com.  All three of these providers are very well equipped to sell you and facilitate installing a trusted certificate for your small business network, so feel free to shop around! 

I’ll be going through the steps for GoDaddy today as they are the only provider that requires intermediate certificates, which is a bit more challenging.  The process is the same for all the providers, except that for eNomCentral and Register.com you can skip the intermediate certificate steps, and naturally the UI would be different.  On a final note, I have not had luck with the GoDaddy certificate and Windows Mobile 5. If you have Windows Mobile 5 devices, you may want to consider one of the other partners, but the best thing to do here is open the certificate store on your WM5 device and validate that the root cert for the provider you’re going with is available in the certificate store.

While Matt Williamson’s Installing GoDaddy SSL Certificates on IIS7 talks generically about how to install the GoDaddy SSL certificates, it isn’t detailed enough for SBS 2008.  The steps below should provide detailed steps, specific to SBS 2008:

  1. In your Windows SBS Console on the server, navigate to the Network tab and the Connectivity sub-tab and launch the Add a Trusted Certificate connectivity task
  2. Click Next on the welcome screen and choose I want to buy a certificate from a certificate provider and click Next.
  3. Verify this information is correct.  This information will be encoded in the request to the certificate provider, and cannot be changed without buying a new certificate.  Additionally for some certificate requests this information could be used to contact you to validate the ownership of the domain name.  Then click Next.
  4. Once you get to the screen below, you are now going to deal with only the certificate provider, with the encoded certificate request shown in the gray box.  Since most providers have you paste this into a web browser, you should click the Copy button to place this into your clipboard.
    1. IMPORTANT: It’s important not to click back or next-back on this page, as it will re-generate a new encoded string, which will not match the request you make to your cert provider.
  5. Once the encoded string is copied safely (I paste it into Notepad so I don’t lose it during the process), let’s close the Trusted Certificate wizard for now to get it out of the way and prevent errors now that we have that encoded text in the clipboard (and hopefully in Notepad).  Click Next, then select My certificate provider needs more time to process the request, and click Next again. The wizard will show a warning that it could not import the certificate into Remote Web Workplace.
    1. You will also notice after you click Finish, that the console now shows Request Submitted and you have an option to Remove this Certificate, which we don’t want to do unless we want to go back to the beginning.
  6. At this point, go to your provider’s website and follow the instructions for purchasing a certificate.  The provider will most likely ask you to purchase the certificate before they collect the certificate information (encoded text above) from you. Notes:
    1. The provider may try to sell you other services. Feel free to browse, but the server doesn’t require additional services.
    2. The server does not require a wildcard certificate; port numbers (such as 987) are used to save you the cost of purchasing a wildcard certificate.
    3. You should get a confirmation email with instructions on how to install the certificate.  My particular email has a section in it stating to log into the website to obtain my cert.
  7. Once I log into my account, it’s abundantly clear that I have a certificate set up waiting for me.
  8. I log in to my account using the ID and choose to use my certificate credit.
  9. Next you will want to go to the Manage Certificate Control Panel.
  10. In the control panel, select your certificate credit and click Request Certificate.
  11. Now you are prompted to insert the CSR, or Certificate Signing Request, which is all of the information you copied out of the trusted certificate wizard (and put into Notepad right?)
    1. IMPORTANT: Make sure you select the server software to be Microsoft IIS.
    2. Note: the actual domain name you are requesting for is encoded in the string from within the Trusted Certificate wizard
  12. Validate that the information in the cert is correct (once you confirm it, it’ll cost more money to do this over again), and then click Confirm.
  13. Once you confirm, an email gets sent to the email account on file for that domain name. Once you get that email, there is a verification link inside it that needs to be clicked.  Click it and approve the request, and some more email will come into that account you just checked: one to tell you that it was approved, and one to give you the link to go and get the encoded text.
    1. One thing to note here is there are two things to download, the signed certificate itself, and the intermediate certificates which must also be installed on the website.
  14. Validate the install type is IIS and click Continue, then proceed to the Download Signed Certificate link and save the certificate to the desktop of the server.
  15. Then click the IIS Installation Instructions link to open up the installation instructions.  It’s important to use these instructions for installing the Intermediate Certificate Bundle.  You can follow the Installing the SSL certificate steps as well, but it will change the flow through the Trusted Certificate wizard shown later in this instruction set.
    1. So follow the steps from GoDaddy.com, but I’m going to paste and modify them for SBS 2008 here for you as well… These are of course subject to change without notification!!!
      1. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC). Agree to the UAC prompt
      2. In the Management Console, select File; then “Add/Remove Snap In.”
      3. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
      4. Choose Computer Account; then click Next and Finish.
      5. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
      6. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
      7. Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.
      8. Follow the wizard prompts to complete the installation procedure.
      9. Click Browse to locate the certificate file (gd_iis_intermediates.p7b). You’ll have to change the file filter at the bottom right to PKCS #7 Certificates.
      10. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.
      11. Click Finish.
  16. Once this is imported, we can go back to the Trusted Certificate wizard in the product
    1. Click Add a Trusted Certificate in the console to re-launch the wizard if you closed it (as recommended above), and click Next on the welcome page.
    2. Click I have a certificate from my certificate provider and click Next.
    3. Since GoDaddy provided me with a file, I’m going to browse to the file that matches my domain name, in this case remote.seandaniel.net, and click Next (alternatively, if the provider gave back encoded text, that could be pasted into the wizard too).
    4. We’re finally done, click Finished!  Now remote clients will get the benefit of a trusted certificate, and the console reports Trusted as the certificate type.
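
A check you can run on the server after the wizard finishes, as an added example that is not part of the original post or GoDaddy's instructions: it builds the chain for each certificate issued to your remote name and reports whether every intermediate in that chain is really present in the Intermediate Certification Authorities store. The host name `remote.example.com` is a placeholder and an assumption; substitute the name you requested.

```powershell
# Added example. $HostName is a placeholder (assumption): use the name you
# requested the certificate for.
$HostName = 'remote.example.com'

# Thumbprints present in the Intermediate Certification Authorities store.
$intermediates = Get-ChildItem Cert:\LocalMachine\CA |
    ForEach-Object { $_.Thumbprint }

# Every certificate in the computer's Personal store issued for that name.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$HostName*" }

foreach ($cert in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups so the result does not depend on network access.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    Write-Host "Thumbprint: $($cert.Thumbprint)"
    Write-Host "Issuer    : $($cert.Issuer)"
    Write-Host "Expires   : $($cert.NotAfter)"
    Write-Host "Chain OK  : $trusted"

    $i = 0
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        if ($i -eq 0) {
            $role = 'server'
        } elseif ($c.Subject -eq $c.Issuer) {
            $role = 'root'
        } elseif ($intermediates -contains $c.Thumbprint) {
            $role = 'intermediate (in local store)'
        } else {
            $role = 'intermediate (MISSING from local store)'
        }
        Write-Host ("  [{0}] {1}: {2}" -f $i, $role, $c.Subject)
        $i++
    }
    # Any entries here explain why Build() returned False.
    foreach ($status in $chain.ChainStatus) {
        Write-Host "  Status: $($status.Status)"
    }
}
```

Run it in an elevated PowerShell session on the server. A `PartialChain` status or a MISSING line means the intermediate bundle import from step 15 did not take effect, and the Issuer line tells the provider-issued certificate apart from the one issued by the server itself.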

It’s important to use the Trusted Certificate wizard for the last step, to ensure that the certificate is bound to the correct IIS website, as well as TSGateway for remote desktop access.  If you followed all the steps from GoDaddy to install the certificate, simply run the Trusted Certificate wizard and choose I want to replace the existing certificate with a new one, and you’ll get shown the trusted certificate and the self-issued certificate for your domain name. Just choose the appropriate one based on the type and the expiration date.


On a final note, to renew your certificate after the year, just click that Add a Trusted Certificate link in the console, but this time through choose I want to renew my current trusted certificate with the same provider, and follow the instructions!

I did want to call out that NetoMeter.com has a 4-step video process on how to add GoDaddy SSL certificates to your SBS 2008 server, but a $30 monthly subscription is required to view it, which might be worth it depending on how much help you need with your SBS 2008 server, or might not be worth it if this is your only challenge.

Title: Installing a GoDaddy Standard SSL Certificate on SBS 2008
Author: Sean Daniel
Publication Date: 2/11/2009 4:33:59 PM

Feed Title: SeanDaniel.com – SBS 2003 and Technology Discussions


Group Policy Preferences Will Reduce Logon Scripts : Mapping Drives February 12, 2009

Posted by Jim Locke in SBS2008.

Mapping drives with Group Policy has never been easier, thanks to this article from the GP Team!

Too often, I ask if people are familiar with GP Preferences and get a blank stare. I will say this over and over again:

GP Preferences will dramatically reduce your logon scripts

GP Preferences has clean, easy-to-use reporting and UI

Lots of things get accomplished in scripts (mapped drives, set registry keys, managed devices, etc. ) GP Preferences can do all of that, plus you’ll be able to manage the setting in the UI, target your config with cool filtering, and use the reporting to see what you did. I’ll show you what I mean by using GP Preferences to map a drive.

Open up GPEdit for the GPO in question; click the ‘User Configuration’ folder, then click the ‘Preferences’ folder. You can see all of the user-relevant options you can set in Preferences. Find Drive Maps under ‘Windows Settings.’

Also in Windows Settings: Applications, Drive Maps, Environment, Files, Folders, Ini files, Registry, and Shortcuts.

In Control Panel settings: Data Sources, Devices, Folder Options, Internet Settings, Local Users and Groups, Network Options, Power Options, Printers, Regional Options, Scheduled Tasks, Start Menu.

Drive Map UI screen

Now right-click on Drive Maps and select ‘new’. You will see the dialog below: these drop down menus allow you to configure what you’ve been scripting, and more, in UI.

Here, I just filled in a couple things, the location (\\server\Users\%logonuser%) , the label (“User”), and the drive letter to use (“U:\”).

And to see what that Preference item looks like in XML, just click this icon:

I’ll go into the XML part of GP Preferences in another post.

If you’d like to target this drive mapping to be more specific, go to the Common Tab and click on ‘Item-level Targeting’. This is where you can make your targeting really granular: you have 29 different filtering options…what the computer is named, what day it is, what IP range the machine is on, what type of music the user is listening to (ok, that was a joke. I don’t know how you would do that). This also includes some old favorites (WMI Query, MSI Query, LDAP Query) along with new ones (Battery Present, Language, Operating System).

Now check it out in the reporting:

The reporting is precise, clear, and findable. That’s more than what you’d get from a logon script that mapped the same drive. I think I have proved my point. Now go – explore GP Preferences! Map drives! Create shortcuts, folders, and scheduled tasks!

Get GP Preferences (and read more) here

Get more tips on how to use GP Preferences here

Hope this helps,

Lilia Gutnik,

Group Policy PM

Title: GP Preferences Will Reduce Logon Scripts : Mapping Drives
Author: GPTeam
Publication Date: 2/11/2009 9:33:50 PM

Feed Title: Group Policy Team Blog

Microsoft Blogger Releases “Windows Image to Virtual Hard Disk Converter” (WIM2VHD) for Windows 7 February 6, 2009

Posted by Jim Locke in Tools.

Looks like a great way to try out Windows 7!

Microsoft MSDN Blogger, Mike Kolitz, has released his Windows Image to Virtual Hard Disk Converter (WIM2VHD) – a command-line tool that allows you to create sysprepped VHD images from any Windows 7 installation source. VHDs created by WIM2VHD will boot directly to the Out Of Box Experience, ready for your first-use customizations. You can also automate the OOBE by supplying your own unattend.xml file.

Title: Microsoft Blogger Releases “Windows Image to Virtual Hard Disk Converter” (WIM2VHD) for Windows 7
Link: http://bhandler.spaces.live.com/Blog/cns!70F64BC910C9F7F3!5245.entry
Publication Date: 2/6/2009 1:11:13 PM

Feed Title: The Road to Know Where
Feed URL: http://bhandler.spaces.live.com/feed.rss