Solution
This tutorial will be given in 3 parts. All parts must be completed, but you may find that either Part I and/or Part II may already be completed depending on your security settings and the version of your Windows Server. If the certificate installation is a renewal of an already existing QuoVadis certificate, you may not need to do Parts I and II as you should already have installed the certificates previously. The intermediate files must also be installed to ensure that some browsers do not show a certificate error.
This KB article assumes that you have already created a CSR and it is in process in the Windows Small Server console. If this is not the case, then the install may not work.
Part I - Installing the Intermediate (chaining) Certificate
Part I explains how to install the intermediate files that are required. QuoVadis uses an intermediate certificate that must be installed on the server to prevent errors in certain browsers. You may want to go through these steps and if the intermediate certificate is not installed, then please obtain it and follow through with the rest of Part I. These files have been included in this knowledge base article.
First you must open the Microsoft Management Console.
- Click on Start and then Run.
- In the Run window, type MMC in the Open: field and click on the OK button.
The Console1 window will appear.
- Click on File at the top and then select Add/Remove Snap-in... Alternatively, you can press Ctrl + M.
- In the Add/Remove Snap-in window, click on the Add... button at the bottom. This will open a third window named Add Standalone Snap-in.
- Scroll down in the Add Standalone Snap-in window and find the Certificates component. Once found, highlight it and click on the Add button at the bottom. Alternatively, you can double-click on Certificates.
In a new window, you will be given 3 options for which account you want the certificates snap-in to manage.
- Select the Computer account radio button and click on the Next button.
- At the next screen, click on the Finish button.
- Back in the Add Standalone Snap-in window, click on the Close button.
- Click on the OK button in the Add/Remove Snap-in window.
You should be back in the Console1 window. You will see that the Certificates (Local Computer) has been added on the left hand pane.
- Click on the "+" sign next to Certificates (Local Computer) to expand it.
- Locate and expand the Intermediate Certification Authorities store and then click on the Certificates folder underneath it.
In the right hand pane, you should see a list of certificates. Verify that you have the QuoVadis Global SSL ICA G2 certificate in this list of certificate in the right hand pane. If you do have this certificate in the Intermediate Certification Authorities store, then you can skip to Part II. If you do not, then the next steps will guide you through the process of installing this file.
- Place the certificate in a directory where it can be accessed by the server.
- Right-click on the Certificates folder underneath the Intermediate Certification Authorities folder and in the drop-down menu, select All Tasks and then click on Import.
- The Certificate Import Wizard will appear. At the welcome screen, click on the Next button.
- You must specify the file to import. Click on the Browse... button and find and select the QuoVadis Global SSL ICA G2 certificate. Once selected, it should appear in the File name: field. Click on the Next button.
- On the next screen, the option for Place all certificates in the following store should be selected by default and in the Certificate store: field should be Intermediate Certification Authorities. Click on the Next button.
- At the summary screen, click on the Finish button.
You should get a message that reads, "The import was successful."
Part II - Installing the Root Certificates
Generally, your Windows Server should have the QuoVadis Root certificates installed, however there have been cases where they have not been. When you install the SSL certificate, if the root certificate is not present, the system will prompt you to trust it, which will also install it. For Part II, you will be installing the QuoVadis Root Certification Authority and the QuoVadis Root CA 2, which expires 2031. Part II assumes that you currently have the Microsoft Management Console open. If you do not, you can find the instructions in Part I of this guide, steps 1-9.
- Click on the "+" sign next to Certificates (Local Computer) to expand it (if it isn't already expanded).
- Locate and expand the Trusted Root Certification Authorities store and the click on the Certificates folder underneath it.
In the right hand pane, you should see a list of certificates. Click on any certificate that you see and press the letter "Q" on your keyboard to fast-track to the QuoVadis root certificates. Verify that you have the QuoVadis Root CA 2 certificate in this list of certificates in the right hand pane. If you see the QuoVadis Root CA 2 certificate, please make sure that the expiry date of this certificate is 2031 and not 2017. If the certificate is present, then your website should not show any trust errors then you can skip to Part III. If you do not see this certificate in the Trusted Root Certification Authorities store, then the next steps will guide you through the process of installing this file.
- Place the certificate in a directory where it can be accessed by the server.
- Right-click on the Certificates folder underneath the Trusted Root Certification Authorities folder and in the drop-down menu, select All Tasks and then click on Import.
- The Certificate Import Wizard will appear. At the welcome screen, click on the Next button.
- You must specify the file to import. Click on the Browse... button and find and select the QuoVadis Root CA 2 certificate. Once selected, it should appear in the File name: field. Click on the Next button.
- On the next screen, the option for Place all certificates in the following store should be selected by default and in the Certificate store: field should be Trusted Root Certification Authorities. Click on the Next button.
- At the summary screen, click on the Finish button.
You should get a message that reads, "The import was successful."
Part III - Installing the Certificate
Part III explains how to install the SSL certificate.
- Obtain your certificate from QuoVadis and ensure that it is in PEM format. By default, Trust/Link provides you certificates in PEM format.
Note: Although Small Business Server will accept certificates in DER format, PEM is much easier to work with.
- Open up the Windows Small Business Server console.
- Click on the Network section at the top and then select the Connectivity tab.
- Underneath Connectivity Tasks on the right-hand side, click on Add a trusted certificate.
- The Add a Trusted Certificate wizard will appear. Click on the Next button.
- On the A request is in progress page, select the I have a certificate from my certificate provider radio button and click on the Next button.
- The Import the trusted certificate page will appear. Choose one of the following options to import your certificate:
- Open the certificate you received in PEM format using Notepad.
In the Trusted Certificate text input field, paste in the contents of your certificate. You must include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.
Note: A PEM encoded certificate opened in Notepad (or similar text editor) will contain alphanumeric characters and the BEGIN and END tags as shown above. If you noticed that Notepad contains strange symbols that are not alphanumeric, then your certificate is not in PEM format.
- You can also simply click on the Browse... button and navigate to the certificate file. This option should accept PEM or DER certificates.
- When you have input the certificate, click on the Next button.
- On The trusted certificate is imported successfully page, click on the Finish button.
OCSP Stapling Support
Although optional, it is highly recommended to enable OCSP Stapling which will improve the SSL handshake speed of your website.
Windows Server 2008 automatically utilizes OCSP Stapling by default. No additional configuration is required.
You can read up on more on OCSP Stapling at https://support.quovadisglobal.com/KB/a415/what-is-ocsp-stapling.aspx.