How to reinstall the Certification Authority role

Updated: March 25, 2009

Applies To: Windows SBS 2008

Problem   You receive an “invalid certificate” error message when you try to use Remote Web Workplace, when you run the Internet Address Management Wizard, or when you run the Fix My Network Wizard.

Features affected   During Windows SBS installation, in the answer file, if the property name for CANameOverride is the same as the domain name for remote access, the Internet Address Management Wizard does not create the certificate. This is because it is impossible to create a leaf certificate with the same name as the CA Name. When you run any feature that uses a self-signed certificate, such as Remote Web Workplace, Outlook Web Access, Terminal Services Gateway, the Internet Address Management Wizard, or the Fix My Network Wizard, you receive an “invalid certificate” error message.

Solution   To resolve this issue, do the following:

  1. Remove the Certification Authority role on your server running Windows SBS 2008.

  2. Reinstall the Certification Authority role on your server running Windows SBS 2008.

  3. Set the CAName registry key.

  4. Remove the existing certificate installation package and the server certificate.

  5. Run the Fix My Network Wizard to create a new certificate installation package and server certificate.

Note

You must be a network administrator to complete this procedure.

To remove the Certification Authority role

  1. Click Start, click Administrative Tools, and then click Server Manager.

  2. In the User Account Control window, click Continue.

  3. In the Server Manager console, expand Roles, and then click Active Directory Certificate Services.

  4. In the Active Directory Certificate Services details pane, within the Role Services section, click Certification Authority, and then click Remove Role Services. The Remove Role Services Wizard appears.

  5. On the Select Role Services page, clear the Certification Authority check box, and then follow the instructions to complete the wizard.

  6. After the Remove Role Services Wizard is finished, restart the server to complete the uninstall process.

  7. After your server restarts, Server Manager starts and runs the Resume Configuration Wizard to complete the removal.

  8. To close the Removal Results window, click Close.

Note

The Server Manager is still running at this point.

To install the Certification Authority role

  1. If the Server Manager is not already running, click Start, click Administrative Tools, and then click Server Manager.

  2. On the User Account Control page, click Continue.

  3. In the Server Manager console, right-click Roles, and then click Add Roles. This launches the Add Roles Wizard.

  4. In the Add Roles Wizard, do the following:

    a. On the Select Server Roles page, check Active Directory Certificate Services.

    b. On the Role Services page, select the Certification Authority check box only. Ensure that the Certification Authority Web Enrollment is not selected.

    c. On the Setup Type page, select Enterprise.

    d. On the CA Type page, select Root CA.

    e. On the Private Key page, select Create a new private key, click Next, and then set the following as indicated:

      • For Cryptography, select Microsoft Strong Cryptographic Provider.

      • For Key character length, select 2048.

      • For Algorithm, select sha1.

      • Take note of the CA Name to use later when setting the CAName registry key in the following procedure.

      • For Validity period, select 5 years.

    f. On the Certificate Database page, keep the default settings.

    g. On the Confirmation page, review the settings.

    h. On the Installation Results screen, click Close.

  5. Close Server Manager.

To set the CAName registry key

  1. Click Start, in the Search box type regedit, and then press ENTER.

  2. On the User Account Control page, click Continue.

  3. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\Networking.

  4. In the details pane, right-click CAName, click Modify, and then set the Value data to the CA Name that you recorded in step 4e of the previous procedure.

  5. Close Registry Editor.

To delete the certificate installation package and the old certificate

  1. Click Start, in the Search box type \\<ServerName>\public\downloads\, where <ServerName> is the name of your server, and then press ENTER.

  2. Right-click InstallCertificatePackage.zip, and then click Delete.

  3. Close the Windows SBS Console, if it is open.

  4. Click Start, click Administrative Tools, and then click Windows SBS Console (Advanced Mode).

  5. On the User Account Control page, click Continue.

  6. On the navigation bar, click Network, and then click Connectivity.

  7. In the task pane, click Manage certificates.

  8. Navigate to Certificates (Local Computer)\Personal\Certificates, and then delete remote.<Domain>.<tld>, if it exists, where <Domain> is the name of your domain and <tld> is the top level domain (such as .com or .org).
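
Before you run the Fix My Network Wizard, you can confirm from PowerShell that the preceding procedures left the server in the expected state. The following script is an added example and is not part of the original article; the remote access name is a constructed placeholder, and the script assumes that Active Directory Certificate Services records the name of the installed CA in the Active value of its CertSvc\Configuration registry key.

```powershell
# Added example: pre-flight check before running the Fix My Network Wizard.
# Run in an elevated PowerShell session on the Windows SBS server.
# $RemoteName is a constructed placeholder for remote.<Domain>.<tld>; substitute your own.
$RemoteName = 'remote.contoso.com'
$ServerName = $env:COMPUTERNAME
$problems   = @()

# 1. CAName value that Windows SBS reads (key and value name from this article).
$sbsKey    = 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer\Networking'
$sbsCaName = (Get-ItemProperty -Path $sbsKey -ErrorAction SilentlyContinue).CAName
if (-not $sbsCaName) { $problems += "CAName is missing or empty under $sbsKey" }

# 2. Name of the CA that the reinstalled role is running.
#    Assumption: AD CS stores it (in sanitized form) in the 'Active' value below,
#    so a CA name with special characters can differ here and needs a manual check.
$csKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$activeCa = (Get-ItemProperty -Path $csKey -ErrorAction SilentlyContinue).Active
if (-not $activeCa) {
    $problems += 'No active CA found; the Certification Authority role is not installed'
} elseif ($sbsCaName -and $sbsCaName -ne $activeCa) {
    $problems += "CAName '$sbsCaName' does not match the installed CA '$activeCa'"
}

# 3. Root cause from this article: a leaf certificate cannot carry the CA's own name,
#    so the CA name must differ from the remote access name.
if ($sbsCaName -and $sbsCaName -eq $RemoteName) {
    $problems += "CA name equals the remote access name '$RemoteName'"
}

# 4. The old server certificate must be gone from Certificates (Local Computer)\Personal.
$old = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$RemoteName*" }
foreach ($cert in $old) {
    $problems += "Old certificate still present: $($cert.Subject) [$($cert.Thumbprint)]"
}

# 5. The old certificate installation package must be gone from the public share.
$package = "\\$ServerName\public\downloads\InstallCertificatePackage.zip"
if (Test-Path $package) { $problems += "Old package still present: $package" }

# Report: an empty list means the wizard can create a fresh certificate and package.
if ($problems.Count -eq 0) {
    'Ready: run the Fix My Network Wizard.'
} else {
    $problems | ForEach-Object { "NOT READY: $_" }
}
```
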

To run the Fix My Network Wizard

  1. Open the Windows SBS Console.

  2. On the navigation bar, click the Network tab, and then click Connectivity.

  3. In the task pane, click Fix My Network.

  4. Follow the instructions in the wizard.