Updating the Wildcard Certificate
Creating the Certificate Request
- Remote into bt-az-exch01
- Open IIS
- Complete the onscreen prompts
Generating the New Certificate
- Open SSL Manager on bt-az-exch01
- Make sure the account is logged in using the account details in 1Password
- Right click the existing SSL certificate in SSL Manager
- Click Generate CSR
- Tick Add optional fields
- Organization = Brandon Trust
- Department = Digital Services
- City = Bristol
- Country = United Kingdom
- Click Generate CSR
- Click Send to SSL.com
- Use existing order number (co-f51jc5sn8e5 at time of writing, otherwise confirm in SSL.com)
- Fill in first name, last name, email address, phone number, country
- Click Place Order
- Right click the Pending Certificate Request
- Click install Certificate
- Open Local Computer Certificates
- Expand Personal | Certificates
- Right click the new certificate (identify it by the new expiry date)
- All Tasks | Export
- Follow the prompts and select “Yes, export the private key”
- Set a password
- Select the file name to output
- Click Finish
You should now have a pfx file in the location that you specified.
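Before copying the pfx to every server, it is worth confirming that the export actually produced what the rest of this runbook expects. The PowerShell check below is an added example, not part of the original runbook: it loads the pfx in memory, confirms it is the wildcard, carries the private key and has the new expiry, and prints the thumbprint so each binding can be compared against it later. The file path is a placeholder for whatever name you chose in the export wizard.

```powershell
# Added check, not part of the original runbook: validate the exported pfx before it is
# installed anywhere, and record its thumbprint for later binding checks.
# Assumption: $PfxPath is a placeholder for the file name chosen in the export wizard.
$PfxPath  = 'C:\BT\brandontrust-wildcard.pfx'                   # placeholder
$Password = Read-Host -AsSecureString -Prompt 'PFX export password'

# Load the pfx in memory only; this check adds nothing to any certificate store.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $Password)

$checks = [ordered]@{
    'Subject is *.brandontrust.org'   = ($cert.Subject -match 'CN=\*\.brandontrust\.org')
    'Private key was exported'        = $cert.HasPrivateKey
    'Already valid (NotBefore)'       = ($cert.NotBefore -le (Get-Date))
    'Expires more than 30 days out'   = ($cert.NotAfter -gt (Get-Date).AddDays(30))
    'Issued by a CA (not self-signed)' = ($cert.Subject -ne $cert.Issuer)
}

"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Result = $(if ($_.Value) { 'PASS' } else { 'FAIL' }) }
} | Format-Table -AutoSize

if ($checks.Values -contains $false) {
    Write-Warning 'At least one check failed; do not install this pfx until it is resolved.'
}
```

Keep the printed thumbprint with your change notes: it is the quickest way to tell the new certificate from the old one in IIS, RRAS and the other consoles below, where several entries can share the same *.brandontrust.org subject.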
Where does the certificate need to be installed and/or configured?
Locations
VM Name        Function
BT-AZ-EXCH01   Exchange backend website
AZ-OA-01       Unauthenticated Email Relay
AZ-OA-HOST     RDS Session Host Cert
BT-AZ-VPN01    VPN Security
BT-AZ-WC       UniFi HTTPS certificate
Azure Locations
Name                        Type              Function
app-scepman-zyzamow3w6j4u   App Service       Provides certificates to devices for always-on-VPN
brandonfrontdoor            Azure Front Door  Provides automatic forwarding of custom domains to new locations
Adding and Configuring the Certificate
BT-AZ-EXCH01
- Double click the pfx file generated in the previous steps
- Install to local machine | personal
- Open IIS
- Expand the server and sites
- Right click Default web site, click Edit Bindings
- Double click anything with the type https
- If the binding currently uses the wildcard (i.e. the certificate shows *.brandontrust.org), change the SSL certificate to the new certificate (use View to confirm you have the correct cert)
- Once done, click the server name
- Click restart on the right
AZ-OA-01
- Double click the pfx file generated in the previous steps
- Install to local machine | personal
- Open IIS 6.0 Manager, not the newer IIS Manager (this is important: the SMTP virtual server is only shown in the 6.0 console)
- Click the server name
- Right click SMTP Virtual Server #1 | Properties
- Click Access
- Under Secure communication, confirm that the certificate shown has the new expiry date
- Click OK
AZ-OA-HOST
- Double click the pfx file generated in the previous steps
- Install to local machine | personal
- Open Remote Desktop Gateway Manager
- Right click the server name | properties
- Click SSL Certificate
- Click Import Certificate
- Select the certificate with the new expiry date
- Click Import
- Click OK
- Click Yes (this will terminate active connections, best done out of hours)
BT-AZ-VPN01
- Double click the pfx file generated in the previous steps
- Install to local machine | personal
- Open routing and remote access
- Right click the server name, click properties
- Click security
- Under SSL Certificate Binding, select the new certificate (Click view to confirm you have selected the right one)
- Click OK
- Click Yes (note this will disconnect everyone from the VPN, so it is best done out of hours)
BT-AZ-WC
- Copy the pfx file to C:\BT
- Open keystore explorer
- Click Open an existing keystore
- Change “Files of Type” to all files
- Navigate to C:\ProgramData\Ubiquiti UniFi\Data and select keystore
- Click Open
- For the password type “aircontrolenterprise” and press OK
- Click Tools | Import Key Pair
- Select PKCS #12 and Click OK
- Click Browse and select the pfx file you copied over
- Enter the password you set when exporting the pfx
- Add the Alias “unifi”
- Click Yes
- Enter the password “aircontrolenterprise” and confirm it
- Click OK
- Click File | Save then close keystore explorer
- Restart the Unifi Network Server Service
- Visit https://unifi.brandontrust.org:8443 on your computer
- Ensure you reach a login screen
- Confirm on the address bar that the certificate is showing the new expiry date
app-scepman-zyzamow3w6j4u
- Open the app-scepman-zyzamow3w6j4u App Service in the Azure portal
- Click Certificates (under Settings)
- Click Bring your own certificates (.pfx)
- Click Add certificate
- Select upload certificate
- Select the pfx file
- Type the password you added to the certificate when exporting
- Give the certificate a friendly name (I chose Brandon-Wildcard-2025)
- Click Validate
- If all is good, click Add
- Click Custom Domains (under settings)
- Tick scepman.brandontrust.org
- Click the three dots on the right
- Click update binding
- Choose your new certificate
- Click Update
brandonfrontdoor
- Open the KVY-Brandon Key Vault in the Azure portal
- Click Certificates (under Objects)
- Click Generate/Import
- Change Method of Certificate Creation to “Import”
- Give the certificate a friendly name
- Click to upload the certificate, provide the password and click create
- Open the brandonfrontdoor Front Door profile in the Azure portal
- Click Secrets (Under Security)
- Click Add Certificate
- Expand KVY-Brandon
- Tick the new certificate you just imported
- Click Add
- Once finished, click Domains (under Settings)
- Click “Customer Certificate” for each domain
- Select the new secret
- Click Update
- Repeat for every domain that uses a customer certificate (I recommend opening multiple tabs and doing them in batches, as this takes considerable time)
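Once every location has been updated, the only reliable confirmation is to connect to each listener and look at the certificate it actually presents. The script below is an added example, not part of the original runbook: it opens a TLS session to each endpoint (including an SMTP STARTTLS handshake for the relay), reports the expiry and thumbprint, and flags anything that is not the new certificate. The expected thumbprint is a placeholder to copy from the new certificate in Local Computer\Personal; the ports for the internal hosts are assumed (443 for IIS, RD Gateway and the RRAS SSTP listener, 25 with STARTTLS for the relay), and the Front Door custom domain is a placeholder, since the runbook does not list them.

```powershell
# Added verification script, not part of the original runbook: report which TLS listeners
# now present the new wildcard certificate.
# Assumptions: $ExpectedThumbprint is a placeholder; internal ports are assumed as commented;
# the Front Door domain entry is a placeholder.
$ExpectedThumbprint = 'PASTE-NEW-CERT-THUMBPRINT-HERE'

function Get-RemoteCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [switch]$SmtpStartTls      # set for the SMTP relay: negotiate TLS after EHLO/STARTTLS
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $stream = $client.GetStream()
        if ($SmtpStartTls) {
            # Minimal SMTP exchange up to STARTTLS; the TLS handshake then runs on the same socket.
            $reader = [System.IO.StreamReader]::new($stream)
            $writer = [System.IO.StreamWriter]::new($stream)
            $writer.AutoFlush = $true
            $null = $reader.ReadLine()                                          # 220 greeting
            $writer.Write("EHLO certcheck.local`r`n")
            do { $line = $reader.ReadLine() } while ($line -match '^250-')      # read to the final 250 line
            $writer.Write("STARTTLS`r`n")
            if ($reader.ReadLine() -notmatch '^220') { throw 'server did not accept STARTTLS' }
        }
        # Accept whatever certificate is presented so a stale or wrong one is still reported;
        # the pass/fail decision is made below by comparing thumbprints, not by this callback.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($stream, $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # also sends SNI, which Front Door relies on
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host       = $HostName
            Port       = $Port
            Subject    = $cert.Subject
            Expires    = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
    finally { $client.Close() }
}

$Endpoints = @(
    @{ HostName = 'bt-az-exch01';             Port = 443 }                       # Exchange backend site (port assumed)
    @{ HostName = 'az-oa-01';                 Port = 25;  SmtpStartTls = $true }  # SMTP relay (port assumed)
    @{ HostName = 'az-oa-host';               Port = 443 }                       # RD Gateway (port assumed)
    @{ HostName = 'bt-az-vpn01';              Port = 443 }                       # RRAS SSTP listener (port assumed)
    @{ HostName = 'unifi.brandontrust.org';   Port = 8443 }                      # from the runbook
    @{ HostName = 'scepman.brandontrust.org'; Port = 443 }                       # from the runbook (port assumed)
    @{ HostName = 'example.brandontrust.org'; Port = 443 }                       # placeholder Front Door custom domain
)

$results = foreach ($e in $Endpoints) {
    try {
        $r = Get-RemoteCertificate @e
        $r | Add-Member -NotePropertyName Status -PassThru -NotePropertyValue $(
            if ($r.Thumbprint -eq $ExpectedThumbprint) { 'OK' }
            elseif ($r.Expires -lt (Get-Date).AddDays(30)) { 'STALE - still the old certificate' }
            else { 'MISMATCH - different certificate' })
    }
    catch {
        [pscustomobject]@{ Host = $e.HostName; Port = $e.Port; Status = "ERROR: $($_.Exception.Message)" }
    }
}
$results | Format-Table Host, Port, Expires, Thumbprint, Status -AutoSize
```

Run it from a machine that can reach the internal hosts by name. A STALE result on a host you have already updated usually means the service has not been restarted, or the binding was changed on a different site or listener than the one that actually answers; an ERROR on the relay typically means port 25 is not reachable from where you are running the check rather than a certificate problem.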