How Do I Distribute the SBS 2008 Self-Signed SSL Certificate to My Users?

How Do I Distribute the SBS 2008 Self-Signed SSL Certificate to My Users?

  • Comments 14
  • Likes

 [Today's post comes to us courtesy of Shawn Sullivan and Rituraj Choudhary]

Today’s post discusses the certificate distribution package on SBS 2008. The SBS 2008 self-signed SSL certificate that is installed in IIS 7 is a leaf certificate; meaning that the Issued to and Issued by names are not the same. Unlike SBS 2003, Certificate Services is installed as part of setup and a root Certificate Authority (CA) certificate is created to validate the server. If a client machine or mobile device trusts the SBS root CA certificate, it will trust any leaf certificate the CA issues. Therefore, if you change your external domain name and create a new self-signed SSL certificate through the Internet Address Management Wizard (IAMW), these clients and mobile devices will not have to install any new certificates into their stores. Here is an example of the SBS 2008 self-signed certificate:

clip_image002

Because we are now using a CA to assign our self-signed certificate, the distribution process has changed. Unlike the self-signed SSL certificate in SBS 2003, clients can no longer download and install the certificate when browsing RWW or OWA to trust it. To ease the process of certificate distribution to clients and mobile devices, a certificate installation package is created and shared on the server when you run the Internet Management Address Wizard (IAMW). Each time you run the IAMW, this certificate package is updated. It is accessible from the following paths:

  • Local Disk: c:\users\Public\Public Downloads
  • UNC: \\servername\Public\Public Downloads
  • UNC: \\sites\Public\Public Downloads

clip_image004

The package contains both the root certificate and the InstallCertificate.exe application. Users can download either the compressed or uncompressed version of the package to a USB key, floppy, or CD ROM from the UNC path to install on their machines at home. The following is an example of a root certificate in this package:

clip_image006

Installing the Package

InstallCertificate.exe will install the certificate into the machine’s Trusted Root Certification Authority store when you select Install the certificate on my computer. You must be running Vista or XP SP2 or later.

clip_image008

If installing on a mobile device, it must be running Windows Mobile 6 or later. You must connect the device to a machine running either ActiveSync or Windows Mobile Device Center. The certificate will be copied to the device’s root drive and then installed natively by the Windows Mobile OS.

Domain joined clients do not need to install this package; they will already have this certificate in their trusted store.

The root CA certificate is valid for 5 years and the leaf certificates are valid for 2 years. Upon expiration, run the Fix My Network Wizard in the SBS Console to renew them.

**This package is not used if you have installed a 3rd party certificate from a trusted certificate authority using the Add a trusted certificate wizard**

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
Comments
  • Can the CA create a UCC cert with multiple domains or wildcard cert?

  • This is was helpful, thanks.

    I have a few questions tho...creating a self-signed certificate from within the IIS Manager, makes the certificate useful only within the SBS domain...is that correct?

    And, if i change my external domain name, create a new self-signed cert, why is it that i don't have to install it on client PCs/mobile devices.

    Finally, if I use a trusted cert, how should i deploy it to client PCs/mobile devices. Can I use the installer tool for the trusted cert?

    ~A

  • PingBack from http://www.ditii.com/2008/09/30/sbs-2008-distribute-self-signed-ssl-certificate-to-users/

  • SLC,

    The CA that is installed on SBS 2008 can issue both wildcard certificates and certificates with multiple subject alternative names.  In fact, the certificate that is created by the Internet Address Management Wizard and issued by the CA has 3 SANs by default.

  • Aristarkhos,

    The self-signed certificate created in the IIS manager 7 by running the "Create Self-Signed Certificate" wizard does not include your external fully qualified domain name, only the internal FQDN of your server, so this is not the certificate you should be using from the internet.  You need to create your certificate by running the Internet Address Management Wizard (IAMW) or purchase a trusted 3rd party certificate.

    When you change your external domain name with the IAMW, you are only changing the leaf certificate, not the CA certificate. Clients that have the CA certifcate installed into their trusted store (via the certificate distribution package) will trust the new leaf certificate automatically.

    On the third question, trusted certificates are issued by publicly trusted CAs.  You do not need to install these kinds of certificates on your PCs or mobile devices.

  • Since there are more mobile 5 devices in current use than mobile 6, it is interesting that you didn't mention support for mobile 5, or will SBS 2008 no longer support mobile 5.

  • SBS 2008 supports synching with Windows Mobile 5.0, but you must install the certificate manually (Same as SBS 2003) on the device.  

  • So, you're happy that OWA (WOW Fact #1) and RWW (WOW Fact #2) are improved in SBS 2008. But, now

  • I am having the hardest time with this, I don't have the InstallCertificate.exe files. my Public Downloads folder was deleted (not knowing I needed it).

    I have looked through the log but I can't see where its placing it anywhere else, I found the InstallCertificate.exe program but where is the cert file that it needs? does it need any other files? how do I restore this functionality.

  • Hi Chase,

    Open IE on the server and go to Internet Options > Content > Certificates and export the SBS root CA certificate.  Recreate the Public Downloads directory manually (make sure it is shared)and copy in the certficate file and the InstallCertificate.exe.

    I assume that you have found a copy of InstallCertificate.exe in the %programfiles%\Windows Small Business Server\bin directory.  If this file had been missing also, then you could retrieve this through backup, from another SBS 2008 server, or you could use imagex to mount the install.wim from the SBS DVD and copy it from there:

    http://technet.microsoft.com/en-us/library/cc748966.aspx

  • For those of us still with Windows Mobile 5 PDA's like Verizons XV6700 where we have to manually install the certificate, could you point me (us) to a step-by-step for doing that?

  • Hi Richard,

    Check out the section titled "Option A: Configure a Self-Signed Certificate".  This explains the "how to" for installing the SBS 2003 cert onto a Mobile 5 device, but the steps are identical for SBS 2008 certs.

    http://technet.microsoft.com/en-us/library/cc747512.aspx

  • [Today's post comes to us courtesy of Ed Walters, Shawn Sullivan, and Justin Crosby] Today we finish

  • [Today's post comes to us courtesy of Rituraj Choudhary and Shawn Sullivan] After the completion of SBS