
The Official SBS Blog

The official blog for Small Business Server (SBS) support and product group communications.

How Do I Distribute the SBS 2008 Self-Signed SSL Certificate to My Users?

[Today's post comes to us courtesy of Shawn Sullivan and Rituraj Choudhary]

Today’s post discusses the certificate distribution package on SBS 2008. The SBS 2008 self-signed SSL certificate that is installed in IIS 7 is a leaf certificate, meaning that its Issued to and Issued by names are not the same. Unlike SBS 2003, Certificate Services is installed as part of setup, and a root Certificate Authority (CA) certificate is created to validate the server. If a client machine or mobile device trusts the SBS root CA certificate, it will trust any leaf certificate the CA issues. Therefore, if you change your external domain name and create a new self-signed SSL certificate through the Internet Address Management Wizard (IAMW), these clients and mobile devices will not have to install any new certificates into their stores. Here is an example of the SBS 2008 self-signed certificate:

[Screenshot: the SBS 2008 self-signed SSL certificate]

Because a CA now issues our self-signed certificate, the distribution process has changed. Unlike the self-signed SSL certificate in SBS 2003, clients can no longer trust the certificate by downloading and installing it while browsing RWW or OWA. To ease certificate distribution to clients and mobile devices, a certificate installation package is created and shared on the server when you run the Internet Address Management Wizard (IAMW). Each time you run the IAMW, this certificate package is updated. It is accessible from the following paths:

[Screenshot: the share and file system paths of the certificate distribution package]

The package contains both the root certificate and the InstallCertificate.exe application. Users can download either the compressed or uncompressed version of the package from the UNC path to a USB key, floppy, or CD-ROM and install it on their machines at home. The following is an example of the root certificate in this package:

[Screenshot: the SBS root CA certificate contained in the package]

Installing the Package

InstallCertificate.exe installs the certificate into the machine’s Trusted Root Certification Authorities store when you select Install the certificate on my computer. The machine must be running Vista, or XP SP2 or later.

[Screenshot: the InstallCertificate.exe installation options]

If installing on a mobile device, it must be running Windows Mobile 6 or later. You must connect the device to a machine running either ActiveSync or Windows Mobile Device Center. The certificate will be copied to the device’s root drive and then installed natively by the Windows Mobile OS.

Domain joined clients do not need to install this package; they will already have this certificate in their trusted store.

The root CA certificate is valid for 5 years and the leaf certificates are valid for 2 years. Upon expiration, run the Fix My Network Wizard in the SBS Console to renew them.

**This package is not used if you have installed a 3rd party certificate from a trusted certificate authority using the Add a trusted certificate wizard.**
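The steps above (trusting the SBS root CA on a client, then relying on that trust for whatever leaf the CA issues) can be checked from a client without the GUI. The following PowerShell script is an added example and is not part of the SBS 2008 package or of InstallCertificate.exe; it assumes PowerShell 2.0 or later, an elevated session, a root CA certificate exported from the server to the placeholder path C:\Temp\sbs-root.cer, and a placeholder external name remote.example.com. It installs the root into the machine Trusted Root store, retrieves the leaf the server actually presents on port 443, and confirms that the leaf chains to that root and reports how long the 2-year leaf and the 5-year root have left.

```powershell
# Added example, not the project's own code. Assumptions: PowerShell 2.0+, elevated session,
# root CA .cer exported from the SBS server to C:\Temp\sbs-root.cer (placeholder path),
# and remote.example.com as a placeholder for the external name published by the IAMW.
Set-StrictMode -Version 2
$rootPath   = "C:\Temp\sbs-root.cer"
$serverFqdn = "remote.example.com"

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootPath)

# Refuse to trust anything that is not self-issued: a root CA has Issued to == Issued by,
# whereas the leaf certificate from the post has different names in those fields.
if ($root.Subject -ne $root.Issuer) {
    throw "Not a root CA certificate: Subject '$($root.Subject)' differs from Issuer '$($root.Issuer)'"
}

# Install into the machine-wide Trusted Root Certification Authorities store, which is
# what "Install the certificate on my computer" in InstallCertificate.exe does.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open("ReadWrite")
$store.Add($root)      # no-op if the same certificate is already present
$store.Close()

# Retrieve the leaf the server presents on 443. The callback accepts any certificate here
# only so the handshake completes; the actual validation is done explicitly below.
$tcp = New-Object System.Net.Sockets.TcpClient($serverFqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($serverFqdn)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# Build the chain the way Windows will for RWW/OWA and require it to end at our root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # revocation is out of scope for this check
$built = $chain.Build($leaf)
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

if ($built -and $top.Thumbprint -eq $root.Thumbprint) {
    Write-Host ("OK: '{0}' chains to the SBS root '{1}'" -f $leaf.Subject, $root.Subject)
} else {
    Write-Host "FAILED: leaf does not chain to the installed SBS root"
    $chain.ChainStatus | ForEach-Object { Write-Host ("  " + $_.Status + ": " + $_.StatusInformation.Trim()) }
}

# Expiry: the post states 2 years for the leaf and 5 years for the root; when either
# runs out, the Fix My Network Wizard on the server renews it.
$now = Get-Date
Write-Host ("Leaf expires {0} ({1} days left)" -f $leaf.NotAfter, ($leaf.NotAfter - $now).Days)
Write-Host ("Root expires {0} ({1} days left)" -f $root.NotAfter, ($root.NotAfter - $now).Days)
```

Run it once after installing the package, and again after rerunning the IAMW with a new external name: the second run should still report OK without any change to the client, because only the leaf was reissued and the root in the store is unchanged. A FAILED result with a status such as an untrusted root means the client is not trusting the CA that issued the presented certificate, which is exactly the situation the distribution package exists to fix.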

Posted: Tuesday, September 30, 2008 8:00 AM by SBS Bloggers

Comments

SLC said:

Can the CA create a UCC cert with multiple domains or wildcard cert?

# September 30, 2008 6:52 PM

Aristarkhos said:

This was helpful, thanks.

I have a few questions though... creating a self-signed certificate from within the IIS Manager makes the certificate useful only within the SBS domain... is that correct?

And, if I change my external domain name and create a new self-signed cert, why is it that I don't have to install it on client PCs/mobile devices?

Finally, if I use a trusted cert, how should I deploy it to client PCs/mobile devices? Can I use the installer tool for the trusted cert?

~A

# October 1, 2008 2:39 AM

SBS Bloggers said:

SLC,

The CA that is installed on SBS 2008 can issue both wildcard certificates and certificates with multiple subject alternative names. In fact, the certificate that is created by the Internet Address Management Wizard and issued by the CA has 3 SANs by default.

# October 1, 2008 12:47 PM
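The reply above is the reason a client must match the host name it connected to against the certificate's subject alternative names, not just the single common name, and why a wildcard name covers only one DNS label. The following PowerShell functions are an added example, not code from the SBS product or this blog; they assume PowerShell 2.0 or later, a leaf certificate file at the placeholder path C:\Temp\leaf.cer, and that the SAN extension formats its entries as "DNS Name=..." (the English display string on Windows). They read the DNS names out of the SAN extension and apply the single-label wildcard rule, so you can see which of the three default SANs on an IAMW-issued certificate would accept a given host name.

```powershell
# Added example, not the project's own code. Assumes PowerShell 2.0+, a leaf certificate at
# C:\Temp\leaf.cer (placeholder), and the English "DNS Name=" rendering of the SAN extension.
Set-StrictMode -Version 2

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    # Subject Alternative Name extension, OID 2.5.29.17
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        # Format($true) renders one entry per line, e.g. "DNS Name=remote.example.com"
        foreach ($m in [regex]::Matches($san.Format($true), "DNS Name=([^\s,]+)")) {
            $names += $m.Groups[1].Value
        }
    }
    # Fall back to the subject CN only when the certificate carries no SAN DNS names.
    if ($names.Count -eq 0) {
        $cn = $Certificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($cn) { $names += $cn }
    }
    return ,$names
}

function Test-HostNameMatch {
    param([string]$HostName, [string]$Pattern)
    $h = $HostName.ToLowerInvariant()
    $p = $Pattern.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    # A wildcard is only valid as the entire leftmost label ("*.example.com") and
    # matches exactly one label: "remote.example.com" yes, "a.b.example.com" no,
    # and the bare "example.com" no.
    if ($p.StartsWith("*.")) {
        $suffix = $p.Substring(1)                       # ".example.com"
        if (-not $h.EndsWith($suffix)) { return $false }
        $left = $h.Substring(0, $h.Length - $suffix.Length)
        return ($left.Length -gt 0 -and -not $left.Contains("."))
    }
    return $false
}

# Usage: list the certificate's DNS names and test a candidate host name against each.
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Temp\leaf.cer")
$candidate = "remote.example.com"   # placeholder: the name users type into their browser
$dnsNames = Get-CertificateDnsNames $leaf
Write-Host ("Certificate names: " + ($dnsNames -join ", "))
$matched = $false
foreach ($n in $dnsNames) {
    if (Test-HostNameMatch -HostName $candidate -Pattern $n) {
        Write-Host ("'{0}' is covered by '{1}'" -f $candidate, $n); $matched = $true
    }
}
if (-not $matched) { Write-Host ("'{0}' is NOT covered by this certificate" -f $candidate) }
```

If the name users type is not covered, browsers show a name mismatch warning even though the chain to the SBS root is fine; rerunning the IAMW with the correct external domain name reissues the leaf with the right SANs and, as the post explains, no client-side change is needed because the root is unchanged.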

SBS Bloggers said:

Aristarkhos,

The self-signed certificate created in IIS Manager 7 by running the "Create Self-Signed Certificate" wizard does not include your external fully qualified domain name, only the internal FQDN of your server, so this is not the certificate you should be using from the internet. You need to create your certificate by running the Internet Address Management Wizard (IAMW) or purchase a trusted 3rd party certificate.

When you change your external domain name with the IAMW, you are only changing the leaf certificate, not the CA certificate. Clients that have the CA certificate installed into their trusted store (via the certificate distribution package) will trust the new leaf certificate automatically.

On the third question, trusted certificates are issued by publicly trusted CAs. You do not need to install these kinds of certificates on your PCs or mobile devices.

# October 1, 2008 1:56 PM

Wayne said:

Since there are more Mobile 5 devices in current use than Mobile 6, it is interesting that you didn't mention support for Mobile 5, or will SBS 2008 no longer support Mobile 5?

# October 3, 2008 9:54 AM

SBS Bloggers said:

SBS 2008 supports syncing with Windows Mobile 5.0, but you must install the certificate manually (same as SBS 2003) on the device.

# October 3, 2008 4:23 PM

KWSupport said:

So, you're happy that OWA (WOW Fact #1) and RWW (WOW Fact #2) are improved in SBS 2008. But, now

# October 10, 2008 2:28 PM

Chase Hansen said:

I am having the hardest time with this. I don't have the InstallCertificate.exe files; my Public Downloads folder was deleted (not knowing I needed it).

I have looked through the log but I can't see where it's placing it anywhere else. I found the InstallCertificate.exe program, but where is the cert file that it needs? Does it need any other files? How do I restore this functionality?

# October 14, 2008 7:12 PM

SBS Bloggers said:

Hi Chase,

Open IE on the server and go to Internet Options > Content > Certificates and export the SBS root CA certificate. Recreate the Public Downloads directory manually (make sure it is shared) and copy in the certificate file and the InstallCertificate.exe.

I assume that you have found a copy of InstallCertificate.exe in the %programfiles%\Windows Small Business Server\bin directory. If this file had been missing also, then you could retrieve this through backup, from another SBS 2008 server, or you could use imagex to mount the install.wim from the SBS DVD and copy it from there:

http://technet.microsoft.com/en-us/library/cc748966.aspx

# October 15, 2008 5:13 PM

Richard Warren said:

For those of us still with Windows Mobile 5 PDAs like Verizon's XV6700, where we have to manually install the certificate, could you point me (us) to a step-by-step for doing that?

# October 16, 2008 4:08 PM

SBS Bloggers said:

Hi Richard,

Check out the section titled "Option A: Configure a Self-Signed Certificate". This explains the "how to" for installing the SBS 2003 cert onto a Mobile 5 device, but the steps are identical for SBS 2008 certs.

http://technet.microsoft.com/en-us/library/cc747512.aspx

# October 17, 2008 11:45 AM

The Official SBS Blog said:

[Today's post comes to us courtesy of Ed Walters, Shawn Sullivan, and Justin Crosby] Today we finish

# October 17, 2008 11:49 AM

The Official SBS Blog said:

[Today's post comes to us courtesy of Rituraj Choudhary and Shawn Sullivan] After the completion of SBS

# December 4, 2008 1:51 PM