====== Windows SSL Certificates ======

See also: **[[internet:mail:exchange:exchange_ssl|Exchange Server SSL Certificates]]**

:!: SBS is a special case.  You can use cheap, fast certificates for Microsoft Small Business Server.

:!: For **Exchange** or other needs, you will need a **SAN/UC certificate** supporting multiple host names.

**MS Exchange**: http://exchangeserverpro.com/exchange-server-2013-ssl-certificates/

===== Using MMC =====

http://www.dart.com/help/ptsslnet/SecureMMC.html

https://www.geocerts.com/support/migrate_iis

**Start -> certlm.msc**

or

**Start -> mmc.exe -> File -> Add/Remove Snap-in -> Certificates -> Computer Account -> Local Computer**

:!: Import and export in **PFX** format.

:!: When importing, choose **Mark this key as exportable**.

:!: Use the **Certificates -> Personal** folder.

:!: Select the **include all certificates in the certification path if possible** checkbox when exporting.

:!: Select **Export Private Key** to include the private key in the exported file.

===== Self Signed =====

http://www.netometer.com/video/tutorials/How-to-Generate-Self-Signed-Multiple-Domain-UCC-New-Exchange-certificate-in-Exchange-2010/

http://www.unixwiz.net/techtips/deploy-webcert-gp.html

http://technet.microsoft.com/en-us/library/cc753127%28v=ws.10%29.aspx

:!: Export the self-signed cert as a .pfx file to a shared location the domain controller can see.

EMS Command to generate new self-signed multiple domain (SAN) certificate (adjust as needed):

<file>
New-ExchangeCertificate -SubjectName "c=US, o=NetoMeter, cn=mail.netometer.com" -DomainName mail.netometer.com, autodiscover.netometer.com -IncludeServerFQDN -IncludeServerNetBIOSname -PrivateKeyExportable $true -FriendlyName UCC-SelfSigned -Services none
</file>

To trust a self-signed certificate on the AD domain, publish it via Group Policy:

**gpmc.msc -> edit Default Domain Policy**

**Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies**

Right-click **Trusted Root Certification Authorities -> Import**

Force Group Policy update on the local machine:

<file>
gpupdate /force
</file>

Force AD "push" replication (case sensitive):

<file>
repadmin /syncall /AeP
</file>

===== Microsoft SBS Remote Web Access =====

With newer versions of Small Business Server (SBS), Microsoft forces the use of SSL for Remote Web Access, which is OK...SSL is a great technology that's been around for a long time and it's quite secure.

We tell our SBS customers that they need a trusted SSL cert because it will absolutely reduce problems and support calls by RWA users.

All you really need is a single SSL cert for "remote.yourexternaldomain.com".  That solves the problem for Remote Web Access.

If you want to be able to use SSL on your web site, mail server, etc., you might want a wildcard cert to minimize certificate installation, tracking and renewal issues.