
Windows SSL Certificates

See also: Exchange Server SSL Certificates

:!: SBS is a special case: Remote Web Access only needs one host name (remote.yourexternaldomain.com, see below), so a cheap standard single-name certificate from a public CA is enough for Microsoft Small Business Server.

:!: For Exchange or other roles that answer under several names (for example the mail and autodiscover host names), you will need a SAN/UC certificate that lists all of those host names in one certificate.

MS Exchange: http://exchangeserverpro.com/exchange-server-2013-ssl-certificates/

Using MMC

http://www.dart.com/help/ptsslnet/SecureMMC.html

https://www.geocerts.com/support/migrate_iis

Start → certlm.msc

or

Start → mmc.exe → File → Add/Remove Snap-in → Certificates → Computer Account → Local Computer

:!: Import and export in PFX (PKCS #12) format; it is the only format offered by the wizard that carries the private key together with the certificate and its chain.

:!: When importing, choose Mark this key as exportable only if you will need to move the certificate again; otherwise leave it unchecked, since an exportable key can be pulled out of the store by anyone with local administrator rights.

:!: Use the Certificates → Personal folder (the machine's own store, not Current User).

:!: Select the "Include all certificates in the certification path if possible" checkbox when exporting, so the intermediate CA certificates travel with the server certificate and the chain builds on the new machine.

:!: Select "Yes, export the private key" to include the private key in the exported file. Protect the PFX with a strong password and delete it from any shared location once the import on the target machine has succeeded.
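The same import/export round trip in PowerShell, as an added example that is not from the original page or the linked guides. It uses the PKI module cmdlets shipped with Windows Server 2012 / PowerShell 3 and later; the share path, file name, thumbprint and host name are placeholders to adjust:

```powershell
#Requires -RunAsAdministrator
# Added example: move a certificate and its private key with the PKI module
# instead of the MMC wizard. Run the export half on the source server and the
# import half on the destination. $PfxPath, $Thumbprint and $HostName are
# placeholders.

$StorePath  = 'Cert:\LocalMachine\My'          # the Certificates -> Personal folder
$PfxPath    = '\\fileserver\share\webcert.pfx' # placeholder export location
$Thumbprint = 'PASTE_THUMBPRINT_HERE'          # placeholder: cert to export
$HostName   = 'remote.yourexternaldomain.com'  # placeholder: name the cert must cover

# Prompt for the PFX password instead of hard-coding it in the script.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# ----- Export (source server) -----------------------------------------------
$cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate $Thumbprint in $StorePath" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key to export' }

# -ChainOption BuildChain is the "include all certificates in the certification
# path" checkbox. Export-PfxCertificate always writes the private key, and it
# fails if the key was imported without "Mark this key as exportable".
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null

# ----- Import (destination server) ------------------------------------------
# -Exportable is the "Mark this key as exportable" checkbox. Omit it unless the
# key must move again: an exportable key can be pulled by any local administrator.
# The PFX may also carry the CA certificates, so keep only the one with the key.
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StorePath -Password $PfxPassword -Exportable |
            Where-Object { $_.HasPrivateKey } | Select-Object -First 1

# The PFX on the share holds the private key; remove it once it has been imported.
Remove-Item -Path $PfxPath -Force

# ----- Verify ---------------------------------------------------------------
$imported | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
# Test-Certificate builds the chain from the local stores and checks the Server
# Authentication EKU and the host name, so a missing intermediate or a wrong
# name shows up here rather than in users' browsers.
if (Test-Certificate -Cert $imported -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue) {
    "OK: $HostName chains to a trusted root and the private key is present"
} else {
    Write-Warning "Chain or name check failed for $HostName; check the intermediates and the SAN list"
}
```

If the final check fails on the destination but the certificate worked on the source, the usual cause is an intermediate CA certificate that was not carried along; re-export with the chain included or install the intermediate into Certificates → Intermediate Certification Authorities by hand.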

Self Signed

http://www.netometer.com/video/tutorials/How-to-Generate-Self-Signed-Multiple-Domain-UCC-New-Exchange-certificate-in-Exchange-2010/

http://www.unixwiz.net/techtips/deploy-webcert-gp.html

http://technet.microsoft.com/en-us/library/cc753127%28v=ws.10%29.aspx

:!: Export the self-signed cert to a location the domain controller can see. For the trusted-root import only the public certificate (a .cer file) is needed; keep the .pfx with the private key on the server rather than on a shared location.

Exchange Management Shell (EMS) command to generate a new self-signed multi-domain (SAN) certificate (adjust the organisation and host names as needed):

New-ExchangeCertificate -SubjectName "c=US, o=NetoMeter, cn=mail.netometer.com" -DomainName mail.netometer.com, autodiscover.netometer.com -IncludeServerFQDN -IncludeServerNetBIOSname -PrivateKeyExportable $true -FriendlyName UCC-SelfSigned -Services none

To trust a self-signed certificate on the AD domain, publish it via Group Policy:

gpmc.msc → edit Default Domain Policy (or, preferably, a dedicated GPO linked at the domain, so the change can be reverted without touching the default policy)

Computer Configuration → Windows Settings → Security Settings → Public Key Policies

Right-click Trusted Root Certification Authorities → Import

Force Group Policy update on the local machine:

gpupdate /force

Force AD replication to all partners across all sites in push mode (the switches are case sensitive):

repadmin /syncall /AeP
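The non-Exchange version of the same procedure in PowerShell, as an added example that is not from the original page or the linked articles: create a multi-name self-signed certificate with New-SelfSignedCertificate (the IIS/Windows counterpart of the New-ExchangeCertificate command above), export only its public half for the GPO trusted-root import, and then check on a domain member that the policy has delivered it. The parameters used need the PKI module from Windows 10 / Server 2016 (PowerShell 5.1) or later; host names and the share path are placeholders:

```powershell
#Requires -RunAsAdministrator
# Added example: self-signed SAN certificate plus a check that domain members
# trust it after the GPO import. $Names and $CerPath are placeholders.

$Names   = 'mail.netometer.com', 'autodiscover.netometer.com'  # SAN list; first name becomes the CN
$CerPath = '\\dc01\netlogon\UCC-SelfSigned.cer'                # placeholder share the DC can read

# ----- On the server: generate the certificate ------------------------------
# -KeyExportPolicy Exportable mirrors -PrivateKeyExportable $true in the EMS
# command; use NonExportable if the key will never leave this machine.
$cert = New-SelfSignedCertificate -DnsName $Names `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -FriendlyName 'UCC-SelfSigned' `
        -KeyExportPolicy Exportable -KeyAlgorithm RSA -KeyLength 2048 `
        -NotAfter (Get-Date).AddYears(2)

# Export the PUBLIC certificate only (DER-encoded .cer). A trusted-root store
# needs nothing else; the private key stays in the server's store.
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null
"Import $CerPath via gpmc.msc -> Public Key Policies -> Trusted Root Certification Authorities -> Import"
"Thumbprint to look for on clients: $($cert.Thumbprint)"

# ----- On a domain member, after gpupdate /force: confirm trust -------------
function Test-TrustedRoot {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$HostName
    )
    # Cert:\LocalMachine\Root is the logical store; it includes the roots that
    # Group Policy delivered, so a hit here means the GPO has been applied.
    $root = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $root) {
        Write-Warning "Thumbprint $Thumbprint not in Trusted Root; run gpupdate /force and check replication"
        return $false
    }
    # A self-signed certificate is its own root; with the copy in Root the
    # chain builds, and -Policy SSL also checks the EKU and the host name.
    return [bool](Test-Certificate -Cert $root -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue)
}

Test-TrustedRoot -Thumbprint $cert.Thumbprint -HostName $Names[0]
```

On the domain member the function returns True only after the GPO has delivered the certificate; until then Test-Certificate fails with an untrusted-root chain status, which is exactly the warning RWA and Outlook users would otherwise see.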

Microsoft SBS Remote Web Access

With newer versions of Small Business Server (SBS), Microsoft requires SSL for Remote Web Access, which is fine: TLS/SSL is a mature technology and, with a current protocol version and a properly issued certificate, it is secure.

We tell our SBS customers that they need a certificate from a trusted public CA, because a self-signed certificate produces a browser warning for every RWA user, and those warnings turn into support calls.

All you really need is a single-name certificate for “remote.yourexternaldomain.com”. That covers Remote Web Access.

If you also want SSL on your public web site, mail server and so on, a wildcard certificate (*.yourexternaldomain.com) minimizes certificate installation, tracking and renewal work. Bear in mind that one private key then protects every host, so a compromise of one server exposes them all, and that a wildcard matches a single label only: it covers remote.yourexternaldomain.com and mail.yourexternaldomain.com, but neither the bare domain nor names two levels down.