See also: Exchange Server SSL Certificates
SBS is a special case. You can use cheap, fast certificates for Microsoft Small Business Server.
For Exchange or other needs, you will need a SAN/UC certificate supporting multiple host names.
MS Exchange: http://exchangeserverpro.com/exchange-server-2013-ssl-certificates/
http://www.dart.com/help/ptsslnet/SecureMMC.html
https://www.geocerts.com/support/migrate_iis
Start → certlm.msc
or
Start → mmc.exe → File → Add/Remove Snap-in → Certificates → Computer Account → Local Computer
Import and export in PFX format.
When importing, choose "Mark this key as exportable".
Use the Certificates → Personal folder.
When exporting, select the "Include all certificates in the certification path if possible" checkbox.
Select "Export Private Key" to include the private key in the exported file.
http://www.unixwiz.net/techtips/deploy-webcert-gp.html
http://technet.microsoft.com/en-us/library/cc753127%28v=ws.10%29.aspx
Export the self-signed cert as a .pfx file to a shared location the domain controller can see.
EMS Command to generate new self-signed multiple domain (SAN) certificate (adjust as needed):
New-ExchangeCertificate -SubjectName "c=US, o=NetoMeter, cn=mail.netometer.com" -DomainName mail.netometer.com, autodiscover.netometer.com -IncludeServerFQDN -IncludeServerNetBIOSname -PrivateKeyExportable $true -FriendlyName UCC-SelfSigned -Services none
To trust a self-signed certificate on the AD domain, publish it via Group Policy:
gpmc.msc → edit Default Domain Policy
Computer Configuration → Windows Settings → Security Settings → Public Key Policies
Right-click Trusted Root Certification Authorities → Import
Force Group Policy update on the local machine:
gpupdate /force
Force AD “push” replication (case sensitive):
repadmin /syncall /AeP
With newer versions of Small Business Server (SBS), Microsoft forces the use of SSL for Remote Web Access (RWA). That is OK: SSL is a great technology that has been around for a long time, and it's quite secure.
We tell our SBS customers that they need a trusted SSL cert because it will absolutely reduce problems and support calls by RWA users.
All you really need is a single SSL cert for “remote.yourexternaldomain.com”. That solves the problem for Remote Web Access.
If you want to be able to use SSL on your web site, mail server, etc., you might want a wildcard cert to minimize certificate installation, tracking and renewal issues.
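A check to run after importing or generating any of the certificates discussed on this page, as an added example that is not part of the original notes. It lists each certificate in the local computer's Personal store with its expiry, whether the private key came along with the import, and which required host names it fails to cover (wildcard names included). The host names are the ones from the New-ExchangeCertificate command above; Test-NameCovered is a hypothetical helper name.

```powershell
# Added example: audit Certificates -> Personal on the local computer.
# Assumption: the required names below are copied from the
# New-ExchangeCertificate example on this page; replace them with your own.
$required = 'mail.netometer.com', 'autodiscover.netometer.com'

# Hypothetical helper: does any name on the certificate cover $HostName?
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if (-not $n) { continue }
        if ($n -eq $HostName) { return $true }          # -eq ignores case
        # A wildcard such as *.example.com covers exactly one leftmost label,
        # so it matches remote.example.com but not a.b.example.com.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                   # ".example.com"
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    # DnsNameList holds the subject CN plus every DNS entry in the SAN extension.
    $names   = @($_.DnsNameList | Where-Object { $_ } | ForEach-Object { $_.Unicode })
    $missing = @($required | Where-Object { -not (Test-NameCovered $_ $names) })
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        FriendlyName  = $_.FriendlyName
        NotAfter      = $_.NotAfter
        DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
        HasPrivateKey = $_.HasPrivateKey                 # False = key was not imported
        SelfSigned    = ($_.Subject -eq $_.Issuer)       # heuristic: subject equals issuer
        MissingNames  = $missing -join ', '              # empty = all required names covered
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the server that holds the certificate. A row with HasPrivateKey False or a non-empty MissingNames column points at a certificate that will not serve every required host name.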