Sat, Dec 3 2005 15:14
Deploying a third party cert
So someone the other day asked me about installing a Certificate authority on a SBS box.... and I argued with them and pointed to the post I had done the other day about self signed certs. So today I realized that all we needed to know about how SBS handled the Certs and where it saved them was in the “More information” click box inside the Connect to the Internet wizard.....
You'd think I'd learn to read by now wouldn't you....
Web Server Certificate
Several of the Web services require Secure Sockets Layer (SSL) to secure communications between a Web browser and your Web server. For the wizard to configure SSL, you must either have the wizard create a Web server certificate or you must provide a certificate file from a trusted authority.
A certificate is needed to establish identity and create trusts for the secure exchange of information. The certificate must be signed by a certification authority (CA). The wizard can create a certificate signed by your server, or you can obtain your own certificate signed by a commercial CA, such as VeriSign.
- Create a new Web server certificate Click to create a self-signed certificate, and then type the full Internet name of your server that is used to access your server from the Internet.
The certificate expiration period is set to five years. The certificate will also be saved as SBScert.cer in the Clientapps\SBScert folder so that it can be deployed to client computers by the Client Setup Wizard.
- Use a Web server certificate from a trusted authority Click to use a certificate obtained from a trusted authority, and then click Browse to locate the certificate.
If you do not have an existing certificate from a trusted authority, but would like to obtain one, you must create a certificate request using the Web Server Certificate Wizard in Internet Information Services (IIS). To do so, complete the following:
To create a certificate request
Open Server Management.
In the console tree, click Advanced Management, click Internet Information Services, click YourServerName (local computer), and then click the Web Sites folder.
In the details pane, right-click Default Web site, and then click Properties.
On the Default Web Site Properties page, click the Directory Security tab, and under Secure communications, click Server Certificate.
On the Server Certificate page of the IIS Certificate Wizard, click Create a new certificate.
On the Delayed or Immediate Request page, prepare a request to be sent later or immediately as needed.
On the Name and Security Settings page, in Name, type a name for the new certificate. Next, select the appropriate bit length based on your organization's requirement. Verify with the CA that they support certificates of the corresponding encryption strength before submitting the certificate request.
On the Organization Information page, in Organizational Name, type the legal name of your organization. In Organizational unit, type the name of your division or department. If your organization does not have a division, you can type the legal name of your organization.
On the Your Site's Common Name page, type the common name for your site exactly as it appears to the external users, such as
On the Geographic Information page, type the required information.
On the Certificate Request File Name page, type a file name.
On the Request File Summary Page, click Next.
To open Server Management, click Start, and then click Server Management.
Once you have completed the process for obtaining the certificate, the organization will send you the certificate along with instructions for installing the certificate. You must then rerun the Configure E-mail and Internet Connection Wizard to change your Web server certificate settings.
This certificate is not deployed to client computers as it is already a trusted certificate.
If you want users to securely access their Internet e-mail on the server using either Wireless Application Protocol (WAP) 2.x devices or Microsoft Smartphone 2002 or Microsoft Pocket PC Phone Edition 2002 mobile devices, either the server must have a commercial certificate from a trusted CA or you must follow a procedure so the device works with a self-signed certificate that you create. This procedure decreases the security of your mobile device. Therefore, the recommended and more secure method is to use a commercial certificate. For more information, see “Connecting Mobile and Remote Users” at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=33539).
The 2003 versions of these mobile devices do not require a commercial CA for the higher level of security. [The Audiovox 5600 will easily accept the self signed certs]
- Do not change current Web server certificate Click if you are rerunning the wizard, and you do not want to change the settings specified the last time you ran the wizard.
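As an added example (not part of the original post or of the wizard), here is a PowerShell check of the certificate the wizard text above describes: whether it is self-signed (and so has to be pushed to clients), whether its name matches the external name users type, whether this machine already trusts it, and how much of its lifetime is left. The file path and the external name are assumptions; change them for your server.

```powershell
# Added example, not from the original post. Inspects the SBS Web server certificate
# against the points made in the wizard's "More information" text.
param(
    [string]$CertPath     = 'C:\ClientApps\SBScert\SBScert.cer',  # assumed: where the wizard saves a self-signed cert
    [string]$ExpectedName = 'remote.example.com'                 # assumed: full Internet name used from outside
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Name the certificate was issued for: SAN dNSName if present, otherwise the subject CN.
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

# A self-signed certificate has identical subject and issuer. That is what the
# "Create a new Web server certificate" option produces, and clients must then receive it.
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# Verify() builds a chain against this machine's trusted roots. A commercial certificate
# should pass without any deployment; a self-signed one passes only where SBScert.cer
# has already been installed (e.g. by the Client Setup Wizard).
$trustedHere = $cert.Verify()

$daysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
$lifetimeYears = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)

$report = [ordered]@{
    File                = $CertPath
    Subject             = $cert.Subject
    Issuer              = $cert.Issuer
    DnsName             = $dnsName
    NameMatchesExternal = ($dnsName -ieq $ExpectedName)
    SelfSigned          = $selfSigned
    TrustedOnThisHost   = $trustedHere
    NotAfter            = $cert.NotAfter
    DaysUntilExpiry     = $daysLeft
    LifetimeYears       = $lifetimeYears   # the wizard's self-signed certificate is issued for five years
    Thumbprint          = $cert.Thumbprint
}
[pscustomobject]$report | Format-List

# Findings worth acting on.
if (-not $report.NameMatchesExternal) {
    Write-Warning "Certificate name '$dnsName' does not match the external name '$ExpectedName'; browsers and devices will warn."
}
if ($selfSigned -and -not $trustedHere) {
    Write-Warning "Self-signed certificate is not trusted on this host; clients need SBScert.cer installed before the secure Web services work without warnings."
}
if ($daysLeft -lt 60) {
    Write-Warning "Certificate expires in $daysLeft days; rerun the Configure E-mail and Internet Connection Wizard with a new certificate."
}
```

Run it once with the self-signed SBScert.cer and once with a commercial certificate to see the SelfSigned and TrustedOnThisHost values flip, which is exactly why the wizard deploys one to clients and not the other.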
Filed under: Security, Mobility