How Do I Distribute the SBS 2008 Self-Signed SSL Certificate to My Users?

  [Today's post comes to us courtesy of Shawn Sullivan and Rituraj Choudhary]

Today's post discusses the certificate distribution package on SBS 2008. The SBS 2008 "self-signed" SSL certificate that is installed in IIS 7 is a leaf certificate, meaning that the Issued to and Issued by names are not the same: it is issued by a private CA running on the server, not by itself. Unlike SBS 2003, Certificate Services is installed as part of setup, and a root Certificate Authority (CA) certificate is created; the server's SSL certificate is issued by that CA. If a client machine or mobile device trusts the SBS root CA certificate, it will trust any leaf certificate the CA issues. Therefore, if you change your external domain name and create a new self-signed SSL certificate through the Internet Address Management Wizard (IAMW), these clients and mobile devices will not have to install any new certificates into their stores. The flip side is that anything trusting that root will also trust any certificate signed with the CA's private key, so the key material on the server deserves the same protection as the domain administrator credentials. Here is an example of the SBS 2008 self-signed certificate:

[Screenshot of the SBS 2008 self-signed certificate omitted]

Because a CA now issues our self-signed certificate, the distribution process has changed. Unlike the self-signed SSL certificate in SBS 2003, clients can no longer trust the certificate simply by downloading and installing it while browsing RWW or OWA; trusting the leaf itself would also stop working the next time the IAMW issues a new one, so what clients need is the root CA certificate. To ease the process of certificate distribution to clients and mobile devices, a certificate installation package is created and shared on the server when you run the Internet Address Management Wizard (IAMW). Each time you run the IAMW, this certificate package is updated. It is accessible from the following paths:

  • Local Disk: c:\users\Public\Public Downloads
  • UNC: \\servername\Public\Public Downloads
  • UNC: \\sites\Public\Public Downloads

[Screenshot of the Public Downloads share omitted]

The package contains both the root certificate and the InstallCertificate.exe application. Users can download either the compressed or uncompressed version of the package to a USB key, floppy, or CD-ROM from the UNC path and install it on their machines at home. Because the file being installed is a root certificate, a copy that did not come straight from the server share should be checked against the thumbprint of the certificate on the server before it is installed. The following is an example of a root certificate in this package:

[Screenshot of the root certificate in the package omitted]

Installing the Package

InstallCertificate.exe installs the certificate into the machine's Trusted Root Certification Authorities store when you select Install the certificate on my computer. The client must be running Windows Vista, or Windows XP SP2 or later. Writing to the machine store requires local administrator rights, so on Vista expect a UAC elevation prompt.

[Screenshot of InstallCertificate.exe omitted]

If installing on a mobile device, it must be running Windows Mobile 6 or later. You must connect the device to a machine running either ActiveSync or Windows Mobile Device Center. The certificate will be copied to the device’s root drive and then installed natively by the Windows Mobile OS.

Domain-joined clients do not need to install this package: the SBS CA is an enterprise CA whose root certificate is published in Active Directory, so domain members already have it in their trusted store.

The root CA certificate is valid for 5 years and the leaf certificates for 2 years. When they expire, run the Fix My Network Wizard in the SBS Console to renew them. Renewing a leaf changes nothing for clients that already trust the root; after the root itself is renewed, non-domain clients and mobile devices need the updated package (re-running the IAMW refreshes it), because the root certificate they hold has expired.
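The trust relationship described above, and the checks a user should make on the package's root certificate before installing it, as an added example that is not part of the original post and not Microsoft's code. It uses only the Go standard library to stand in for the SBS CA, the IAMW, and a client's trusted store; the names sbs-CA, other-CA, sbs, remote.contoso.com, remote.fabrikam.com and mail.fabrikam.com are assumptions, as is the use of ECDSA keys (the real SBS CA issues RSA certificates, and the real package ships a Windows .cer file, not a generated certificate).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign generates a key for tmpl and has parent sign the certificate; with
// parent == nil it signs itself, which is what makes the root CA "self-signed".
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newRootCA stands in for the SBS 2008 root CA: Issued to == Issued by, CA
// flag set, 5-year lifetime as the post states. The name is an assumption.
func newRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotAfter:              time.Now().AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// issueLeaf is what the IAMW does on each run: the CA signs a fresh 2-year
// server certificate for the external FQDN plus its SANs. The leaf's private
// key stays with IIS, so it is dropped here.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, names ...string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotAfter:     time.Now().AddDate(2, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}

// clientTrusts is the decision a browser or ActiveSync makes on connect: does
// the server certificate chain to a root in my store and match the host name?
// A nil error means trusted. An empty store (package never run) is an empty
// pool, never a nil one: nil Roots would mean "use the OS trust store".
func clientTrusts(leaf *x509.Certificate, host string, store ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, root := range store {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// thumbprint is the SHA-1 fingerprint the Windows certificate dialog shows
// (uppercase hex, no spaces here). Compare the .cer on the USB key with the
// value read off the server before putting it into Trusted Root.
func thumbprint(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// looksLikeRootCA runs the sanity checks to make on the package's .cer before
// installing it: self-issued, CA flag set, signed by its own key, unexpired.
func looksLikeRootCA(cert *x509.Certificate) bool {
	now := time.Now()
	return cert.Subject.String() == cert.Issuer.String() && cert.IsCA &&
		cert.CheckSignatureFrom(cert) == nil &&
		!now.Before(cert.NotBefore) && !now.After(cert.NotAfter)
}

func main() {
	// sbs-CA, sbs, remote.contoso.com and remote.fabrikam.com are assumed names.
	root, rootKey := newRootCA("sbs-CA")
	fmt.Println("root thumbprint:", thumbprint(root), "sane:", looksLikeRootCA(root))
	oldLeaf := issueLeaf(root, rootKey, 2, "remote.contoso.com", "sites", "sbs")
	// The admin changes the external domain in the IAMW: new leaf, same root.
	newLeaf := issueLeaf(root, rootKey, 3, "remote.fabrikam.com", "sites", "sbs")
	other, otherKey := newRootCA("other-CA") // anyone else's CA, same host name
	foreign := issueLeaf(other, otherKey, 4, "remote.fabrikam.com")
	fmt.Println("old leaf, root installed:  ", clientTrusts(oldLeaf, "remote.contoso.com", root))
	fmt.Println("new leaf, same root:       ", clientTrusts(newLeaf, "remote.fabrikam.com", root))
	fmt.Println("new leaf, wrong host:      ", clientTrusts(newLeaf, "mail.fabrikam.com", root))
	fmt.Println("new leaf, package not run: ", clientTrusts(newLeaf, "remote.fabrikam.com"))
	fmt.Println("leaf from another CA:      ", clientTrusts(foreign, "remote.fabrikam.com", root))
}
```

Run it with `go run`. The first two connections succeed because the client's store holds the root that signed both leaves; the last three fail with a hostname error, an unknown-authority error (the package was never run), and another unknown-authority error (a certificate from a different CA for the same name is not trusted just because the SBS root is). On a real machine the thumbprint to compare against is the one shown on the Details tab of the certificate in the server's Certificates MMC snap-in.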

**This package is not used if you have installed a 3rd party certificate from a trusted certificate authority using the Add a trusted certificate wizard**

Comments

  • Anonymous
    January 01, 2003
    PingBack from http://www.ditii.com/2008/09/30/sbs-2008-distribute-self-signed-ssl-certificate-to-users/

  • Anonymous
    January 01, 2003
    Hi Chase, Open IE on the server and go to Internet Options > Content > Certificates and export the SBS root CA certificate.  Recreate the Public Downloads directory manually (make sure it is shared) and copy in the certificate file and the InstallCertificate.exe. I assume that you have found a copy of InstallCertificate.exe in the %programfiles%\Windows Small Business Server\bin directory.  If this file had been missing also, then you could retrieve this from backup, from another SBS 2008 server, or you could use imagex to mount the install.wim from the SBS DVD and copy it from there: http://technet.microsoft.com/en-us/library/cc748966.aspx

  • Anonymous
    January 01, 2003
    So, you're happy that OWA (WOW Fact #1) and RWW (WOW Fact #2) are improved in SBS 2008. But, now

  • Anonymous
    January 01, 2003
    [Today's post comes to us courtesy of Rituraj Choudhary and Shawn Sullivan] After the completion of SBS

  • Anonymous
    January 01, 2003
    SBS 2008 supports synching with Windows Mobile 5.0, but you must install the certificate manually (Same as SBS 2003) on the device.  

  • Anonymous
    January 01, 2003
    [Today's post comes to us courtesy of Ed Walters, Shawn Sullivan, and Justin Crosby] Today we finish

  • Anonymous
    January 01, 2003
    SLC, The CA that is installed on SBS 2008 can issue both wildcard certificates and certificates with multiple subject alternative names.  In fact, the certificate that is created by the Internet Address Management Wizard and issued by the CA has 3 SANs by default.

  • Anonymous
    January 01, 2003
    Aristarkhos, The self-signed certificate created in IIS 7 Manager by running the "Create Self-Signed Certificate" wizard does not include your external fully qualified domain name, only the internal FQDN of your server, so this is not the certificate you should be using from the internet.  You need to create your certificate by running the Internet Address Management Wizard (IAMW) or purchase a trusted 3rd party certificate. When you change your external domain name with the IAMW, you are only changing the leaf certificate, not the CA certificate. Clients that have the CA certificate installed into their trusted store (via the certificate distribution package) will trust the new leaf certificate automatically. On the third question, trusted certificates are issued by publicly trusted CAs.  You do not need to install these kinds of certificates on your PCs or mobile devices.

  • Anonymous
    September 30, 2008
    Can the CA create a UCC cert with multiple domains or wildcard cert?

  • Anonymous
    October 01, 2008
    This was helpful, thanks. I have a few questions though...creating a self-signed certificate from within the IIS Manager makes the certificate useful only within the SBS domain...is that correct? And, if I change my external domain name and create a new self-signed cert, why is it that I don't have to install it on client PCs/mobile devices? Finally, if I use a trusted cert, how should I deploy it to client PCs/mobile devices? Can I use the installer tool for the trusted cert? ~A

  • Anonymous
    October 03, 2008
    Since there are more mobile 5 devices in current use than mobile 6, it is interesting that you didn't mention support for mobile 5, or will SBS 2008 no longer support mobile 5.

  • Anonymous
    October 14, 2008
    I am having the hardest time with this. I don't have the InstallCertificate.exe files; my Public Downloads folder was deleted (not knowing I needed it). I have looked through the log but I can't see where it's placing it anywhere else. I found the InstallCertificate.exe program, but where is the cert file that it needs? Does it need any other files? How do I restore this functionality?

  • Anonymous
    October 16, 2008
    For those of us still with Windows Mobile 5 PDAs like Verizon's XV6700, where we have to manually install the certificate, could you point me (us) to a step-by-step for doing that?


