Saturday 16 May 2009

SBS 2008 and the Self-Issued Certificate

When it comes to SSL certificates, the new certificate structure in SBS 2008 makes things a bit more difficult for the network admin.

To get things to work for our remote users, we need to get a certificate distribution package out to them:


For users that work in the office on occasion, this is not such a bad thing other than needing to coordinate getting the certificate to them so that their productivity is not impacted.

For those that work remotely all of the time, the worst thing we can do is to teach them to click through this warning:


For many of us that got our users used to passing through this warning on our SBS 2003 RWW self-issued certificate, this may have come back to bite us in the form of a compromised system as the user did not stop to think about clicking through a certificate warning at a “banking” site they went to via an e-mail.

If we try and connect to a system via HTTPS/RDP using the SBS TS Gateway service or via RWW, we get the following warning after a short pause:


To install the SBS self-issued certificate, double click on the InstallCertificate executable and:


Choose the destination for the certificate. In this case, we are installing the certificate on a laptop we use to manage client systems with. The third party certificate is not ready yet and we need to continue the SBS 2003 to SBS 2008 migration setup.

On this Windows 7 based laptop, a UAC prompt happened at the beginning of the certificate install.

Once installed, we were able to open the Remote Web Workplace on our new SBS 2008 box and log onto the server’s desktop via RDP to discover that our Exchange Mailbox move process had completed 100% successfully! :)

NOTE: It is not a good practice to place the certificate distribution package on a Web site or other public location for “ease” of distribution. The best and only method for distributing the SBS self-issued certificate is via USB flash drive.

Once the user has installed the certificate on their machine, they should delete the files from the flash drive.

Philip Elder
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)

Windows Live Writer

No comments: