Certificates in Windows Essential Business Server
Windows EBS installs the Active Directory Certificate Services server role on the Management Server. This creates a single-tier enterprise public key infrastructure (PKI) hierarchy with a certification authority that is specific to the Windows EBS domain. This private certification authority issues self-signed certificates that are used by default by Forefront TMG for publishing secure Web sites such as Outlook Web Access and Remote Web Workplace.
Note
The PKI in Windows EBS is always installed and is used by default for secure remote access to Windows EBS, even if your environment contains other PKI hierarchies. The existing PKI hierarchies coexist with the PKI in Windows EBS. You may also install a public certificate from a trusted certificate issuer for remote connections to Windows EBS.
The following table lists the settings of the private certification authority that is installed on the Management Server.
| Certification Authority Setting | Value |
|---|---|
Validity period |
10 years |
Cryptographic service provider |
Microsoft Strong Cryptographic Provider |
Key length |
4096 bits (RSA) |
Hash algorithm |
SHA-1 |
Certificates issued from the certification authority in Windows Essential Business Server
The certification authority in Windows EBS issues the following secure sockets layer (SSL) certificates:
Security Server certificate: This certificate is used by default by Forefront TMG for secure Web publishing of Outlook Web Access, Microsoft Exchange Outlook Anywhere and Terminal Services Gateway (RPC over HTTPS), Microsoft Exchange Active Sync, and Remote Web Workplace.
Messaging Server certificate: This certificate is used by default for SSL connections from SSL-enabled Internet browsers to Web sites and services that are published on the Messaging Server, including Outlook Web Access, Microsoft Exchange Outlook Anywhere and Terminal Services Gateway (RPC over HTTPS), Microsoft Exchange Active Sync, and Remote Web Workplace.
Each certificate expires two years after it is issued.
For information about renewing certificates that are issued by the certification authority in Windows EBS, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=128035).
Security certificate on client computers
The certification authority in Windows EBS is not a publicly trusted certification authority. Therefore, certificates that are issued by the certification authority in Windows EBS are not trusted by default by external clients (that connect by using the Internet). Remote users who attempt SSL connections to secure Web sites in Windows EBS receive warning messages.
To allow remote users to make SSL connections to Remote Web Workplace or other secure Web sites or services in Windows EBS, the Windows EBS self-signed security certificate must be installed on their remote computers. An installation package for the self-signed security certificate is provided in Windows EBS.
For information about installing the self-signed security certificate on a remote computer, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=121562).
Public certificates
As an additional security measure, it is recommended that you obtain a public certificate for use in remote access to Windows EBS. A public certificate from a trusted certificate issuer is trusted automatically by SSL-enabled Web browsers. You can use an existing wildcard certificate for this purpose, or you can purchase and install a separate public certificate.It is recommended that you use a public certificate with a public key of at least 1024 bits (RSA).
To use a public certificate to publish secure Web sites such as Remote Web Workplace, you must add the certificate to the external Web listener that is used in Forefront TMG.
For information about adding a certificate to a Web listener, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=120392).