Creating, Obtaining, and Installing Trusted Certificates in a Windows SBS 2003 Network Environment

Windows Small Business Server 2003 (Windows SBS 2003) requires a certificate to verify the identity of the server. The certificate, together with the server's private key, is also used to encrypt (SSL/TLS) data that travels over the Internet when a user connects to Remote Web Workplace, uses RPC over HTTP, or connects to the server from a device that is running Windows Mobile 6 software. The certificate must be either self-issued (signed and issued by your server) or signed and issued by a trusted certificate authority (CA).

You can use the Configure E-mail and Internet Connection Wizard (CEICW) that is included with Windows SBS 2003 to create a certificate that is signed by your server, or you can request and purchase a trusted certificate from a commercial CA.

Important

The self-issued certificate that the CEICW creates is valid for five years. Therefore, if you plan to continue using a self-issued certificate, you should create a new certificate before the existing certificate expires. As a best practice, after you create a self-issued certificate, set a reminder in your calendar to notify you when the expiration date is near. Self-issued certificates for early installations of Windows SBS 2003 begin to expire in 2008. After you create a new certificate, you must distribute it to your network client computers and mobile devices.

Creating a self-issued certificate by using the CEICW

When you run the CEICW, the server configures a self-issued certificate. Remote users can securely access your organization's Web sites once that certificate is installed on their remote computer or device. If users try to access your organization's Web sites without first installing the certificate, they receive a certificate warning. The warning advises users that the certificate that secures the Web site is not trusted, and as a result the site is not trusted. For the best security, users should install the self-issued certificate (obtained from the server's internal share, not by clicking through the warning) before they visit your organization's Web sites; a user who habitually clicks through the warning cannot tell your server apart from an impostor.
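As an added example that is not part of the original article, the following PowerShell script, run from an administrator's workstation, reads the self-issued certificate the CEICW published on the server's SBSCert share and reports when it expires and whether this workstation already trusts it. The internal server name contoso-server (the article's own example), the share path \\contoso-server\ClientApps\SBSCert and the 90-day warning window are assumptions.

```powershell
# Added example, not code from the original article. Inspects the self-issued
# certificate the CEICW created, as published on the server's SBSCert share,
# and reports when it expires and whether this workstation already trusts it.
# Assumptions: internal server name contoso-server (the article's own example),
# the share path \\contoso-server\ClientApps\SBSCert, and a 90-day warning window.
$share    = '\\contoso-server\ClientApps\SBSCert'
$warnDays = 90

$file = Get-ChildItem -Path $share -Filter *.cer | Select-Object -First 1
if (-not $file) { throw "No .cer file found in $share" }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName

# A self-issued certificate is signed with its own key, so issuer and subject match.
$selfIssued = ($cert.Subject -eq $cert.Issuer)
$daysLeft   = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

"File        : $($file.FullName)"
"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Self-issued : $selfIssued"
"Key size    : $($cert.PublicKey.Key.KeySize) bits"
"Thumbprint  : $($cert.Thumbprint)"      # publish this so remote users can check what they install
"Valid until : $($cert.NotAfter) ($daysLeft days left)"

# Verify() builds a chain against this computer's certificate stores: False means
# users on this computer would still get the certificate warning described above.
"Trusted here: $($cert.Verify())"

if ($daysLeft -lt 0) {
    Write-Warning "Certificate has expired. Rerun the CEICW to create a new one, then redistribute it to client computers and mobile devices."
} elseif ($daysLeft -lt $warnDays) {
    Write-Warning "Certificate expires in $daysLeft days. Create a replacement before then."
}
```

Scheduling this script to run monthly is a more reliable reminder than a calendar entry, and the thumbprint it prints is the value to give remote users so they can confirm what they are about to place in their Trusted Root store.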

To create a self-issued certificate by using the CEICW

  1. Click Start, and then click Server Management. In the console tree, click Internet and E-mail. In the details pane, click Connect to the Internet.

  2. On the Connection Type page, select Do not change connection type, and then click Next.

  3. On the Firewall page, select Do not change firewall configuration, and then click Next.

  4. On the Services Configuration page, ensure that the appropriate network services are selected, and then click Next.

  5. On the Web Services Configuration page, ensure that the appropriate Web services are selected, and then click Next.

  6. On the Web Server Certificate page, select Create a new Web server certificate, type the fully qualified domain name (FQDN) of your server (for example: server.contoso.com), and then click Next.

  7. On the Internet E-mail page, select Do not change Internet e-mail configuration, and then click Next.

  8. On the Completing the Configure E-mail and Internet Connection Wizard page, click Finish.

Requesting a trusted certificate from a CA

To provide users with a better remote access experience, it is recommended that you obtain a trusted certificate from an Internet CA. A CA verifies the identity of the person or organization that applies for a certificate, and it vouches for that identity by signing the certificate. When you configure Windows SBS 2003 to use a trusted certificate, users do not need to install a self-issued certificate on remote computers and devices, because those computers and devices already trust the CA's root certificate. A less expensive certificate from a trusted CA is just as valid and performs the same function as a more expensive one; what matters is that the issuing CA's root certificate is already trusted by your users' computers and devices.

Important

If you purchase a trusted certificate and you have devices that run Windows Mobile 6 software, check that the root certificate of the CA that issued it is present in the device certificate store. If it is not, install that root certificate on the device; otherwise the device rejects the server certificate even though desktop computers accept it.

To request a trusted certificate from a CA

  1. Click Start, and then click Server Management.

  2. In the console tree, click Advanced Management, click Internet Information Services, click YourServerName (local computer), and then click the Web Sites folder.

  3. In the details pane, right-click Default Web site, and then click Properties.

  4. On the Default Web Site Properties page, click the Directory Security tab, and under Secure communications, click Server Certificate.

  5. If a certificate is already installed on the server, the Modify the Current Certificate Assignment page appears. If the page appears, complete the following steps:

Note

The existing certificate may have been created when you ran the Configure E-mail and Internet Connection Wizard.

     a. Click Remove the current certificate, and then click Next.

     b. Click Next on the next two wizard pages, and then click Finish to complete the wizard and remove the existing certificate.

     c. On the Directory Security tab, click Server Certificate to start the wizard again.

     d. On the Welcome page, click Next.

  6. On the Server Certificate page of the IIS Certificate Wizard, click Create a new certificate.

  7. On the Delayed or Immediate Request page, select Prepare the request now, but send it later. A commercial CA accepts the request as a file; the immediate option applies only when the server can submit the request directly to an online enterprise CA.

  8. On the Name and Security Settings page, in Name, type a friendly name for the new certificate. Then select the key length (bit length) that your organization requires. Use at least 2048 bits; public CAs no longer issue certificates for shorter keys.

Note

Before you submit the certificate request, verify with the CA that it accepts the key length you chose.

  9. On the Organization Information page, in Organizational Name, type the legal name of your organization. In Organizational unit, type the name of your division or department. If your organization does not have a division, you can type the legal name of your organization.

Important

Before you start this procedure, get the exact verification requirements from the CA that you choose. Be sure that you type the proper company name. After you submit the request, the CA verifies the information that you have submitted and the company information. If you apply for the certificate by using a Trade name or a Doing Business As (DBA) name, be prepared to show documentation for that name. Also be sure to update your Dun & Bradstreet (D&B) or other commercial directory information before you submit the certificate request because many CAs use that information for verification.

  10. On the Your Site's Common Name page, type the common name for your site exactly as it appears to external users, for example: server.contoso.com. The CA issues the certificate for this name only; a name that differs from what users type in their browsers produces a certificate warning.

  11. On the Geographic Information page, type the required information. Do not use abbreviations because some CAs do not accept abbreviations.

  12. On the Certificate Request File Name page, type a file name.

Note

By default, the certificate request file is saved as C:\Certreq.txt, but the wizard allows you to specify a different location.

  13. On the Request File Summary page, click Next.

  14. Click Finish.

  15. Use Notepad to open the request file that you just created, and then copy all of the text that is in the file, including the BEGIN and END lines with their hyphens, into the application form that you are sending to the CA.

Note

Do not change or modify any of the certificate settings on the Web site after you create the certificate request. The pending request holds the private key that matches the certificate the CA will issue; if the pending request is cancelled for any reason, that key is discarded and the certificate the CA returns cannot be installed. In that case you must create a new request file and ask the CA to reissue the certificate against the new request.
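As an added example that is not part of the original article, the following PowerShell script produces the same kind of PKCS #10 request that the IIS Certificate Wizard writes to C:\Certreq.txt, using certreq.exe (which ships with Windows Server 2003) instead of the wizard. The working folder C:\CertReq and the Contoso names and location are placeholders for the exact values your CA will verify.

```powershell
# Added example, not code from the original article. Generates a PKCS #10
# certificate request with certreq.exe, driven from PowerShell, as an
# alternative to the IIS Certificate Wizard procedure above.
# Assumptions: working folder C:\CertReq; the Contoso subject values are placeholders.
$workDir = 'C:\CertReq'
if (-not (Test-Path $workDir)) { New-Item -ItemType Directory -Path $workDir | Out-Null }

# Single-quoted here-string: PowerShell does not expand $Windows NT$ inside it.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
; CN is the common name exactly as external users type it; no abbreviations in L, S or C.
Subject = "CN=server.contoso.com, OU=Information Technology, O=Contoso Ltd, L=Redmond, S=Washington, C=US"
; Public CAs no longer accept keys shorter than 2048 bits.
KeyLength = 2048
; KeySpec 1 = key exchange key, which SSL/TLS requires.
KeySpec = 1
; MachineKeySet stores the private key under the computer account, where IIS can use it.
MachineKeySet = TRUE
; Exportable lets you back the key up as a .pfx; set FALSE if policy forbids export.
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
'@
$inf | Set-Content -Path "$workDir\request.inf" -Encoding ASCII

# Generates the key pair in the machine store and writes the Base64 request file.
certreq -new "$workDir\request.inf" "$workDir\request.txt"

# This is the text (including the BEGIN/END lines and their hyphens) to paste into the CA's form.
Get-Content "$workDir\request.txt"

# When the CA returns the signed certificate (saved here as server.cer), bind it to the
# pending key in the machine store. After that, assign it to the Web site with the IIS
# Web Server Certificate Wizard (Directory Security > Server Certificate > Assign an existing certificate).
# certreq -accept "$workDir\server.cer"
```

The same rule about pending requests applies here: the private key is created by certreq -new and lives in the machine store until certreq -accept pairs it with the CA's certificate, so do not delete it from the store in the meantime. Because this path does not create an IIS pending request, the CEICW step that browses for the CA's certificate file (which expects the wizard's pending request) may not apply; assign the certificate in IIS Manager instead.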

Installing trusted certificates on the server

After you obtain a trusted certificate from a CA, you must install the certificate on the server so that it is available to distribute to remote computers and mobile devices.

To install a trusted certificate on the server by using the CEICW

  1. Click Start, and then click Server Management. In the console tree, click Internet and E-mail. In the details pane, click Connect to the Internet.

  2. On the Connection Type page, click Do not change connection type, and then click Next.

  3. On the Firewall page, click Do not change firewall configuration, and then click Next.

  4. On the Services Configuration and Web Services Configuration pages, ensure that the appropriate services are selected, and then click Next.

  5. On the Web Server Certificate page, click Use a Web server certificate from a trusted authority, click Browse to locate the certificate file that the CA returned, and then click Next.

Note

To install a trusted certificate on the server by using the Configure E-mail and Internet Connection Wizard, you must first have created the certificate request as described in the preceding section. The certificate file that the CA returns can only be used with the private key that was generated for that pending request.

  6. Follow the instructions to complete the wizard.

Installing trusted certificates on remote computers and mobile devices

Computers that are joined to the Windows SBS 2003 domain receive certificate updates automatically. You must install the certificate manually on computers that are not members of the domain and on mobile devices. The following procedures explain how to install certificates on remote computers and on devices that run Windows Mobile 6 software.

To install a trusted certificate on a remote computer

  1. From the remote computer, establish a connection to the internal company network. This enables you to access the certificate that you want to install.

  2. Open your Web browser, and then in the address bar type https://servername/remote, where servername is the external name of the computer running Windows SBS 2003 (for example: https://contoso.com/remote).

    • If the certificate is already trusted, no certificate warning appears, and no further action is required.
    • If the certificate is not trusted, a certificate warning appears. Do not click through the warning; close the Web browser window and proceed with the next step.
  3. Click Start, click Run, and then type \\servername\clientapps\sbscert\, where servername is the internal name of the server running Windows SBS 2003 (for example: \\contoso-server\clientapps\sbscert\). A Windows Explorer window appears and displays the certificate.

  4. Copy the certificate to the desktop of the remote computer.

  5. On the desktop of the remote computer, double-click the icon for the certificate. The Certificate Import Wizard appears.

  6. Select Place all certificates in the following store, and then click Browse. The Select Certificate Store dialog box appears.

  7. Select Trusted Root Certification Authorities, and then click OK.

Note

In some cases, it may be necessary to select the Show physical stores check box, and then in Trusted Root Certification Authorities, click Local Computer, and then click OK.

  8. Click Finish. Windows displays a security warning that shows the thumbprint (sha1) of the certificate you are about to trust; compare it with the thumbprint your administrator published, and then click Yes to install the certificate.
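As an added example that is not part of the original article, the following PowerShell script performs the same installation into the Local Computer's Trusted Root Certification Authorities store from the command line, but refuses to install a certificate whose thumbprint does not match the value the administrator published out of band. The thumbprint value and the file name sbscert.cer on the desktop are placeholders; the script must run in an administrator session.

```powershell
# Added example, not code from the original article. Installs the server's
# self-issued certificate into the computer's Trusted Root Certification
# Authorities store (the "Local Computer" physical store the article mentions),
# but only if its SHA-1 thumbprint matches a value the administrator published
# out of band, so a user cannot be tricked into trusting a look-alike certificate.
# Assumptions: the thumbprint and the desktop file name below are placeholders.
# Run from an administrator session; writing to LocalMachine\Root requires it.
$expectedThumbprint = '0000000000000000000000000000000000000000'   # placeholder: paste the published value
$certFile           = "$env:USERPROFILE\Desktop\sbscert.cer"        # placeholder name, copied from \\servername\clientapps\sbscert

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile

# Normalise the published value (spacing and case vary between sources) before comparing.
$expected = ($expectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Do not install it."
}

# Only a self-issued (self-signed) certificate belongs in Trusted Root. A certificate
# issued by a commercial CA is already trusted through that CA's root and needs no install.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Certificate was issued by '$($cert.Issuer)', not by itself; it is not a root and should not go into Trusted Root."
    return
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $store.Add($cert)     # adding a certificate that is already present is a no-op
} finally {
    $store.Close()
}

"Installed $($cert.Subject) (thumbprint $($cert.Thumbprint)) into LocalMachine\Root."
"Chain now verifies on this computer: $($cert.Verify())"
```

Writing to the Local Computer store rather than the current user's store is what the article's note about Show physical stores achieves in the wizard; it makes the certificate trusted for every account on the computer, including the services that Outlook's RPC over HTTP connection relies on.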

To install a trusted certificate on devices running Windows Mobile 6

For step-by-step instructions about how to deploy and install the self-issued certificate on devices that run Windows Mobile 6 in a Windows SBS 2003 networking environment, see “Deploying Windows Mobile 6 with Windows Small Business Server 2003” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=108284).