How to Create Self-Signed Certificates for Successful Encryptions
Updated: April 21, 2010
Applies To: System Center Data Protection Manager 2010
DPM supports two types of certificates to successfully encrypt data at a protection group level: self-signed certificates and certificates imported from a certification authority (CA). You can create a self-signed certificate using makecert.exe.
You should use a certificate store to securely store your certificates. The .snk files used by this tool store private keys in an unprotected manner. When you create or import a .snk file, you should be careful to secure it during use and remove it when you are done.
SSL server certificates for Internet Information Services (IIS) are stored in the "Personal" ("My") certificate store of the "computer account" ("localMachine"). The "Certificates" snap-in of the Microsoft Management Console (mmc.exe) must be used to manage these certificates. The certificate management window (accessible from "Internet Properties" / "Content" / "Certificates" or from "Control Panel" / "Users and Passwords" / "Advanced" / "Certificates") cannot be used.
To create a self-signed certificate
See Internet Information Services (IIS) Server Certificate Installation Instructions (http://go.microsoft.com/fwlink/?LinkID=92669).
To import self-signed certificates into DPMBackupStore using Makecert.exe
Type the following command:
Makecert.exe -r -n "CN=MyCertificate" -ss DPMBackupStore -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -e <expiry date in mm/dd/yy format>
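To confirm what the command above produced, the following added example (not part of the original Microsoft page) reads the DPMBackupStore store of the local machine and reports, for each certificate, whether it has a private key, its expiry, and the key type and provider that correspond to the -sky, -sp and -sy switches. It assumes Windows PowerShell run from an elevated prompt; the output column names are chosen here for illustration.

```powershell
# Added example: inspect certificates in LocalMachine\DPMBackupStore.
# Assumption: Windows PowerShell, elevated (private key details need administrator rights).
$x509     = 'System.Security.Cryptography.X509Certificates'
$location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$flags    = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly'

$store = New-Object "$x509.X509Store" -ArgumentList 'DPMBackupStore', $location
$store.Open($flags)          # OpenExistingOnly: throws if the store was never created
try {
    foreach ($cert in $store.Certificates) {
        # CspKeyContainerInfo is only available for CSP-backed keys that this
        # account is allowed to open; leave the fields empty otherwise.
        $csp = $null
        if ($cert.HasPrivateKey) {
            try { $csp = $cert.PrivateKey.CspKeyContainerInfo } catch { $csp = $null }
        }

        $row = New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            # Name comparison only: -r creates a certificate whose issuer equals its subject.
            SelfIssued    = ($cert.Subject -eq $cert.Issuer)
            NotAfter      = $cert.NotAfter
            DaysLeft      = ($cert.NotAfter - (Get-Date)).Days
            KeyNumber     = if ($csp) { $csp.KeyNumber }    else { $null }  # Exchange for -sky exchange
            ProviderName  = if ($csp) { $csp.ProviderName } else { $null }  # value passed to -sp
            ProviderType  = if ($csp) { $csp.ProviderType } else { $null }  # 12 for -sy 12
        }
        $row | Select-Object Subject, Thumbprint, HasPrivateKey, SelfIssued,
                             NotAfter, DaysLeft, KeyNumber, ProviderName, ProviderType
    }
}
finally {
    $store.Close()
}
```

A certificate that shows HasPrivateKey as False, or a DaysLeft value at or below zero, will not be usable for encrypting protection group data and should be re-created before it is relied on.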