SBS 2008 RWW - self-signed SSL certificate
I'm really not sure where this question belongs, so please bear with me. I have a newly installed SBS 2008 server. By default, these servers use a self-signed SSL certificate, which has been created with the appropriate server name - mail.domain.com - for external access. This certificate works OK with OWA, but the user always gets a prompt that the certificate is not trusted. I have tried installing it in various certificate stores, without success. It will not install at all in the Trusted Root Certification Authorities store - although the installation process says it was imported, it does not appear on the list. This means that although OWA works even though the error message appears, I can't get an RDP connection to the server desktop to work. I always get a VBScript error that says I have to install the certificate in order to connect to the desktop. How can I resolve this issue? Deb
March 30th, 2010 11:54am

You need to publish your Root CA certificate to clients as follows:
1) Log on to a domain computer with Enterprise Admins permissions.
2) Open a CMD console in elevated mode.
3) Type: certutil -dspublish -f c:\certdata\root.cer RootCA, where c:\certdata\root.cer is the Root CA certificate location.
4) Make sure the command completed successfully.
After some delay (after the next group policy processing) this certificate will appear in computer stores as a trusted CA.
http://www.sysadmins.lv
March 30th, 2010 12:32pm

I don't think this will resolve my issue. The computers that need to trust this certificate are not on the same domain as the SBS server. They are remote computers that are not domain members and will be connecting to the server through the Remote Web Workplace website using secured RDP. Deb
March 30th, 2010 3:10pm

There are 2 choices:
1) Obtain a digital certificate for RDP from a trusted commercial CA (such as Entrust or StartCom).
2) Instruct all your remote clients to install your Root CA certificate into the Trusted Root CAs container in the *Computer* store. To achieve this, they will have to open a blank MMC console, add the Certificates snap-in focused on the Computer account, and add your certificate to the Trusted Root CAs container. Or they can run the certutil command: certutil -addstore root path\root.cer
http://www.sysadmins.lv
March 30th, 2010 3:30pm
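As an added example (my code, not the reply's), here is choice 2 above done from PowerShell for the *computer* store. It verifies the result through the Cert: drive rather than trusting the import dialog's "succeeded" message, and it refuses a file that is not self-signed, because a Root store entry must be a CA certificate, not the server's own mail.domain.com certificate (the distinction the later replies in this thread turn on). The file path is a placeholder; run it from an elevated prompt on the client that must trust the server.

```powershell
# Added example, not from the thread. Assumption: C:\certdata\root.cer is a
# placeholder for the exported public Root CA certificate (no private key).

function Install-TrustedRootCert {
    param(
        [Parameter(Mandatory=$true)][string]$Path,   # DER or Base64 .cer file
        [switch]$CurrentUser                         # default is LocalMachine, which RDP and IE consult
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # A Trusted Root entry must be a self-signed CA certificate. Importing the
    # server's leaf certificate here is the common mistake in this scenario.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "'$Path' is not self-signed (Subject differs from Issuer); it is an issued certificate, not a root CA."
    }
    if ($cert.HasPrivateKey) {
        throw "'$Path' carries a private key; distribute only the public certificate to clients."
    }

    $location = if ($CurrentUser) { 'CurrentUser' } else { 'LocalMachine' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', $location
    $store.Open('ReadWrite')
    try {
        if ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -eq 0) {
            $store.Add($cert)
        }
    } finally {
        $store.Close()
    }

    # Verify independently of the import call: is it really in the store now?
    $installed = Get-ChildItem "Cert:\$location\Root" | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $installed) {
        throw "Import reported success but the certificate is not present in Cert:\$location\Root"
    }
    $installed
}

# Usage: compare the printed thumbprint with the one shown on the server
# (certutil -dump root.cer, or the Certificates MMC) before trusting it.
Install-TrustedRootCert -Path 'C:\certdata\root.cer' | Format-List Subject, Thumbprint, NotAfter
```

The thumbprint comparison is the step that matters: a client that blindly installs whatever root it is handed over an untrusted channel is trusting whoever was in the path at that moment, so the value should be checked out of band before the import.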

Tried your #2 solution but this does not seem to work as anticipated. I was able to import the certificate into the Trusted Root CAs container, and it shows in the Certificates MMC snap-in. But it still doesn't show in the list of Trusted Root CAs in the properties of IE, and I am still getting the prompt in IE that there is a problem with the website's certificate. This is very puzzling, as I have another standard Windows 2008 TS with a self-signed certificate and I had no problem adding that certificate on my test machine. However, that is using a standard RDP client rather than the SBS Remote Web Workplace. BTW, I also tried installing the certificate using the SBS 2008-supplied InstallCertificate.exe application, and that didn't work either. Deb
March 30th, 2010 5:12pm

It is not clear from the thread whether you are attempting to use the Root CA certificate or a separate Server Authentication certificate. I believe you must request a certificate based on the Web Server template (or equivalent) and set IIS to use that certificate for the Remote Desktop site. The Root CA must still be in the Trusted Root CA store for User and Computer.
March 30th, 2010 5:53pm

> I am still getting the prompt in IE that there is a problem with the website's certificate

Can you show the exact error message?
http://www.sysadmins.lv
March 31st, 2010 1:47am

OK - I gave up on the self-signed certificate because it was just taking too much time to deal with the problems. I purchased a GoDaddy certificate (if anyone is interested they are having a sale - $12.99/year for up to 3 years!). This seems to work fine, except for one thing. I get a warning message just before the remote desktop connection that states that there is a different certificate name. This is an SBS thing I think - it is saying that the certificate is issued to servername.domain.com, instead of mail.domain.com. The "servername" the error refers to is the internal server name, not the external, public host name (which is "mail") that the GoDaddy certificate is issued to. I can get past this error and connect to the desktop, but it's annoying. Do you have any idea why this is happening and how I can get rid of this certificate? I would know how to do this in IIS6, but I'm not familiar with the IIS7 interface, and I can't figure out how to disable this other certificate in terms of the RWW connection. I can see the certificate in the Certificates snap-in, and it is enabled for "Client Authentication," but I'm not sure what will happen if I just delete it or disable it - maybe it is being used for internal security in some way. Deb
March 31st, 2010 12:23pm

You must obtain a certificate that is issued to your server *connection* name. It is not required that the certificate be issued to the server FQDN. For example, your clients connect to the server just by typing "mycoolserver.somedomain.com". The certificate must then be issued to "mycoolserver.somedomain.com". There are 2 ways:
1) Purchase a new certificate with the correct Subject name.
2) Configure your DNS server (the one that is authoritative for your zone). You can create a CNAME (simple alias) with the name that is specified in the certificate Subject and that points to your web server.
http://www.sysadmins.lv
March 31st, 2010 12:59pm

You have misunderstood my post. The certificate name is correct - mail.domain.com - which matches the public host and MX record for this server. There is no problem connecting to the main website page. The error appears only when you try to connect to a specific internal computer using the RDP portion of Remote Web Workplace. The message that is coming up is for server.domain.com, which is the internal name of the server. Deb
April 7th, 2010 10:23am

Lemme guess: this is an annoying yellow warning that you get when you connect to a workstation? To be clear, you've already installed the self-signed cert bundle on the workstation (even though I prefer a third-party cert) so you can remotely connect; you just want to get rid of that annoying yellow warning? If so, you can't. I bugged that in both SBS 2003 and 2008, and it's the way the remote access and TS Gateway are handling the IIS web site. The best you can do is instruct people to ignore it. If that's not what you are talking about, post back.
April 8th, 2010 1:11am

Did you get this figured out? I am having the same issue where my imported third party cert works for OWA/RWW but not for RDP. I even attempted to import the cert to the "remote desktop" certificates with no luck. I also notice that even after importing the cert as a "private" cert that it does not show in the "add a trusted certificate" wizard in the SBS console. Thanks.
April 26th, 2010 1:18am

I had the same problem. All I did was to copy the Certificate Installation Package found under Windows SBS Console – Connectivity; under Tasks, open Certificate Installation Package. Install it this way and not via the right-click-on-the-website-and-install-certificate way. Hope this helps.
October 28th, 2010 3:47pm

Would it be possible to get a wildcard certificate issued to *.domain.com? Specifically: if you request a certificate issued to "*.domain.com", then it will be valid for SSL connections to both mail.domain.com and server.domain.com. Reference: http://www.verisign.com/ssl-certificates/wildcard-ssl-certificates/ Thanks, John
October 28th, 2010 4:00pm

Is John's idea a suggestion or a solution? It sounds great. Can anyone confirm whether this is possible? Stuart
November 9th, 2010 4:26am

Please see the reference linked in the post: http://www.verisign.com/ssl-certificates/wildcard-ssl-certificates/ Thanks, John
November 9th, 2010 1:48pm

Also see: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/5d0fb4c2-3333-4fec-82fc-6e15d3733937.mspx?mfr=true
November 9th, 2010 1:51pm

I am having the same problem as Deb and I don't think the solution has been posted here. The problem I think she is having is the same as mine. I set up quite a few SBS 2008 boxes for my clients. I always purchase a third-party server certificate for them. The DNS points remote.customername.com and the certificate matches that name. I install the certificate using the SBS console and it binds properly to the RWW website and OWA websites and shows the correct certificate. When I log in from a client with https://remote.customername.com and connect to RWW it works fine, no certificate errors. The problem occurs when you use Remote Desktop Connection from a client computer on the internet. When it connects it states that the certificate is not trusted. The reason it is not trusted is because if you view the certificate it shows the self-signed certificate called servername.customername.local. So I believe in her case and mine the problem is that the publicly trusted certificate is not installed for REMOTE DESKTOP CONNECTION. Can anyone else help? Thanks, Steve
November 11th, 2010 6:21pm

Hi Steve, thanks for the detailed explanation. Can you try the following and let me know what you find?
1. On your server, open the "TS Gateway Manager".
2. Right click on the local server and select "Properties".
3. Select the "SSL Certificate" tab.
4. What is listed under "Issued to" and "Issued by"?
5. If the public certificate is not being used, can you switch to it from "Browse Certificates…" under "Select an existing certificate for SSL encryption"?
6. If so, restart web services and try to make a remote connection from a client, and follow up with results.
Thanks, John
November 12th, 2010 3:42pm
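John's steps cover the TS Gateway certificate. The certificate Steve and Dave describe (self-signed, issued to servername.customername.local, recreated under the "Remote Desktop" store) is the one the RDP listener itself presents, which is a separate setting. As an added example (my code, not from any poster), the PowerShell below reads which certificate the RDP-Tcp listener is using from the Win32_TSGeneralSetting WMI class and switches it to a certificate from the machine's Personal store, after checking that the certificate has a private key and a Server Authentication EKU. The listener name RDP-Tcp is the default; the thumbprint in the usage line is a placeholder. Run it elevated on the server.

```powershell
# Added example, not from the thread. Assumptions: default listener 'RDP-Tcp';
# the purchased certificate (e.g. remote.customername.com) is already imported
# with its private key into Cert:\LocalMachine\My.

$TsNamespace = 'root\cimv2\TerminalServices'

function Get-RdpListenerCertificate {
    # SSLCertificateSHA1Hash holds the thumbprint of the certificate the listener
    # presents. The auto-generated one lives in the 'Remote Desktop' store.
    $ts = Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if (-not $ts) { throw "RDP-Tcp listener not found in $TsNamespace" }
    $hash = $ts.SSLCertificateSHA1Hash
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $hash } | Select-Object -First 1

    $subject = '(thumbprint not found in My or Remote Desktop store)'
    $issuer = ''
    $selfSigned = $null
    if ($cert) {
        $subject = $cert.Subject
        $issuer = $cert.Issuer
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
    }
    New-Object PSObject -Property @{ Thumbprint = $hash; Subject = $subject; Issuer = $issuer; SelfSigned = $selfSigned } |
        Select-Object Thumbprint, Subject, Issuer, SelfSigned
}

function Set-RdpListenerCertificate {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    # Thumbprints pasted from the MMC often carry spaces or a hidden leading character.
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    $cert = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate has no private key here; the listener cannot use it" }

    # If an EKU extension is present it must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        throw "Certificate lacks the Server Authentication EKU"
    }

    $ts = Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null
    Get-RdpListenerCertificate
}

# Usage: see what RDP clients currently get, then switch to the purchased certificate.
Get-RdpListenerCertificate
# Set-RdpListenerCertificate -Thumbprint '<thumbprint of the remote.customername.com certificate>'
```

Two things to check if the switch succeeds but clients still see the old name: the Remote Desktop service runs as NETWORK SERVICE and needs read access to the private key (Certificates MMC, All Tasks, Manage Private Keys), and the name clients connect to must be one of the names on the certificate, otherwise a trusted issuer only turns the "not trusted" warning into a "name mismatch" warning.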

I have a similar problem with 2008 Enterprise Server SP1. I didn't want to post a separate question when it sounds like what I am seeing. I originally used a self-signed certificate for TS Gateway. I then installed TS Web with the self-signed certificate. Now to get rid of the warning message, I purchased an SSL certificate from GoDaddy with the external name. I was able to get it installed per their directions in TS Gateway, IIS, and TS RemoteApp Manager. I deleted the other self-signed certificate (the one with the internal name), but when I connect through TS Web, it says it doesn't trust the signer and when I check the certificate store, there is a new self-signed certificate sitting under Remote Desktop. I can delete it and it gets recreated each time I try to connect via TS Web. Thanks, -- Dave
December 15th, 2010 6:05pm

Is there something special in DNS that needs to be set in order for Remote Desktop (using that term since that is the name in the certificate store) to recognize the machine's external name as valid? I don't understand why it would substitute an internally named self-signed certificate. Any ideas?
December 30th, 2010 11:39am

I created an SSL cert for Remote Desktop, selected Remote Desktop in the cert, and imported the cert. On the client, when they log in for the first time (and subsequently, if it is not installed into Trusted Root), have them click on 'Install Certificate'. This brings up a box; do not select the default, you must choose to save to an alternate area. In that drop-down (on the client computer) choose the 'Trusted Root' folder. Then have them log out. They can log back in and the error is not there. Mibble
January 3rd, 2011 6:53pm

Thought you might know the actual answer for installing/distributing the SBS 2008 self-signed cert. It can be found at: http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx As described in the blog, you can't browse to the OWA site, click the cert and install it - it simply won't work this way. You now must use a package created when you run the 'Configure my Internet Address' wizard. Slightly more onerous, but no need for a trusted CA cert.
January 19th, 2011 5:25pm

To all, a wildcard SSL cert won't actually work well. Best practice for an SSL certificate on SBS 2008 is to get a UCC SSL cert. The best way to install it would be through the SBS console, as they create all the names needed on the UCC. I normally add autodiscover.mydomain.com. The UCC should have the following:
mydomain.com
remote.mydomain.com
Server.domain.local
autodiscover.mydomain.com (make sure DNS is pointing to your server)
I happen to be running into difficulties with SBS 2011 where I am getting an unsupported CA even though the SSL certificate (UCC) is installed. I even removed all self-signed certificates. I tried installing it 3 ways: IIS7, Exchange 2010, and SBS console, but I still get the same error. I will advise when I get an answer.
April 1st, 2012 9:09pm
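To make the wildcard versus UCC question in the last few posts concrete, here is an added example (my code, not any poster's): PowerShell that lists the DNS names a certificate actually carries (Subject CN plus the Subject Alternative Name extension) and checks each name clients will use against them, applying the usual wildcard rule that '*' stands for exactly one DNS label. Under that rule *.mydomain.com covers remote.mydomain.com and autodiscover.mydomain.com, but not the bare mydomain.com, not a.b.mydomain.com, and not Server.domain.local. The names are placeholders; parsing the SAN text assumes an English Windows locale.

```powershell
# Added example, not from the thread. Assumptions: placeholder names; SAN text
# from Format() reads "DNS Name=..." (English locale).

function Get-CertificateDnsNames {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.GetNameInfo('DnsName', $false)        # CN, or first SAN entry, for older single-name certs
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($part in ($san.Format($false) -split ',\s*')) {
            if ($part -match '^DNS Name=(.+)$') { $names += $matches[1].Trim() }
        }
    }
    $names | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
}

function Test-DnsNameCovered {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLowerInvariant()
    foreach ($n in $CertNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                     # "*.mydomain.com" -> ".mydomain.com"
            $firstLabel = $h.Split('.')[0]
            # The wildcard replaces exactly one label: the part before the suffix
            # must be a single label, and the bare domain itself is not covered.
            if ($h.EndsWith($suffix) -and ($h.Length - $suffix.Length) -eq $firstLabel.Length) {
                return $true
            }
        }
    }
    $false
}

function Test-CertificateCoversNames {
    param([string[]]$CertNames, [string[]]$RequiredNames)
    foreach ($r in $RequiredNames) {
        New-Object PSObject -Property @{ Name = $r; Covered = (Test-DnsNameCovered $r $CertNames) } |
            Select-Object Name, Covered
    }
}

# Usage: the UCC name list from the post above, checked against a wildcard for comparison.
$required = 'mydomain.com', 'remote.mydomain.com', 'autodiscover.mydomain.com', 'Server.domain.local'
Test-CertificateCoversNames -CertNames @('*.mydomain.com') -RequiredNames $required | Format-Table -AutoSize

# Against a real certificate file instead:
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certdata\remote.cer'
# Test-CertificateCoversNames -CertNames (Get-CertificateDnsNames $cert) -RequiredNames $required
```

Run this before buying or re-issuing: it tells you exactly which connection names will still produce a name-mismatch warning. One caveat for anyone following this thread years later: public CAs stopped issuing certificates for internal names such as Server.domain.local, so that entry in a UCC list now has to be covered by an internal CA or avoided by having clients and the server use the public name.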

All, I have never had a problem with a self-signed cert from SBS 2008 for RWW/OWA, except for mobile devices, when you do need the installer package as indicated by scottlano. Normally the installer works perfectly on all PCs incl. Win 7 and Win 8, both using IE9, but if that is still not enough to clear the warning, add the leaf certificate to the Local PC account. To get the self-signed cert recognised by a client PC, go to Start>Programs>Internet Explorer, right click IE (not 64-bit) and run as admin. Then browse to https://remote.mydomain.com and wait for the warning. Ignore the warning and go to the site.
1) Add the remote https:// site to Trusted Sites in IE Options on the Security tab.
2) Click the certificate warning in the address bar of the browser, view the certificate and click Install Certificate.
3) Follow the wizard but select the Place All Certificates in the Following Store option, select Show All Stores and install first to the Trusted Root Certification Authorities store under the Local Computer store; click all the way through to a successful install. Although you seem to be able to do this outside of run-as-admin mode, it won't work unless you ran IE as admin in the first instance.
4) Repeat 3) and place it in the Intermediate Certification Authorities store.
5) Reboot and test.
I hope that helps; this works for me with XP, Vista and Win 7 and now Win 8. I haven't done this with Group Policy but there is a way of attaching the cert by importing via GP and attaching it to an OU. But then I only ever seem to need to do it for a few users, so a Standard Operating Procedure seems to cover it!
May 16th, 2012 5:14am
