Replacing the SBS self-signed SSL certificate with an 'el cheapo one from GoDaddy
Jeff at ABC Solutions has created a PDF file documeting how to replace the self-signed SSL certificate that the SBS wizard creates for you with a certificate from GoDaddy. Since this involves both IIS and ISA I wanted to call it to your attention. Good job Jeff and nice work on the PDF too. You can download the PFD here.
6 Comments:
Could you elaborate on what the value of this is? Is there functionality which is gained from having a root certificate which cannot be had from the self-signed cert? Not trying to be a butt-head, I just don't understand why this would be a desireable thing to do.
Russel,
It's about trust. A self-signing cert is quite valid, but from an external view, your browser doesn't associate the site as trusted. If you actually connect with IE7, it won't immediately connect... with a huge page warning that you shouldn't connect as the site is unsafe.
From an end users perspective, this is confusing... and leads to potential support issues. For $20, you can remove this entirely.
From an attack surface point of view, expecting an untrusted cert means that it would be quite easy to redirect a connection without you knowing the difference. As long as a invalid cert prompt comes up... the end user will probably accept it... especially if they are used to doing it this way. This means complacency, which is the worst thing for security.
All and all... for $20 you add a level of security assurance that you don't originally have with a self-signing cert. Seems like a good investment to me.
What Dana said. :)
You can mitigate some of what Dana has said by walking your users through installing the certificate. Once installed it won't pop up anymore asking for acceptance. (though I have not tested this with IE 7)
The real reason why SBS comes with a self signed cert are two:
i. They were expensive at the time SBS 2003 was released.
ii. The product team wants SBS to be "simple". They can pre-load a self signed cert, it works and doesn't generate support calls.
A couple of reasons why I did this (as stated in the document):
1. There were users on the Yahoo group that wanted to know how to do this.
2. There was no clear SBS-Styled Documents on how to do it. There are directions at GoDaddy and Microsoft on how to add a 3rd part certificate to ISA networks, but they aren't too clear on the explanation of using it on SBS, as the Swiss Army Server (all in one.) Actually, I like that moniker... Windows SBS 2003: The Swiss Army Server. If no one else thought of it before, it's mine, OK? I digress...
3. I like, for my customers, to have a website that doesn't pop up with a question that takes 10 minutes to answer, when, in an hour, I can take care of that question.
4. As Dana stated, just clicking through security warnings is a security risk. It's like going through a railroad crossing where the lights are blinking, but no train is seen. Pretty soon, that crossing isn't respected, and wham! a train hits your car as you speeds through.
5. I wanted to know how to do it, and I figured the community would benefit.
6. I am starting out my business, and I want people to know about me.
7. GoDaddy is making good things happen in the Hosting and (in this case) the Certificate industry by democratizing the process and making the prices much more affordable. It is our job (as consultants) to point out the plusses and minuses of each product they (we) offer), and let our clients make the choice.
8. This is, foremost, for my business. If I procedurize something, and do it well, I spend 4-6 hours the first time, and 60 minutes the next 400 times. It is clearly in my best interest to document EVERYTHING!!! Plus, I can give this to my employees, and they (I) profit from a tested, well written procedure.
Thank you Amy and Dana for your kind comments on this procedure. However, my biggest thanks go to to Tony Su at Su-Networking.Com for his very cogent, well written, and spot-on critique of the original document in the SBS 2K group. His comments took it from a "C" level document to an "A" level one. I really appreciate his effort and constructive criticism.
Jeff
Jeff,
If it wasn't an A level document I wouldn't have called attention to it. As I said in the original post. Good Job!
I would highly recommend using CEICW to install the certificate and I don't understand why you would create "a dummy website" rather than using the default website. If you start the CEICW wizard and get to the certificate page and click the more information it explains how to create the request and then once you have the certificate downloaded you can just run through the wizard to install the certificate. I have seen twice where I lost access to public folders Exchange System manager when I installed certificates without using CEICW, but had no problems when I installed with CEICW.
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/db926eabc805c871/
Post a Comment
<< Home