Difference between revisions of "Deploying a Self-signed SSL Certificate"


Revision as of 16:08, 22 June 2012

Background

During the installation of MailStore Server, an SSL certificate is generated that all MailStore components use whenever an encrypted connection is established. Because this certificate is issued to the server name MailStoreServer and was not issued by a certification authority (CA) that the clients trust, the clients do not trust it.


Because of this, the browser shows a certificate warning when MailStore Web Access is opened via HTTPS (SSL).


This article describes how to deploy a self-signed certificate using a group policy. The alternative is a certificate signed by your company's own CA or by a public certificate provider such as VeriSign or eTrust; that option is described in chapter Using Your Own SSL Certificate.

To configure MailStore Server and your clients for using a self-signed certificate, please proceed as described in the following.

Creating a Self-Signed Certificate

The self-signed certificate created during the installation of MailStore Server is issued to the server name MailStoreServer.

If the server's DNS host name is not MailStoreServer and no A or CNAME record for MailStoreServer exists on the DNS server, a new self-signed certificate must first be created for the host name that clients actually use. Otherwise clients will still report a name mismatch even after the certificate has been deployed as trusted. Please proceed as follows:

  • Open the MailStore Server Service Configuration.
  • Click on IP Addresses and Ports.
  • Click on the button next to the field Server Certificate and select Create Self-Signed Certificate...
    Deploy selfsigned 00.png
  • As the name for the new certificate, enter the host name under which clients reach the MailStore server, e.g. mailstore.mydomain.local, and click on OK. The name must match exactly the host name clients enter in their browser or in the MailStore Client.
  • If necessary, replace all other server certificates listed under IP Addresses and Ports with the new certificate. To do so, click on the button next to the Server Certificate field and select Select from Certificate Store...

Deploying a Self-Signed Certificate

Before the self-signed certificate can be deployed, it must be exported from the current certificate store. Export only the certificate, never the private key: the key must remain on the MailStore server, because anyone holding a copy of it could impersonate the server to every client that trusts the certificate. Please proceed as follows:

  • Open the MailStore Server Service Configuration.
  • Click on IP Addresses and Ports.
  • Click on the certificate.
  • Open the Details tab.
  • Click on Copy to File.
  • Follow the instructions of the certificate export wizard to export the certificate without the private key, in DER encoded binary X.509 (.CER) format, to a file.

Once the certificate has been exported to a file, create a group policy as described in chapters MailStore Client Deployment or MailStore Outlook Add-In Deployment and adapt it as follows to deploy the certificate:

  • Open the group policy object using the Group Policy Management Editor of your Windows server.
  • Expand the Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  • Right-click on Trusted Root Certification Authorities and select Import.... A self-signed certificate is its own issuer, so clients only trust it if it is placed in this store; importing it into any other store does not remove the warning.
  • Follow the instructions of the certificate import wizard to import the certificate from the file.
  • Under Public Key Policies open the properties of the Certificate Services Client - Auto-Enrollment.
    Deploy selfsigned 01.png
  • Change the Configuration Model to Enabled and click on OK.
  • Under Public Key Policies open the properties of the Certificate Path Validation Settings.
    Deploy selfsigned 02.png
  • Place a checkmark next to Define these policy settings and click OK.

The group policy takes effect the next time the workstations are restarted, or after gpupdate /force has been run on them. It affects applications that use the Windows certificate store; browsers that keep their own certificate store, such as Firefox, need the certificate imported separately.
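The two procedures above, creating and exporting the certificate on the server and checking the result on a workstation, can also be done and verified from PowerShell. The following script is an added example and is not part of the MailStore documentation or product. It assumes the certificate was created with the name mailstore.mydomain.local and sits in the server's LocalMachine\My store, that the output path is a full path, and that Web Access listens on TCP port 8462; adjust these for your environment.

```powershell
# Added example, not MailStore's own tooling. Part 1 runs on the MailStore
# server and exports the self-signed certificate WITHOUT its private key as
# DER (.cer), the file format the GPO import step expects. Part 2 runs on a
# workstation after the policy has applied and checks that the certificate
# landed in the Trusted Root store and that a TLS handshake under the host
# name clients use passes Windows' default validation.
# Assumptions (adjust): the certificate was created with the name
# mailstore.mydomain.local, it lives in the server's LocalMachine\My store,
# and Web Access listens on TCP 8462.

function Export-ServerCertificate {
    param(
        [Parameter(Mandatory=$true)] [string] $HostName,
        [Parameter(Mandatory=$true)] [string] $OutFile   # use a full path
    )
    # Newest certificate issued to the host name; an older one may be left
    # over from a previous "Create Self-Signed Certificate" run.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$HostName" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject CN=$HostName in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key here; this is not the server's own certificate" }

    # X509ContentType.Cert writes the DER-encoded public certificate only.
    # Never use Pfx/Pkcs12 here: that would carry the private key along.
    [IO.File]::WriteAllBytes($OutFile, $cert.Export('Cert'))

    # Verify the artefact before handing it to group policy.
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $OutFile
    if ($exported.HasPrivateKey) { throw 'Exported file contains a private key; do not deploy it' }
    if ($exported.Thumbprint -ne $cert.Thumbprint) { throw 'Exported file does not match the certificate in the store' }
    return $exported.Thumbprint
}

function Test-DeployedTrust {
    param(
        [Parameter(Mandatory=$true)] [string] $HostName,
        [Parameter(Mandatory=$true)] [string] $Thumbprint,
        [int] $Port = 8462   # assumption: Web Access HTTPS port
    )
    # 1. A self-signed certificate is its own issuer, so it is trusted only
    #    from the Trusted Root store; "Intermediate" or "Personal" will not do.
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $root) { return "FAIL: $Thumbprint is not in LocalMachine\Root; policy not applied yet (try gpupdate /force)" }

    # 2. Default SslStream validation requires a chain to a trusted root AND
    #    a host name match, which is exactly what the browser checks.
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false
    try {
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        if ($remote.Thumbprint -ne $Thumbprint) {
            return "WARN: handshake trusted, but the server presented $($remote.Thumbprint), not the deployed certificate; check the certificate bound to port $Port"
        }
        return "OK: ${HostName}:$Port presents the deployed certificate and validates"
    } catch {
        return "FAIL: handshake rejected: $($_.Exception.GetBaseException().Message) (untrusted issuer or name mismatch)"
    } finally {
        $ssl.Close(); $tcp.Close()
    }
}

# On the MailStore server (elevated):
#   $tp = Export-ServerCertificate -HostName 'mailstore.mydomain.local' -OutFile 'C:\Temp\mailstore.cer'
# Import C:\Temp\mailstore.cer into the GPO as described above, then on a
# workstation after gpupdate /force or a reboot (paste the thumbprint):
#   Test-DeployedTrust -HostName 'mailstore.mydomain.local' -Thumbprint $tp
```

The handshake check deliberately uses the default validation rather than a callback that accepts everything: a FAIL with a name-mismatch message means the certificate name does not match the host name clients use and a new certificate is needed, while a WARN means trust is in place but the port is still bound to a different certificate, which is the "replace all other server certificates" step above.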