Secure Website Access


The release of SBS 2003 provided a much-needed feature: SSL Security Certificates at no additional cost. Well, no monetary cost, anyway. These certificates are self-signed. So although the certificate enables SSL communications on the SBS server (for Outlook Web Access [OWA], Remote Web Workplace, and other services), it is not specifically a trusted certificate. In the Windows world, this is not much of a problem. When you connect to a site using a self-signed certificate, you are presented with a warning indicating that the certificate is not valid, specifically pointing out that it is signed by a nontrusted authority. To get past this, you click Yes and go on.

Not surprisingly, the behavior is a little different in the Macintosh world. Using Microsoft Internet Explorer on the Mac to connect to these same sites results in a hard block. IE generates an error, not a warning, and refuses to continue access to the site. However, Microsoft has discontinued production on IE for the Mac.

Fortunately, there are workarounds. Unfortunately, none of them involve IE for the Mac.

People using Netscape 4.x or 7.x for the Mac are prompted with a similar warning when accessing these sites. Netscape gives you the option to add the security certificate to its own certificate store. This is the only way to work around this problem for Macs running OS 9.

There are also times when access to one of these sites takes place outside the context of the web browser. Mac OS X has its own internal certificate store. The Safari web browser and other services in Mac OS X use this store. It is also used by Entourage 2004 to connect to an Exchange server. You can import these self-signed certificates into the OS store as a trusted certificate, and that allows Safari and other tools that look to the OS store for certificates to communicate securely with the server without generating warnings or errors.

Exporting the SSL Certificate from SBS

The self-signed certificate on SBS is stored in the certificate store, not as a file on the disk. To get the certificate into a format that the Mac can use to add to its own store, the certificate must be exported from the certificate store on the server into a file. Follow these steps to export the self-signed SSL certificate from the server:

1. Open Internet Information Services (IIS) Manager.
2. Expand the server and then expand Web Sites.
3. Right-click Default Web Site, and then click Properties.
4. Select the Directory Security tab, and then click View Certificate.
5. Select the Details tab, and then click Copy to File.
6. In the Certificate Export Wizard, click Next.
7. On the Export Private Key window, select No, Do Not Export the Private Key, and then click Next.
8. On the Export File Format window, select DER Encoded Binary X.509 (.CER), and then click Next.
9. On the File to Export window, browse to a location that you can access from the Macintosh, enter a filename, and then click Next.
10. Click Finish to complete the wizard.

Importing the SSL Certificate into the Macintosh Certificate Store

After you export the OWA certificate and copy the certificate file to the Mac OS X computer, you can add the certificate as a trusted certificate using either the UNIX interface on the Macintosh or a third-party utility, such as the freeware program CerttoolGUI 0.1. This utility is available at either of the following websites:

http://macupdate.com/info.php/id/10947

http://www.versiontracker.com/dyn/moreinfo/mac/18496

Follow these steps to add the certificate using CerttoolGUI 0.1:

1. Rename the certificate file to have a .DER extension instead of .CER, and then copy the file to the root of the Macintosh hard disk drive.
2. Start CerttoolGUI.
3. Click Add Certificate. The certificate appears in the CerttoolGUI certificate list.
4. Select the certificate, and then click Import Certificates. The certificate state appears as added.
5. Close CerttoolGUI. Safari will no longer warn about the certificate.

Follow these steps to add the certificate using the UNIX interface on Mac OS X:

1. Copy the certificate file to the root of the Macintosh hard disk drive. Do not rename the file.
2. Open the Terminal application (select Macintosh HD, Applications, Utilities, Terminal).
3. Type cd / and then press Enter.
4. Type sudo certtool i certname.cer d k=/System/Library/Keychains/X509Anchors and then press Enter, where certname.cer is the name of the certificate file.
5. When prompted, enter the password for the local Macintosh account.
6. To verify that the certificate was added correctly, type sudo certtool y k=/System/Library/Keychains/X509Anchors | grep yourdomain and then press Enter, where yourdomain is the SBS 2003 domain. If the certificate was added correctly, you will see two or more lines starting with Common Name that display the name of the server.
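Importing the file makes the self-signed certificate a trust anchor, so before running the certtool import it is worth confirming that the file copied to the Mac is the complete DER export and matches the certificate on the server. The following is an added example, not from the book: the function names are hypothetical, and it assumes you have noted the SHA-1 Thumbprint value shown on the Details tab of the View Certificate dialog on the server.

```shell
#!/bin/sh
# Added example: pre-import checks for the exported certificate file.
# Function names are illustrative and not part of certtool or the book.

# Keep only hex digits and lowercase them. This drops the spaces, colons and
# the invisible U+200E mark that can come along when the value is copied
# from the Windows certificate dialog.
normalize_thumbprint() {
    printf '%s' "$1" | LC_ALL=C tr -cd '0-9A-Fa-f' | LC_ALL=C tr 'A-F' 'a-f'
}

# SHA-1 over the raw file bytes. For a DER export this is the value Windows
# displays as the certificate Thumbprint.
file_thumbprint() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1    # Mac OS X
    fi
}

# True when the file is a single DER SEQUENCE (0x30 0x82 hi lo) whose declared
# length equals the file size. A Base-64 export or a truncated copy fails.
# Real certificates are 256..65535 bytes, hence the two-byte length form.
is_der_cert() {
    set -- "$1" $(od -An -tu1 -N4 "$1" 2>/dev/null)
    [ "$#" -eq 5 ] && [ "$2" -eq 48 ] && [ "$3" -eq 130 ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq $(( $4 * 256 + $5 + 4 )) ]
}

# Usage: check_export /certname.cer "THUMBPRINT AS SHOWN ON THE SERVER"
# Returns 0 on match, 1 on thumbprint mismatch, 2 if the file is not DER.
check_export() {
    is_der_cert "$1" || { echo "not a complete DER certificate" >&2; return 2; }
    [ "$(file_thumbprint "$1")" = "$(normalize_thumbprint "$2")" ] ||
        { echo "thumbprint mismatch: do not import" >&2; return 1; }
    echo "thumbprint matches"
}
```

A return code of 2 usually means Base-64 Encoded X.509 was selected in the export wizard instead of DER, or the copy to the Mac was incomplete.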




Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
EAN: 2147483647
Year: 2005
Pages: 253
