How to Create Self-Signed Certificates for Successful Encryptions
Applies To: System Center Data Protection Manager 2010
DPM supports two types of certificates to successfully encrypt data at a protection group level: self-signed certificates and certificates imported from a certification authority (CA). You can create a self-signed certificate using makecert.exe.
You should use a certificate store to securely store your certificates. The .snk files used by this tool store private keys in an unprotected manner. When you create or import a .snk file, you should be careful to secure it during use and remove it when you are done.
SSL server certificates for Internet Information Services (IIS) are stored in the "Personal" ("My") certificate store of the "computer account" ("localMachine"). The "Certificates" snap-in of the Microsoft Management Console (mmc.exe) must be used to manage these certificates. The certificate management window (accessible from "Internet Properties" / "Content" / "Certificates" or from "Control Panel" / "Users and Passwords" / "Advanced" / "Certificates") cannot be used.
To create a self-signed certificate
- See Internet Information Services (IIS) Server Certificate Installation Instructions (http://go.microsoft.com/fwlink/?LinkID=92669).
To import self-signed certificates into DPMBackupStore using Makecert.exe
Type the following command:
Makecert.exe -r -n "CN=MyCertificate" -ss DPMBackupStore -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -e <expiry date in mm/dd/yy format>
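
After running the command, you can check that the certificate is in the DPMBackupStore store of the local computer, that it is self-signed, and that its private key is present. The following PowerShell check is an added example and is not part of the original DPM documentation. The function name Test-DpmBackupCertificate and the 30-day warning threshold are assumptions made for illustration; the store name and subject are taken from the command above.

```powershell
# Added example: verify the certificate created by the Makecert.exe command.
# Test-DpmBackupCertificate is a hypothetical helper name, not a DPM cmdlet.
function Test-DpmBackupCertificate {
    param(
        [string]$StoreName = 'DPMBackupStore',   # value passed to -ss
        [string]$Subject   = 'CN=MyCertificate', # value passed to -n
        [int]$WarnDays     = 30                  # assumed warning threshold
    )

    # -sr localmachine places the store under the computer account.
    $storePath = "Cert:\LocalMachine\$StoreName"
    if (-not (Test-Path $storePath)) {
        Write-Error "Store $storePath not found on this computer."
        return
    }

    $certs = @(Get-ChildItem $storePath | Where-Object { $_.Subject -eq $Subject })
    if ($certs.Count -eq 0) {
        Write-Error "No certificate with subject '$Subject' in $storePath."
        return
    }

    foreach ($cert in $certs) {
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        # A certificate without its private key cannot be used to decrypt data.
        if (-not $cert.HasPrivateKey)     { $status = 'NO PRIVATE KEY' }
        elseif ($daysLeft -lt 0)          { $status = 'EXPIRED' }
        elseif ($daysLeft -lt $WarnDays)  { $status = 'EXPIRING SOON' }
        else                              { $status = 'OK' }

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)  # expected with -r
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter                    # set by -e
            DaysLeft      = $daysLeft
            Status        = $status
        }
    }
}

Test-DpmBackupCertificate | Format-List
```

Run the check from an elevated PowerShell session on the computer where Makecert.exe was run.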