Applies To: Windows Small Business Server 2011 Standard
You can use certificates to help protect your network by encrypting the data that is flowing between your network and the Internet. The certificate is used to configure the Secure Sockets Layer (SSL), which helps secure communications between a Web browser and your Web server.
A self-signed certificate is created during installation, and it is renewed when you run the Internet Address Management Wizard and provide the domain name. The domain name is the same domain name that people use to access their email or your internal website.
A root certificate is created by using the internal domain name that you supply during Windows SBS 2011 Standard installation. The root certificate is stored in the certification authority (CA). The CA, by default, uses a Group Policy object (GPO) to distribute the root certificate to all of the client computers that are joined to the domain. The CA does this because the root certificate is not trusted by default.
The root certificate must be distributed to the client computers that access content on the server through an SSL connection. Some of these computers are internal to the domain (also called "domain clients"), and some of them are external (such as home computers).
If a user installs the certificate on a client computer that is not joined to the domain, such as a home computer, it is strongly recommended that they use the certificate installation package. If they use a Web browser to install the certificate, their computer may be vulnerable to an attack. To adhere to best security practices, the user should use a trusted source to install the certificate on their remote computer, such as an external storage device.
Certificates from a commercial certification authority
You can also use a certificate that is signed by a commercial certification authority (CA), also known as a trusted certificate. All of the registrar partners who work with Microsoft sell trusted certificates for installation on Windows SBS 2011 Standard.
The Add a Trusted Certificate Wizard helps you request a trusted certificate from a certification authority, and then install the trusted certificate when you receive it. Some certification authorities make the trusted certificate available immediately, while others validate the information with the user offline before they provide the trusted certificate.