If you want to enable Anywhere Access on Windows Server 2012 (Essentials), Microsoft gives you several options to do so. Microsoft even offers to create a domain name for you under ...remoteacces.com, complete with a valid certificate.
In my case I wanted to reuse my existing dyndns domain and did not want to buy a certificate. The only people who access the site are me and my family, which means it is acceptable to install a self-signed domain certificate, or better the certificate of our own CA, on all of our machines/browsers.
OpenSSL
The first answer you find on the internet when you want to create your own certificates is "use OpenSSL". There are a lot of how-tos with completely different goals, and it is quite difficult to find out which of them apply to this case. For example, OpenSSL can create a certificate without any root authority (CA) behind it (e.g. http://www.faqforge.com/windows/use-openssl-on-windows/). The Anywhere Access wizard will not accept that kind of certificate. As far as I understand, you need to set up, publish and maintain a CA certificate (e.g. see http://www.werthmoeller.de/doc/microhowtos/openssl/) and then create a domain certificate that chains to that CA. To support the CA you also need a fair amount of infrastructure, for example for revoking compromised certificates and publishing the revocation list. At this point I gave up on OpenSSL.
Domain Certificate
Fortunately, Microsoft has already done the CA work with its own toolset: your Windows Server already runs a certification authority (Active Directory Certificate Services). You administer it with the Certification Authority console (certsrv.msc); typing "certsrv" into the start menu search box opens it. Other programs, such as IIS, build on this infrastructure.
To create the domain certificate you need the IIS Manager:
1. Open the Internet Information Services (IIS) Manager.
2. Select your server.
3. On the start page select "Server Certificates".
4. In the Actions pane select "Create Domain Certificate...".
5. In the first field (Common name) enter your (dyndns) domain name.
6. Select your own server as the online certification authority and save the certificate with a meaningful friendly name.
Now we have a domain certificate issued by our server's own CA. Strictly speaking it is not self-signed: the CA signed it, and the server trusts it because it trusts its own CA. Nobody else in the world does, which is what the client part of this how-to fixes.
7. Now export the certificate to make it available to the Anywhere Access wizard. Select it in the "Server Certificates" list and click "Export..." in the Actions pane. Do not use an empty password when exporting; the wizard will not accept that. The exported .pfx file contains the private key, so keep it somewhere safe and delete it once the wizard has imported it.
If you have a valid (dyndns) domain, you now have everything you need for the Anywhere Access wizard.
Anywhere Access Wizard
8. Click through the wizard and enter the domain name that you entered when creating the certificate. The wizard tests whether the domain name can be resolved via DNS.
9. Select manual domain setup. Leave the domain prefix empty and choose "use an existing SSL certificate".
10. Now select the exported certificate and enter the password that you used when exporting it.
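The same server-side procedure as a script, added here as an example and not part of the original post: it requests the domain certificate from the server's own CA, runs the checks you would want before handing it to the wizard, and exports both the PFX for the wizard and the public CA certificate for the clients. It assumes the CA on this server is an enterprise CA with the built-in "WebServer" template published, that it runs elevated, and the names and paths below are placeholders.

```powershell
# Added example, not part of the original post: request a web server
# certificate from the server's own Certification Authority and export it as
# a password-protected PFX for the Anywhere Access wizard, plus the CA
# certificate for the clients. Assumptions (placeholders, adjust to taste):
# the CA on this server is an enterprise CA with the built-in "WebServer"
# template published, the script runs elevated, and the names/paths below.

$PublicName   = 'myhome.dyndns.org'          # the (dyndns) name you entered as CN
$InternalName = 'myserver'                   # short intranet name, covered as well
$PfxPath      = 'C:\certs\anywhereaccess.pfx'
$CaCerPath    = 'C:\certs\myserver-ca.cer'

# The wizard rejects a PFX exported with an empty password, so ask for one.
$PfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString

# 1. Enrol against the CA. This is what IIS "Create Domain Certificate" does
#    behind the scenes; -DnsName adds a Subject Alternative Name for both names
#    so https://myserver and https://myhome.dyndns.org validate without warning.
$result = Get-Certificate -Template WebServer `
                          -SubjectName "CN=$PublicName" `
                          -DnsName $PublicName, $InternalName `
                          -CertStoreLocation Cert:\LocalMachine\My

if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete, status: $($result.Status)"
}
$cert = $result.Certificate

# 2. Checks worth doing before handing the certificate to the wizard.
if (-not $cert.HasPrivateKey) {
    throw 'The certificate has no private key in the machine store.'
}
if ($cert.Subject -eq $cert.Issuer) {
    throw 'The certificate is self-signed; the wizard needs one issued by a CA.'
}
"Subject   : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"Thumbprint: $($cert.Thumbprint)   valid until $($cert.NotAfter)"

# 3. Export the leaf certificate WITH its private key for the wizard.
#    Treat the PFX like a password: delete it once the wizard has imported it.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null

# 4. Export the CA certificate (public part only) for the clients. Walk the
#    chain up to the root instead of guessing which store the CA lives in.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "The server itself cannot validate the chain: $status"
}
$caCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Export-Certificate -Cert $caCert -FilePath $CaCerPath -Type CERT | Out-Null

"CA certificate for the clients: $CaCerPath"
"Verify this thumbprint on each client before trusting it: $($caCert.Thumbprint)"
```

The thumbprint printed at the end is the value to compare on every client before importing the CA certificate: a root certificate can vouch for any site, so it is the one file you should never accept from a network share without checking it.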
Serverside done. Now the clients.
Internet Explorer
For Internet Explorer this is easy on all clients that are already connected to the server: the CA certificate is already known there. To prove that:
1. Start Internet Explorer.
2. Select "Internet Options", "Content", "Certificates", "Intermediate Certification Authorities".
3. You should find your server listed as a certification authority here.
This means that the certificate used by our domain can be validated against this certification authority.
To make the CA certificate available to other browsers, like Firefox, you can either export it from Internet Explorer or use the CertEnroll share on your server.
Variant a) Export from Internet Explorer
i) Select your server's certificate in the Internet Explorer dialog we just opened and click "Export...".
ii) Click through the wizard and save the .cer file (e.g. on a network share). Only the public certificate is exported here, which is all a client needs.
Variant b) Use the CertEnroll share
The CA publishes its own certificate (a .crt file) and its revocation list to the share \\<myservername>\CertEnroll; the certificate file there is the one to import on the clients.
Firefox
6. Open the Options dialog.
7. Select "Advanced", "Encryption", "View Certificates", "Servers".
8. Click "Import" and import the certificate from the CertEnroll share, or the one we exported from Internet Explorer. Note that imported certificates are not trusted by default, so we have to decide whether we trust the certificate, which we obviously can here, because we created it ourselves and fetched it from our own server.
9. Select the imported certificate and click "Edit Trust...".
10. Select "Trust the authenticity of this certificate".
11. "Edit CA Trust" > tick at least "This certificate can identify websites". Leave the other purposes (mail users, software makers) unticked unless you need them; a CA should only be trusted for what it is actually used for.
Firefox will now validate certificates against our Windows Server CA. To prove that it works, enter the web address of your dyndns domain in Firefox. Firefox should now validate our domain certificate against our server's CA certificate, and there must be no warning.
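The client side as a script, added here as an example and not part of the original post: it imports the CA certificate into the Windows machine-wide trusted root store (which is what Internet Explorer and other browsers that use the Windows store consult; Firefox keeps its own store unless its security.enterprise_roots.enabled preference is set) only after checking its thumbprint, and then performs the same validation a browser does, name check and revocation lookup included, so you see exactly why a warning would appear. The CA file path, the host name and the expected thumbprint are placeholders.

```powershell
# Added example, not part of the original post: trust the server's CA on a
# Windows client and then verify that the published site actually chains to
# it, including the hostname check and a revocation lookup. Assumptions: the
# CA certificate was copied from the server (CertEnroll share or IE export)
# to the path below; names and the expected thumbprint are placeholders.

$CaCerPath          = '\\myserver\CertEnroll\myserver-ca.crt'
$PublicName         = 'myhome.dyndns.org'
$ExpectedThumbprint = 'PASTE-THE-THUMBPRINT-READ-OFF-THE-SERVER-HERE'

# 1. Import the CA certificate into the machine-wide Trusted Root store.
#    A root certificate can vouch for ANY site, so compare the thumbprint with
#    the value read off the server before trusting a file from a share.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCerPath)
if ($ca.Thumbprint -ne $ExpectedThumbprint) {
    throw "CA thumbprint $($ca.Thumbprint) does not match the expected value; not importing."
}
Import-Certificate -FilePath $CaCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
"Trusted CA: $($ca.Subject)"

# 2. Connect, grab the leaf certificate and validate it the way a browser would.
function Test-SiteCertificate {
    param([string]$HostName, [int]$Port = 443)

    $script:policyErrors = $null
    # The callback records what .NET thinks of the certificate and returns $true
    # so the handshake completes; we report the verdict instead of hiding it.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:policyErrors = $sslPolicyErrors
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # Build the chain again with an online revocation check. If the CRL the CA
    # publishes is not reachable from this network, this is where it shows up
    # (RevocationStatusUnknown / OfflineRevocation in ChainStatus).
    $x509Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $x509Chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $x509Chain.Build($leaf)

    [pscustomobject]@{
        Host         = $HostName
        Subject      = $leaf.Subject
        Issuer       = $leaf.Issuer
        Root         = $x509Chain.ChainElements[$x509Chain.ChainElements.Count - 1].Certificate.Subject
        PolicyErrors = $script:policyErrors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors
        ChainValid   = $chainOk
        ChainStatus  = ($x509Chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-SiteCertificate -HostName $PublicName | Format-List
```

PolicyErrors of "None" together with ChainValid = True is the condition under which a browser shows no warning; RemoteCertificateNameMismatch means the name you typed is not in the certificate (the intranet short name is the usual culprit), and RemoteCertificateChainErrors means the CA import did not take effect for this user or machine.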
Notes
Note that you can now issue or revoke certificates with the certsrv console without touching the clients/browsers again, because they trust the CA of our server rather than the individual certificate. A revocation only reaches a browser once it can download the certificate revocation list (CRL) from the distribution point named in the certificate, so a client on the internet must be able to reach that URL, and the CRL itself has a validity period.
You should be able to use https from outside via
https://<myfullyqualifieddnsname> and in the intranet via
https://<myservername> at the same time, provided both names are covered by the certificate; otherwise the browser warns about a name mismatch for the name that is missing.
Backup
It is important to have a good image-based server backup. If the server disk dies, all keys and certificates are lost and cannot be recreated, and every client would have to be taught to trust a new CA. The certsrv console ("All Tasks" > "Back up CA...") can export the CA database and the CA's private key to a password-protected file. Anyone who holds that key can issue certificates that all of our machines trust, so keep that backup off the server and protect it like a password. If you cannot rebuild the server, e.g. because you cannot get the appropriate hardware anymore, it is good to have that information backed up.
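The two housekeeping tasks from the Notes and Backup sections as a script, added here as an example and not part of the original post: revoking a certificate and making the revocation visible to clients, and backing up the CA including its private key. It uses the built-in certutil.exe and the ADCSAdministration module that ships with the AD CS role; the subject name, the paths and the assumption that the old certificate still sits in the server's machine store are placeholders for illustration.

```powershell
# Added example, not part of the original post: the two CA housekeeping tasks
# mentioned in the text, revoking a certificate (and making the revocation
# visible to clients) and backing up the CA including its private key. Uses
# the built-in certutil.exe and the ADCSAdministration module that ships with
# the AD CS role. Assumptions: run elevated on the server; subject name and
# paths are placeholders; the old certificate is still in the machine store.

Import-Module ADCSAdministration

# --- Revocation ------------------------------------------------------------
# The serial number can also be read from certsrv > Issued Certificates.
$oldSubject = 'CN=old.dyndns.org'
$old = Get-ChildItem Cert:\LocalMachine\My |
       Where-Object { $_.Subject -eq $oldSubject } |
       Select-Object -First 1
if ($old) {
    # certutil reason codes: 0 Unspecified, 1 KeyCompromise, 2 CACompromise,
    # 3 AffiliationChanged, 4 Superseded, 5 CessationOfOperation, 6 CertificateHold
    certutil -revoke $old.SerialNumber 1
    if ($LASTEXITCODE -ne 0) { throw 'certutil -revoke failed' }

    # Revoking only updates the CA database. Clients learn about it from the
    # CRL, so publish a fresh one right away instead of waiting for the schedule.
    certutil -crl
    if ($LASTEXITCODE -ne 0) { throw 'certutil -crl failed' }

    # A browser can only honour the revocation if the CRL distribution point
    # baked into the certificate is reachable from where the browser sits.
    # -urlfetch downloads the CRL from exactly that URL and reports the result,
    # so run this from the network segment the clients use.
    $tmp = Join-Path $env:TEMP 'revoked.cer'
    Export-Certificate -Cert $old -FilePath $tmp -Type CERT | Out-Null
    certutil -verify -urlfetch $tmp
    Remove-Item $tmp
}

# --- Backup ----------------------------------------------------------------
# Backup-CARoleService writes the CA database and a password-protected PKCS#12
# file containing the CA private key. Whoever holds that key can mint
# certificates every machine at home will trust, so store the bundle off the
# server (and off the same disk) and keep the password out of scripts.
$BackupDir      = 'D:\backup\ca'
$BackupPassword = Read-Host -Prompt 'CA backup password' -AsSecureString
Backup-CARoleService -Path $BackupDir -Password $BackupPassword -Force

# Restore on a rebuilt server with the AD CS role installed:
#   Restore-CARoleService -Path $BackupDir -Password $BackupPassword -Force
# The older equivalent of the backup is "certutil -backup D:\backup\ca",
# which prompts for the password interactively.
```

The restore path matters as much as the backup: only a server that gets the same CA key back can issue certificates the already-configured clients keep trusting, which is why an image backup alone is not enough if the image is unusable on new hardware.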
I am by no means a security expert. This is just what I found out by googling around. I wanted to put these lines down, because I did not find any similar how-tos. All kinds of comments are appreciated. Especially if you think that I have understood something wrong, please let me know.