Diagnostics Not Supported

Things I've taken time to work out, so you don't have to

Jun 25
2009

IE7 and IE8 - self signed SSL certificate not trusted?

Posted by: Tom Finnis

Tagged in: tips and tricks , servers , security , remote working , PCs , mobile , email

Although proper SSL certificates from providers such as Digicert and Verisign have become much cheaper nowadays, there are still many occasions when you might prefer to just use a self-signed certificate. One of the most common occurrences of this is with SBS server, to provide SSL-secured web services such as OWA and RPC over HTTP. However, the certificate warning you get every time you open the web site is annoying and may be confusing for less experienced users. In older versions of IE you could just install the certificate after viewing it, but with the improved security in IE7 and IE8 this no longer works. Whilst putting the URL in your "Trusted Sites" list will let you view and import the certificate, you will find it is still not properly trusted. The solution is to provide your users with the correct certificate file to install, but it's not obvious where you get this from...

 

Note that this problem doesn't usually occur if the computer you are using is a domain client, as it then automatically trusts the Domain Controller as a "Trusted Root CA". It's most inconvenient when you are trying to configure Outlook to use RPC over HTTP on a non-domain PC, such as a user's home PC running Vista Home Edition. When you try to connect you will probably see a "the security certificate is not from a trusted certificate authority" error.

To solve this problem you need to log on to your CA server (this will usually be your domain controller, or your SBS server) and open the Certificate Authority management console (Start - Admin Tools - Certificate Authority). You should see your server listed here, and if you expand "Issued Certificates" you should see the certificates for your web server, but these aren't the ones you want! Instead, right-click the server name in the left-hand pane and select "Properties".

 

In the new window that opens, on the "General" tab you should see a root certificate listed - this is the one that identifies your server as a CA - select this and then click "View Certificate". Now that you are here, check that the "Issued To" and "Issued By" names match the FQDN (public web URL) of your server; if you have the internal domain name instead then you'll have to reconfigure your CA from scratch. Next click the "Details" tab and then the "Copy to File" button. Save it to a suitable location; the default .CER format should do fine, although you may find you need to Zip it up to email it, as some mail clients view it as a dangerous extension type.

Now you need to install your new CA certificate on the client computer, so log on there and open Internet Explorer. Click the "Tools" menu (press the Alt key to reveal menus if you can't see them) and open "Internet Options", then select the "Content" tab and click "Publishers".

In the next window make sure "Trusted Root Certificate Authorities" is selected and click "Import" to start a wizard.

Follow the instructions and browse to where you saved your CA certificate, then make sure it has defaulted to importing into the trusted root authority folder. You should then get a security warning about installing the certificate; say yes and you should now see that your server is in the list of Trusted Root CAs.

Close all your open windows and close IE as well, then reopen IE and browse to your OWA or any other SSL protected site on your server - you should find you no longer get the warning, just the reassuring "trusted" padlock symbol. Now if you try connecting Outlook using RPC over HTTP (Outlook Anywhere) you should find the error message no longer appears.
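The client-side checks and import described above can also be scripted. The following PowerShell is an added example, not part of the original post: it refuses to import the file unless it is a self-signed CA certificate whose name matches the public FQDN and whose thumbprint matches the one shown on the "Details" tab on the CA server. The three parameters are assumptions supplied by the admin, with the thumbprint passed to the user separately from the emailed file.

```powershell
# Added example, not from the original post. All parameter values are supplied by
# the admin: the exported .CER file, the thumbprint read from the certificate's
# "Details" tab on the CA server, and the server's public FQDN.
param(
    [Parameter(Mandatory = $true)][string]$CerPath,
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint,
    [Parameter(Mandatory = $true)][string]$PublicFqdn
)
$ErrorActionPreference = 'Stop'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $CerPath).ProviderPath
$problems = @()

# A CA root is self-signed: "Issued To" equals "Issued By". A web server
# certificate taken from "Issued Certificates" fails this check.
if ($cert.Subject -ne $cert.Issuer) {
    $problems += 'Subject and issuer differ: this is not the CA root certificate.'
}

# The basic constraints extension must mark the certificate as a CA.
$bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    $problems += 'Certificate is not marked as a CA (basic constraints).'
}

# "Issued To" should be the public FQDN; with the self-signed check above this
# covers "Issued By" as well.
$issuedTo = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($issuedTo -ne $PublicFqdn) {
    $problems += "Issued To is '$issuedTo', expected '$PublicFqdn'."
}

# Strip spaces and any invisible characters pasted along with the thumbprint.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    $problems += "Thumbprint is $($cert.Thumbprint), which does not match the expected value."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Refusing to import $CerPath into Trusted Root Certification Authorities."
}

# Same destination as the IE import wizard: the current user's Trusted Root store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'CurrentUser'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try { $store.Add($cert) } finally { $store.Close() }
"Imported '$issuedTo' ($($cert.Thumbprint)) into the current user's Trusted Root store."
```

Adding to the current user's root store still raises the Windows security warning mentioned above, so the user confirms the installation either way.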

 
