Create a Personal Certificate for the local computer account for BEMS
Complete this task on each computer that hosts the
Connectservice. You can create one certificate to be used for all
- On the computer that hostsBEMS, open theMicrosoftManagement Console.
- ClickConsole Root.
- ClickFile > Add/Remove Snap-in.
- In theAvailable snap-inscolumn, clickCertificates. ClickAdd.
- In theCertificates snap-inwizard, selectComputer account. ClickNext.
- On theSelect Computerscreen, selectLocal computer.
- ClickFinish. ClickOK.
- In theMicrosoftManagement Console, expandCertificates (Local Computer).
- Right-clickPersonal, then clickAll Tasks > Request New Certificate.
- In theCertificate Enrollment wizard, clickNext. ClickNextagain.
- Select an appropriate web server template from the available templates.
- ClickDetailsto verify that the Server Authentication is displayed in the Application Policies section.
- In theApplication policiessection, verify thatServer Authenticationis listed. If Server Authentication is not listed, select a different web server template. Contact your CA administrator for more information about templates.
- ClickMore information is required to enroll for this certificate. Click here to configure settings.
- On theSubjecttab, in theSubject namesection, complete the following actions:
- Click theTypedrop-down list. SelectCommon Name.
- In theValuefield, type a valid FQDN such as a trusted application pool name (for example, CN=bemsapppool.example.com) that was recorded in step 3c of Prepare the initial computer hosting BEMS.
- In theAlternative namesection, add two values by completing the following actions:
- Click theTypedrop-down list. SelectDNS.
- In theValuefield, type the FQDN of the trusted application pool (for example, bemsapppool.example.com).
- In theValuefield, type the FQDN of aBEMSinstance that the certificate will be used for (for example, bemsserver01.example.com).
- Repeat steps d and e for eachBEMSinstance that the certificate will be used for (for example, bemsserver02.example.com, bemserver03.example.com, and so forth).
- Optionally, on theGeneraltab, specify a friendly name for the certificate. The name of the template is often the only way to distinguish its purpose and must be unique. This is important when deploying the final name of the issued certificate, which should always match the designated service name. For more information about using friendly names for certificates inConnectandPresence, see "Using friendly names for certificates in BlackBerry Connect" in the Connect configuration content and "Using friendly names for certificates in BlackBerry Presence" in the Presence configuration content.
- Click theGeneraltab.
- In theFriendly namefield, enter a name.
- On thePrivate Keytab, verify that the template allows the certificate to be exported with the private key.
- Click thePrivate Keytab.
- Click theKey optionsdrop-down list. Select theMake private key exportablecheck box.
- Grant the service account read access to the certificate.
- Right-click the certificate, and clickAll Tasks > Manage Private Keys.
- On theSecuritytab, add the service account.
- Export the certificate and the private key, then import the certificate to each of the other computers that host aBEMSinstance. For instructions, see Export the CA-signed certificate and private key from the Microsoft Management Console and Import the CA-signed certificate and private key to additional BEMS instances respectively.