DPM supports two types of certificates to successfully encrypt data at a protection group level: self-signed certificates and certificates imported from a certification authority (CA). You can create a self-signed certificate using makecert.exe.

You should use a certificate store to securely store your certificates. The .snk files used by this tool store private keys in an unprotected manner. When you create or import a .snk file, you should be careful to secure it during use and remove it when you are done.

SSL server certificates for Internet Information Services (IIS) are stored in the "Personal" ("My") certificate store of the "computer account" ("localMachine"). The "Certificates" snap-in of the Microsoft Management Console (mmc.exe) must be used to manage these certificates. The certificate management window (accessible from "Internet Properties" / "Content" / "Certificates" or from "Control Panel" / "Users and Passwords" / "Advanced" / "Certificates") cannot be used.

To create a self-signed certificate

To import self-signed certificates into DPMBackupStore Using Makecert.exe

  • Type the following command

    Makecert.exe -r -n "CN=MyCertificate" -ss DPMBackupStore -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -e <expiry date in mm/dd/yyformat>

See Also