ISA 2000 - Certificate Installation
Immediately after being issued, your SSL certificate will be sent to you by email. It is also possible to download the certificate from the Control Panel. The file containing the certificate will have the same name as the domain name it is meant for (for example: www_sslcertificaten_nl.crt).
See also: http://support.microsoft.com/default.aspx?scid=kb;US;292569. We assume the certificate is already installed on the IIS server, as per the SSL certificate installation in Microsoft IIS manual.
Export Certificate and Private Key from IIS
- In IIS, start the MMC through Start → Run → type mmc.
- Go to the Console Tab → File → Add/Remove Snap-in.
- Choose Computer Account.
- Choose Local Computer.
- Close the Add Standalone Snap-in window.
- Click Ok in the Add/Remove Snap-in window.
- Open the Certificates Console Tree.
- Find the folder named Personal → Certificates.
- Select the certificate you want to back-up.
- Right-click the file and click All Tasks → Export.
- The Certificate Export Wizard will start. Click Ok.
- Choose export the private key and click Next.
- Keep the default settings and click Next.
- Choose a password to secure the backup and click Next.
- Save the file in a secure location. The backup has a .pfx extension.
- Click Finish.
- You will get a message stating The export was successful when the export is finished. Click Ok.
Import Certificate and Private Key on ISA server
- Copy the pfx file to the ISA server
- On the ISA server, open the MMC
- Go to Add the Certificate snap-in as previously explained.
- Click the Personal folder.
- Right/click All Tasks.
- Click Import.
- Click Next in the Import Wizard.
- Select the pfx file (which you have just copied to the ISA server).
- Enter the password that you specified when exporting the pfx file.
- Check the option Mark the private key as exportable.
- Set the import setting to Automatically and click Finish.
Install Root and Intermediate Certificates
- Open the MMC on the ISA server
- Click File and select Add/Remove Snap in.
- Select Add and select Certificates in the Add Standalone Snap-in box and click on Add.
- Select Computer Account and click Finish.
- Close the Add Standalone Snap-in box and click OK in the Add/Remove Snap in.
- Go back to the MMC
- Right-click Trusted Root Certification Authorities, select All Tasks and select Import.
- Click Next.
- Select the Root Certificate and click Next.
- Click Finish after the Wizard is finished.
- Right-click Intermediate Certification Authorities, select All Tasks and select Import.
- Select the Intermediate CA Certificates.
- Make sure the Root Certificate is under Trusted Root Certification Authorities and the Intermediate CA Certificate is under Intermediate Certification Authorities.
- Restart the server to finish the installation.
Recognize your certificate by ISA
- If there is a sub folder Certificates in the Personal folder, click Certificates and verify that a certificate is present with the name of the Web server.
- Right-click the certificate and click Properties.
- If the Intended Purposes field in the certificate is set to All and not to a list of specific purposes, the following steps must be followed to ensure the ISA server recognizes the certificate:
- In the Certificate Services snap-in, open the Properties of the relevant Certificate.
- Change the Enable all purposes option to Enable only the following purposes.
- Select All Items and then click Apply.
Finalize the installation of the SSL certificate
- Open the ISA Manager.
- Right-click the server that handles the incoming connections and click Properties.
- Click the Incoming Web Requests tab.
- Select the Internet Protocol (IP) for the site you will be hosting, or choose all IP addresses if the individual IP-adresses are not configured.
- Click Edit.
- Click Use a server certificate to authenticate to web users option.
- Click Select.
- Select the certificate you just imported.
- Click OK.
- Check the Enable SSL listeners option.
- Select Web Publishing Rules in the Publishing scroll menu.
- Double-click the Web Publishing Rule that routes your SSL traffic.
- On the Bridging tab, choose the Redirect SSL requests as: 'HTTP requests (terminate the secure channel at the proxy) option and click OK.
- Restart the ISA server. Make sure to restart the entire server; don't just do a service restart.
All necessary steps to install your web server certificate have now been completed. Please make sure to adequately secure your certificate files, and to store a backup of your private key and web server certificate in a safe location. You should also install the root and intermediate certificates. Check whether the certificate is correctly installed with the SSLCheck and ensure an optimal configuration with these tips and settings.
Please do not hesitate to contact us if you encounter problems or error messages.