How to install a certificate on a Microsoft ISA Server

Note: This article assumes that you have already requested and installed a certificate on your Web server.

Computer A – the Web server
Computer B – the ISA Server
To set up ISA Server to host Web sites by using the SSL protocol, you must export the SSL certificate of the Web site with the associated key. If you do not have this key, you cannot use this certificate for SSL with ISA Server.

Export your Entrust SSL Server Certificate from IIS 5.0 – Performed on Computer A (Web server)

Step 1: Performed on Computer A

The Certificates snap-in utility must be added first.

Snap-In Configuration:

Open the Management Console (MMC) and add the Certificates snap-in:

Click Start, and then click Run.
Type in “MMC” (without the quotation marks) and click OK.
Click Console in the new MMC you created, and then click Add/Remove Snap-in.
In the new window that appears, click Add.
Highlight Certificates, and then click Add.
Choose the Computer account option and click Next.
Select Local Computer on the next screen, and then click Finish.
Click Close, and then click OK.

Step 2: Performed on Computer A

Exporting your keypair (private and public keys):

From the MMC console opened in the above steps:
Expand the ‘Certificates’ tree in the left preview panel
Expand the ‘Personal’ tree in the left preview panel and highlight ‘Certificates’
Select and right-click your certificate in the right preview panel
Select All Tasks/Export – The Certificate Export Wizard appears
Select Next to continue.
Select ‘Yes, export the private key’
Select Next to continue.
Ensure ‘Enable Strong Protection’ is checked, click Next
Supply and confirm a password for your keypair backup.

N.B. It is very important that you remember this password. If you forget it, you will not be able to gain access to your Private Key.

Supply a file name and location for your keypair backup. This will create a PFX file.

N.B. Store your PFX keypair backup on some form of removable media to ensure it is not lost.

Select Next to continue.
Select Finish.
Select OK to complete the Export.
You have successfully backed up your keypair (private and public key).

NOTE: If you do not have the option to click Yes in the Export Private Keys window, the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on ISA Server. You must request a new certificate for this site for ISA Server.

Finally, copy the PFX file that you created to ISA Server.

Install the Certificate to ISA – Performed on Computer B (ISA Server)

The Certificates snap-in utility must be installed. See Step 1 for Snap-In Configuration.

From the MMC console opened in the above process:
Expand the ‘Certificates’ tree in the left preview panel
Right-click ‘Personal’
Select All Tasks/Import – The Certificate Import Wizard appears.
Select Next to continue.
Browse to and select your PFX keypair file.
Select Next to continue.

Supply the password which was provided during the creation of the PFX keypair file.
N.B. Be sure the ‘Mark the key as exportable’ option is selected if you want to be able to export the key pair again from this computer. As an added security measure, you may want to leave this option unchecked to ensure that no one can make a backup of your private key.

Select Next to continue.
Select Next to continue.
Select Finish.
Select OK to complete the Import.
You have successfully imported your PFX keypair into the Windows certificate store.

Examine the Intended Purposes field of the certificate. If this field is set to All instead of listing specific purposes, you must perform the following steps before ISA Server can recognize the certificate:

  1. In the Certificate Services snap-in, open the Properties dialog box of the relevant certificate.
  2. Change the Enable all purposes for this certificate option to the Enable only the following purposes option, select all the items, and then click Apply.
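
The two conditions this article places on the certificate (the PFX must contain the private key, and the Intended Purposes field must list specific purposes rather than All) can also be checked from PowerShell. The following is an added example, not part of the original article; the function name Test-PfxForIsa and the file path in the usage comment are hypothetical, and it assumes Windows PowerShell is available on the computer where the PFX is checked.

```powershell
# Added example, not from the original article. Test-PfxForIsa is a
# hypothetical helper name; the usage path below is a placeholder.
function Test-PfxForIsa {
    param(
        [Parameter(Mandatory=$true)] [string] $PfxPath,
        [Parameter(Mandatory=$true)] [System.Security.SecureString] $Password
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication purpose

    # Open the PFX with its password; nothing is added to a certificate store.
    $fullPath = (Resolve-Path $PfxPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $fullPath, $Password

    # Read the Enhanced Key Usage (EKU) extension inside the certificate.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $report = New-Object PSObject -Property @{
        Subject         = $cert.Subject
        NotAfter        = $cert.NotAfter
        Expired         = ($cert.NotAfter -lt (Get-Date))
        # False means the file cannot be used for SSL on ISA Server.
        HasPrivateKey   = $cert.HasPrivateKey
        # No EKU extension: Windows displays Intended Purposes as All, so the
        # "Enable only the following purposes" change is needed after import.
        PurposesShowAll = ($oids.Count -eq 0)
        HasServerAuth   = ($oids -contains $serverAuthOid)
    }

    $cert.Reset()   # release the certificate and key handle
    return $report
}

# Usage (path is a placeholder for the file created in Step 2):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Test-PfxForIsa -PfxPath 'C:\path\to\keypair.pfx' -Password $pw
```

The script reads only the EKU extension stored inside the certificate, so purposes changed afterwards through the certificate's Properties dialog box are not reflected in its output.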

Configure the Certificate in ISA – Performed on Computer B

Open the ISA Manager and complete the SSL installation:

  1. Right-click the server that is going to accept the incoming connection, and then click Properties.
  2. Click the Incoming Web Requests tab.
  3. Click the Internet Protocol (IP) address entry for the site that you are going to host, or the all IP addresses entry if you do not have individual IP addresses set up.
  4. Click Edit.
  5. Click to select the Use a server certificate to authenticate to web users check box.
  6. Click Select.
  7. Select your previously imported certificate.
  8. Click OK.
  9. Click to select the Enable SSL listeners check box.
  10. Expand the Publishing folder, and then click Web Publishing Rules.
  11. Double-click the Web publishing rule that will route the SSL traffic.
  12. On the Bridging tab, locate Redirect SSL requests as, and then select HTTP requests (terminate the secure channel at the proxy).
  13. Click OK.
  14. Restart ISA Server.

Thanks

Manish Kumar