How to Install a new Certificate on ISA 2004

Thursday, January 15, 2009

If you use ISA 2004 to secure an SSL-enabled website such as Outlook Web Access (OWA), you need to install a web listener in ISA. This web listener intercepts (listens) for SSL web traffic destined for the HTTPS server.

Usually, you'll set this up when you configure your ISA server, but eventually the certificate you installed will expire and need to be replaced. This post describes how to do this.

In a nutshell, you have to install the certificate on the OWA server, configure IIS to use it, and then export it with the private key as a PFX file. Then you import the PFX file to the Personal store for the local computer on ISA. Just follow the bouncing ball...

First, you need to request and order a new SSL certificate. This can be done several ways, but usually ends with you getting an email from the certificate authority (i.e., Verisign) with your new certificate. The certificate is in the format of:

-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----

You simply need to copy and paste the certificate into Notepad and save it as something like C:\Webmail.cer. Be careful to only save the text between the BEGIN and END CERTIFICATE statements (including the leading and trailing dashes).

Now you need to import the certificate into IIS on the web server. Again, there are several ways to do this depending on how you ordered your cert, but this should work everytime:

  • Click Start > Run and enter MMC
  • Click File > Add/Remove Snap-in and add the Certificates snap-in
  • Select Computer account > Next > Finish > OK
  • Now your should see Certificates MMC for the local computer, as shown here:
  • Expand Certificates (Local Computer) > Personal
  • Right-click Personal and select All Tasks > Import
  • Browse to the C:\Webmail.cer file you saved earlier
  • Click Next to store it in the Personal store and Finish to complete the import
  • Don't close the Certificates MMC yet. You'll need it later in this process.

Next, you need to tell IIS to us the new certificate.

  • Open IIS Manager and navigate to the Default Web Site that uses SSL
  • In IIS 6, view the properties of the web site and click the Directory Security tab. Then click Server Certificate, Next and Replace the Current Certificate. Select the new cert you imported and compete the wizard.
  • In IIS 7, click Bindings and edit HTTPS. Then select the new cert you imported and close the Site Bindings window and IIS Manager.

Now that IIS is using the new certificate on the OWA server, you need to export the cert and its private key to import on the ISA server.

  • Now go back to the Certificates MMC and click refresh on Certificates in the Personal store
  • Select the certificate you imported
  • Right-click the certificate and select All Tasks > Export
  • Click Next and choose Yes, export the private key
  • Click Next twice and enter a password for the exported file.
  • Complete the wizard, saving the PFX file in a temporary location
  • Copy the PFX file to your ISA 2004 server

Next, we import the certificate into ISA and configure the ISA listener.

  • On the ISA server, double-click the PFX file you exported
  • Follow the Certificate Import Wizard and place the file in the computer's Personal store
  • Now open the ISA Server Management Console
  • Select the Firewall Policy
  • Click the Toolbox tab on the right and expand Web Listeners
  • Double-click the web listener you want to update to edit it
  • Click the Preferences tab and click Select
  • Select the new certificate and close the listener properties
  • Apply the ISA changes

Finally, you're done!!!

3 comments:

  1. Excellent site, keep up the good work. I read a lot of blogs on a daily basis and for the most part, people lack substance but, I just wanted to make a quick comment to say I’m glad I found your blog. Thanks
    ==========
    Compare ISA

    ReplyDelete
  2. Great site, It is useful to me.Thank you.
    ------------------
    Personal ISA

    ReplyDelete
  3. We use a wildcard certificate on our ISA 2004 server. This one expired this week and we could not renew it so we had to replace it. I exported the new certificate from our webserver where we made the new certificate request.

    I have imported this new certificate in our ISA server following the procedure as described in your article. I modified the web listener pointing it to the new certificate. After applying the changes i removed the old (expired) certificate. I also rebooted the ISA server.

    When going to the OWA page I see the warming that there is a problemen with the certificate, looking at the details I see it's using the old (expired) certificate...

    Any clues what is going on??

    ReplyDelete

Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.