Friday, October 15, 2010

Renew or replace ISA 2006 SSL certificate for CSS in workgroup

Even though ISA 2006 feels old these days, there are still a lot of people running it.  It works, it is stable, and it typically costs money to go to the latest version (TMG or UAG).  Every so often, I run across ISA arrays in a workgroup.  The configuration is slightly different from a domain-based ISA array and requires a little more maintenance.

One common issue is renewing (typically replacing) the SSL certificate that the Configuration Storage Server (CSS) uses in workgroup mode.  The process isn't as straightforward as it should be, and I've run into customers who don't even realize that there is an SSL certificate for the CSS (until ISA stops accepting configuration changes or other issues crop up).

Richard Hicks has an overview of the process which got me thinking about putting a bit more detail out there (much of this information is available elsewhere, but typically spread across multiple sites).

First, see Richard's post:
http://tmgblog.richardhicks.com/2009/03/05/isa-server-2006-workgroup-deployment-certificate-renewal/

I added a few comments (awaiting moderation as of right now) earlier this evening.  Basically, a few details that you might find handy:

1.  A lot of people struggle with obtaining the .PFX file.  GoDaddy and other public CAs typically deliver a .CRT file, which holds only the public certificate.  ISACertTool needs the private key as well, and that key exists only on the machine that generated the certificate request.  So complete the pending request on the original IIS server (this binds the .CRT to its private key in the machine's certificate store), then export the certificate from the Certificates MMC, answering "Yes, export the private key" in the wizard; that gets you the required .PFX file.  While you are there, also tick "Include all certificates in the certification path if possible" so that any intermediate CA certificate travels with it.  If the private-key option is greyed out, the key was generated as non-exportable and you will need to submit a new request.

2.  ISACertTool isn't really installed; it is extracted.  Extract it into the program directory where ISA is installed (the default is C:\Program Files\Microsoft ISA Server).  Extracted anywhere else, the tool complains about a missing .DLL when you run it.

3.  To simplify the procedure, copy your .PFX file to the same directory (C:\Program Files\Microsoft ISA Server).  Then, you won't have to specify a path when you use the /st switch.

4.  If you are using a public CA (as is typical with ISA implementations), you won't need to worry about the root CA certificate in most cases, since the common public roots ship with the Windows operating system.  Do check the full chain, though: if the CA signs from an intermediate, the array members must have that intermediate as well, either inside the .PFX (the export wizard's "Include all certificates in the certification path" option) or installed on them separately.  Some might argue that you can use an internal certificate (or generate one from an internal CA), but at $17.95 a year there are benefits to the public CA (centralized management of all ISA certificates, not just external certificates, is one example).  I typically opt for the public CA.

Finally... it is important to test and verify... BUT... if your old cert isn't expired, how do you verify now?  The best way I've found is to launch the Certificates MMC for a service account on the local computer (the ISA CSS) and pick ISASTGCTRL (the ISA Configuration Storage service).  The old and the new certificate should both be listed in that service's Personal store, which indicates a successful installation.  Of course, ISACertTool should give you a success message too.  Then, add a reminder to your calendar for the day after the old cert expires: run through additional testing and clean up the old cert (delete it from Certificates, etc.).
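Putting points 2 through 4 and the verification step together, here is an added PowerShell example to run on the CSS itself.  It is not code from Richard's post or from Microsoft, and it makes several assumptions that are labelled in the comments: the default ISA install path, a hypothetical PFX file name (css-renewal.pfx), ISACertTool's /pswd switch (the post only mentions /st), and certutil's "-service -store ISASTGCTRL\MY" form for reading the service-account store.  Confirm both switches against ISACertTool /? and certutil -? before relying on them.

```powershell
# Added example (not from the post): replace the CSS certificate and verify it without
# waiting for the old one to expire. Assumed names are marked as such.

$IsaDir      = 'C:\Program Files\Microsoft ISA Server'   # default install path (point 2)
$PfxName     = 'css-renewal.pfx'                          # hypothetical name, already copied into $IsaDir (point 3)
$PfxPassword = Read-Host 'Password used when the PFX was exported'
$Tool        = Join-Path $IsaDir 'ISACertTool.exe'
$PfxFile     = Join-Path $IsaDir $PfxName

# Preconditions: the tool must be extracted into the ISA directory (it needs a DLL that
# lives there) and the PFX must sit beside it so /st can take a bare file name.
foreach ($f in $Tool, $PfxFile) {
    if (-not (Test-Path $f)) { throw "Not found: $f (see points 2 and 3)" }
}

# Read the new certificate out of the PFX first. A CRT-only export carries no private key
# and ISACertTool cannot use it, so fail here rather than after a half-done install.
$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$new.Import($PfxFile, $PfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
if (-not $new.HasPrivateKey) {
    throw 'PFX has no private key - re-export from the IIS server with "Yes, export the private key"'
}
Write-Host ("New CSS certificate: {0}  expires {1}  thumbprint {2}" -f $new.Subject, $new.NotAfter, $new.Thumbprint)

# Install on the CSS. /st is the storage-server switch from the post; /pswd is assumed to
# be the PFX password switch. Run from $IsaDir so the bare file name works.
Push-Location $IsaDir
& $Tool /st $PfxName /pswd $PfxPassword
$rc = $LASTEXITCODE
Pop-Location
if ($rc -ne 0) { throw "ISACertTool exited with code $rc" }

# Verify: the service-account store of ISASTGCTRL (what the Certificates MMC shows under
# "Service account") must now list the new thumbprint. The "-service -store Service\MY"
# form is assumed; certutil prints the SHA1 hash with spaces between bytes, so compare
# against a space-stripped copy of the listing.
$store = certutil -service -store 'ISASTGCTRL\MY' 2>&1 | Out-String
if (($store -replace ' ', '') -notmatch $new.Thumbprint) {
    throw "New certificate is not in the ISASTGCTRL store - installation did not take:`n$store"
}

# Old and new certificates are expected side by side until the old one expires. Pull every
# NotAfter date from the listing; the earliest belongs to the outgoing certificate, and the
# calendar reminder goes on the day after it.
$expiries = [regex]::Matches($store, 'NotAfter:([^\r\n]+)') |
    ForEach-Object { [datetime]::Parse($_.Groups[1].Value.Trim()) } | Sort-Object
$reminder = ($expiries | Select-Object -First 1).AddDays(1)
Write-Host "Certificates in ISASTGCTRL\MY expire on: $($expiries -join ', ')"
Write-Host "Calendar reminder for final testing and removal of the old cert: $($reminder.ToShortDateString())"
```

The thumbprint check is the scripted equivalent of looking for the new certificate in the MMC; if it fails, the raw certutil listing is included in the error so you can see whether the store was empty, the command form was wrong, or the tool silently installed nothing.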
