Solved

Updating a wildcard certificate on TMG

Posted on 2012-03-20
Last Modified: 2012-03-25
We have one TMG server, which has a wildcard certificate installed; this is the main certificate for all our SSL services and used by the following web listeners:
1. Exchange Forms Based Authentication
2. Exchange integrated
3. SSTP VPN and
4. SharePoint Forms Based Authentication

The certificate will expire in a couple of months.

This is my understanding of how to replace an existing certificate with a new one on TMG:
* Buy a new certificate
* Import the certificate into IIS on the server and export it to a PFX file?
* Replace the old certificate on each listener with the new certificate.

A few questions:
1. To renew a certificate, does the old certificate always have to be replaced by a new certificate or is there a way to update the existing certificate with a new date?
2. Does the certificate automatically appear in TMG Listener>Properties>Certificates once it has been imported in IIS or does it need to be added to the Local Certificate store>Personal folder?
3. Is it necessary for me to create a PFX file at all? What's the purpose of a PFX file in the context of renewing certificates?
4. Are there any internal servers that I need to update the certificate on? As far as I can tell, TMG bridges the connection between internal servers and itself, i.e. issues its own internal certificate to encrypt all internal LAN traffic.

Thanks
Question by: mark-199
Expert Comment

by:Keith Alabaster
ID: 37743204
1. It gets replaced once it has been renewed via the new cert request.
2. No - and that is not where it goes either.
You import to the IIS - or whatever system you generated the CSR from. You then export this certificate including the private key. You then import the export file to the TMG cert store machine account, personal certs (remember to also import any intermediate certs your supplier may have provided). This can sometimes create a .pfx file but depends on options chosen during the request etc.
3. In TMG, you will need to edit any listeners that have used the existing certificate and replace it with the new certificate.
4. Only you can know this but the reasoning will be the same as in point 3... any server that has the old cert will need updating.
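The export-and-import step described in the comment above, written out as an added example (this is not code from the thread, from Microsoft, or from the TMG product). It exports the renewed certificate with its private key from the machine that processed the CSR to a PFX file, which is a PKCS#12 container holding the certificate and the key, and then imports that file plus the supplier's intermediate certificate into the TMG server's machine store so that the certificate shows up on the listener's Certificates tab. The thumbprint, file paths and password are placeholders, and the function names are this example's own. Only the Cert: drive and .NET X509 classes are used, so it runs under PowerShell 2.0 on Windows Server 2008 R2.

```powershell
# Added example, not from the thread or from Microsoft: move the renewed wildcard
# certificate and its private key from the server that processed the CSR (IIS here)
# to the TMG server's machine store, together with the supplier's intermediate cert.
# Thumbprint, paths and password below are placeholders.

# --- Step 1: run on the IIS / CSR server. Export cert + private key to a PFX (PKCS#12) file.
function Export-CertToPfx([string]$Thumbprint, [string]$PfxPath, [string]$PfxPassword) {
    $Thumbprint = $Thumbprint -replace '\s', ''          # the MMC shows the hash with spaces
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) {
        throw "No private key here: export from the machine that generated the CSR"
    }
    # Export() fails if the key was marked non-exportable when the CSR was created;
    # in that case the request has to be regenerated with an exportable key.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    return $PfxPath
}

# --- Step 2: run on the TMG server after copying the PFX and the intermediate .cer over.
function Import-PfxToMachineStore([string]$PfxPath, [string]$PfxPassword) {
    # MachineKeySet: the private key goes into the machine key container, which is what
    # the Firewall service reads; PersistKeySet keeps the key after this process exits.
    # Without these flags the key lands in the importing user's profile and the service
    # cannot use it. Exportable is left out on purpose: TMG never needs to export the key.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
    return $cert.Thumbprint      # identifies the new cert on the listener's Certificates tab
}

function Import-IntermediateCert([string]$CerPath) {
    # Supplier intermediates belong in Intermediate Certification Authorities ("CA"),
    # not in Personal; clients that do not already hold the intermediate otherwise see
    # an incomplete chain.
    $ca    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
    $store.Open('ReadWrite'); $store.Add($ca); $store.Close()
}

# Placeholder values; replace with your own.
$newThumbprint = 'REPLACE_WITH_THUMBPRINT_OF_NEW_CERT'
$pfxPath       = 'C:\certs\wildcard-renewed.pfx'
$pfxPassword   = 'REPLACE_WITH_STRONG_PASSWORD'

# On the IIS server:
# Export-CertToPfx $newThumbprint $pfxPath $pfxPassword
# On the TMG server:
# Import-IntermediateCert 'C:\certs\supplier-intermediate.cer'
# Import-PfxToMachineStore $pfxPath $pfxPassword
```

The PFX file carries the private key, so it should be copied over a trusted channel and deleted from both machines once the listener has been switched; the password only protects it in transit. After the import, the listener's Certificates tab lists everything in LocalMachine\My, which is why nothing has to be done in IIS on the TMG box itself.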

Author Comment

by:mark-199
ID: 37747342
Thanks

I will try this next week on our test system first.
One other question: what's the difference between a cheap "non-brand" SSL certificate and a "trusted brand" SSL certificate? Is the latter classed as a business certificate? If so, why? What are the extra features and benefits of a "trusted brand" certificate?
Accepted Solution

by: Keith Alabaster (earned 500 total points)
ID: 37747377
Not really.

The true major players are already included in the top level certificate chains and these are provided as part of the OS deployment - you can see those I mean, such as Verisign, if you look in the Certificates MMC snap-in.

The cheaper ones - GoDaddy for instance - are not included and they provide intermediate certificates that also need to be installed. Certificate revocation lists are not so easily managed by the cheaper options but, that said, as long as you know what you are doing the cheaper options are quite good on the whole.
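A check for the two points raised in the accepted solution, the intermediate chain and revocation lookups, added here as an example that is not part of the thread or of the TMG product. Run on the TMG server before the listeners are switched, it builds the chain for the new certificate exactly as Windows will, with online revocation checking for every link, and reports expiry, whether the machine store holds the private key, and any chain status such as a missing intermediate or an unreachable CRL. The thumbprint is a placeholder and the function name is this example's own.

```powershell
# Added example, not from the thread or from Microsoft: validate the renewed certificate
# in the TMG machine store before pointing any web listener at it. Thumbprint is a placeholder.
function Test-ListenerCertificate([string]$Thumbprint) {
    $Thumbprint = $Thumbprint -replace '\s', ''
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    $result = New-Object PSObject -Property @{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
        HasPrivateKey = $cert.HasPrivateKey   # a listener cannot serve a cert whose key is missing
        ChainValid    = $false
        ChainStatus   = @()
        ChainElements = @()
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation for the entire chain exercises the CRL/OCSP URLs the supplier
    # publishes, from the TMG box itself, which is where clients' TLS handshakes terminate.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    $result.ChainValid    = $chain.Build($cert)
    # Each status explains one failure: PartialChain, RevocationStatusUnknown, NotTimeValid, ...
    $result.ChainStatus   = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    # Leaf first, root last; a chain that stops before a root CA is missing an intermediate
    $result.ChainElements = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    return $result
}

$report = Test-ListenerCertificate 'REPLACE_WITH_THUMBPRINT_OF_NEW_CERT'
$report | Format-List Subject, NotAfter, DaysRemaining, HasPrivateKey, ChainValid
"Chain (leaf to root):"; $report.ChainElements
if (-not $report.ChainValid) { "Problems:"; $report.ChainStatus }
```

Two outcomes map directly onto the accepted solution: a `PartialChain` status means the supplier's intermediate has not been added to the Intermediate Certification Authorities store on this machine, and `RevocationStatusUnknown` or `OfflineRevocation` means the CRL could not be downloaded from the TMG server, which is worth fixing before clients start seeing the certificate since TMG's own outbound web access on the box is often restricted.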
Author Closing Comment

by:mark-199
ID: 37756640
Thanks for your informative answers. I think I now have enough information to do this in June. If there are any other issues, I will post it again.
Expert Comment

by:Keith Alabaster
ID: 37757026
No problem - we are always here :)