Solved

Updating a wildcard certificate on TMG

Posted on 2012-03-20
3,030 Views
Last Modified: 2012-03-25
We have one TMG server, which has a wildcard certificate installed; this is the main certificate for all our SSL services and used by the following web listeners:
1. Exchange Forms Based Authentication
2. Exchange integrated
3. SSTP VPN and
4. SharePoint Forms Based Authentication

The certificate will expire in a couple of months.

This is my understanding of how to replace an existing certificate with a new one on TMG:
* Buy a new certificate
* Import the certificate into IIS on the server and export it to a PFX file??
* Replace the old certificate on each listener with the new certificate.


A few questions:
1. To renew a certificate, does the old certificate always have to be replaced by a new certificate or is there a way to update the existing certificate with a new date?
2. Does the certificate automatically appear in TMG Listener>Properties>Certificates once it has been imported in IIS or does it need to be added to the Local Certificate store>Personal folder?
3. Is it necessary for me to create a PFX file at all? What's the purpose of a PFX file in the context of renewing certificates?
4. Are there any internal servers that I need to update the certificate on? As far as I can tell, TMG bridges the connection between internal servers and itself, i.e. it issues its own internal certificate to encrypt all internal LAN traffic.

Thanks
Question by:mark-199
5 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37743204
1. It gets replaced once it has been renewed via the new cert request.
2. No - and that is not where it goes either.
You import to the IIS - or whatever system you generated the CSR from. You then export this certificate including the private key. You then import the export file to the TMG cert store machine account, personal certs (remember to also import any intermediate certs your supplier may have provided). This can sometimes create a .pfx file but depends on options chosen during the request etc.
3. In TMG, you will need to edit any listeners that have used the existing certificate and replace it with the new certificate.
4. Only you can know this but the reasoning will be the same as in point 3... any server that has the old cert will need updating.
 

Author Comment

by:mark-199
ID: 37747342
Thanks

I will try this next week on our test system first.
One other question: what's the difference between a cheap "non-brand" SSL certificate and a "trusted brand" SSL certificate? Is the latter classed as a business certificate? If so, why? What are the extra features and benefits of a "trusted brand" certificate?
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 37747377
Not really.

The true major players are already included in the top level certificate chains and these are provided as part of the OS deployment - you can see those I mean, such as Verisign, if you look in the Certificates mmc snap-in.

The cheaper ones - GoDaddy for instance - are not included and they provide intermediate certificates that also need to be installed. Certificate revocation lists are not so easily managed by the cheaper options but, that said, as long as you know what you are doing the cheaper options are quite good on the whole.
 
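The two expert replies above describe the whole renewal path: export the renewed certificate with its private key from the box that generated the CSR, import it into the TMG machine account's Personal store together with any intermediate certificates the supplier provided, then repoint each listener. The script below is an added example, not code from the thread or from Microsoft; it checks the renewed certificate before export (private key present, chain builds without a missing intermediate), exports it to a PFX, imports that PFX on the TMG side, and lists certificates about to expire so you can find where the old one still lives (question 4). It uses the .NET X509 classes rather than the PKI module cmdlets (Export-PfxCertificate and friends), because those cmdlets are not present on Windows Server 2008 R2, the platform TMG 2010 runs on. The wildcard name `*.example.com`, the PFX path and the 60-day window are placeholders.

```powershell
# Added example (not from the original thread). Checks a renewed certificate in
# LocalMachine\My, builds its chain to expose missing intermediates, exports it
# with its private key to a PFX, and imports that PFX into the machine store on TMG.
# .NET X509 classes are used instead of the PKI module, which Server 2008 R2 lacks.
# "*.example.com", the file path and the 60-day window are placeholders.

function Get-RenewedCertificate {
    # Newest certificate with a private key whose CN is the wildcard name.
    # After a renewal the old and new certificates sit side by side in the store.
    param([string]$CommonName)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", "LocalMachine"
    $store.Open("ReadOnly")
    try {
        $store.Certificates |
            Where-Object {
                $_.HasPrivateKey -and
                $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false) -eq $CommonName
            } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    } finally { $store.Close() }
}

function Test-CertificateChain {
    # Builds the chain the way a client would. A PartialChain status means an
    # intermediate certificate is missing from LocalMachine\CA on this machine.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"   # structure only; no CRL download
    $built = $chain.Build($Cert)
    foreach ($el in $chain.ChainElements) {
        Write-Host ("{0,-60} expires {1:yyyy-MM-dd}" -f $el.Certificate.Subject, $el.Certificate.NotAfter)
    }
    if (-not $built) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
        }
    }
    return $built
}

function Export-CertificateToPfx {
    # Exports certificate plus private key. This fails if the key was not marked
    # exportable when the CSR was created; then the request has to be redone.
    param($Cert, [string]$Path, [System.Security.SecureString]$Password)
    try {
        $bytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    } catch [System.Security.Cryptography.CryptographicException] {
        throw "Private key is not exportable; re-issue the request with an exportable key. ($_)"
    }
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $Path
}

function Import-PfxToMachineStore {
    # Run on the TMG server. MachineKeySet stores the key where the firewall service
    # (a machine account) can use it; PersistKeySet keeps it beyond this session.
    param([string]$Path, [System.Security.SecureString]$Password)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet"
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path, $Password, $flags
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", "LocalMachine"
    $store.Open("ReadWrite")
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint   # select this thumbprint under Listener > Properties > Certificates
}

function Get-ExpiringCertificates {
    # Run on each internal server to find where the expiring certificate is still installed.
    param([int]$WithinDays = 60)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", "LocalMachine"
    $store.Open("ReadOnly")
    try {
        $store.Certificates |
            Where-Object { $_.NotAfter -lt (Get-Date).AddDays($WithinDays) } |
            Select-Object Subject, Thumbprint, NotAfter
    } finally { $store.Close() }
}

# --- Usage on the IIS box that holds the renewed certificate (placeholder values) ---
$new = Get-RenewedCertificate -CommonName "*.example.com"
if (-not $new) { throw "No certificate with a private key found for *.example.com" }
if (-not (Test-CertificateChain -Cert $new)) {
    Write-Warning "Install the supplier's intermediate certificate(s) before exporting"
}
$pfxPassword = Read-Host -AsSecureString "PFX password"
Export-CertificateToPfx -Cert $new -Path "C:\Temp\wildcard-renewed.pfx" -Password $pfxPassword

# --- Then on the TMG server, after copying the PFX across ---
# Import-PfxToMachineStore -Path "C:\Temp\wildcard-renewed.pfx" -Password (Read-Host -AsSecureString "PFX password")
# Get-ExpiringCertificates -WithinDays 60
```

The chain check is what catches the situation the accepted solution describes: a certificate from a supplier whose root is in the OS store but whose intermediate is not will build fine on a machine that happens to have the intermediate, and fail with a PartialChain status on one that does not, so run it on TMG after the import as well as on the IIS box before the export. TMG's listener certificate picker reads the machine account's Personal store, which is why the import has to land in LocalMachine\My and not in a user store; the same intermediate certificates need to be in LocalMachine\CA on TMG.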

Author Closing Comment

by:mark-199
ID: 37756640
Thanks for your informative answers. I think I now have enough information to do this in June. If there are any other issues, I will post it again.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37757026
No problem - we are always here :)
