Solved

Updating a wildcard certificate on TMG

Posted on 2012-03-20
3,389 Views
Last Modified: 2012-03-25
We have one TMG server, which has a wildcard certificate installed; this is the main certificate for all our SSL services and used by the following web listeners:
1. Exchange Forms Based Authentication
2. Exchange integrated
3. SSTP VPN and
4. SharePoint Forms Based Authentication

The certificate will expire in a couple of months.

This is my understanding on how to replace an existing with a new one on TMG:
* Buy a new certificate
* Import the certificate into the server IIS and export it to a PFX file??
* Replace the old certificate on each listener with the new certificate.


A few questions:
1. To renew a certificate, does the old certificate always have to be replaced by a new certificate or is there a way to update the existing certificate with a new date?
2. Does the certificate automatically appear in TMG Listener>Properties>Certificates once it has been imported in IIS or does it need to be added to the Local Certificate store>Personal folder?
3. Is it necessary for me to create a PFX file at all? What's the purpose of a PFX file in the context of renewing certificates?
4. Are there any internal servers that I need to update the certificate on? As far as I can tell, TMG bridges the connection between internal servers and itself, i.e. issues its own internal certificate to encrypt all internal LAN traffic.

Thanks
0
Question by:mark-199
5 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37743204
1. It gets replaced once it has been renewed via the new cert request.
2. No - and that is not where it goes either.
You import to the IIS - or whatever system you generated the CSR from. You then export this certificate including the private key. You then import the export file to the TMG cert store machine account, personal certs (remember to also import any intermediate certs your supplier may have provided). This can sometimes create a .pfx file but depends on options chosen during the request etc.
3. In TMG, you will need to edit any listeners that have used the existing certificate and replace it with the new certificate.
4. Only you can know this but the reasoning will be the same as in point 3... any server that has the old cert will need updating.
0
 

Author Comment

by:mark-199
ID: 37747342
Thanks

I will try this next week on our test system first.
One other question: what's the difference between a cheap "non-brand" SSL certificate and a "trusted brand" SSL certificate? Is the latter classed as a business certificate? If so, why; what are the extra features and benefits of a "trusted brand" certificate?
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 37747377
Not really.

The true major players are already included in the top level certificate chains and these are provided as part of the OS deployment - you can see those I mean, such as Verisign, if you looked in the Certificates mmc snap-in.

The cheaper ones - godaddy for instance - are not included and they provide intermediate certificates that also need to be installed. Certificate revocation lists are not so easily managed by the cheaper options but, that said, as long as you know what you are doing the cheaper options are quite good on the whole.
0
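The two points Keith makes above, that the export from IIS must carry the private key and that a cheaper CA's intermediate certificates must also be in the TMG machine store, can both be checked before touching the listeners. The script below is an added example written for this thread, not code from the thread or from Microsoft; it uses only the .NET X509 classes (so it runs on the PowerShell 2.0 that ships with TMG's Server 2008 R2), and the subject `CN=*.example.com` is a placeholder for your own wildcard name.

```powershell
# Added example (not from the thread): pre-flight check of a renewed wildcard
# certificate in LocalMachine\My before swapping it into the TMG web listeners.
# Assumes the new cert was imported into the machine Personal store as Keith
# describes; the subject below is a placeholder for your own wildcard name.
param(
    [string]$Subject = 'CN=*.example.com',   # placeholder
    [int]$WarnDays   = 60,
    [switch]$CheckRevocation                 # also test CRL reachability
)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$certs = $store.Certificates | Where-Object { $_.Subject.StartsWith($Subject, [StringComparison]::OrdinalIgnoreCase) }
$store.Close()

if (-not $certs) { Write-Warning "No certificate with subject $Subject in LocalMachine\My"; return }

foreach ($cert in $certs) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host ("Thumbprint {0}  expires {1:yyyy-MM-dd} ({2} days left)" -f $cert.Thumbprint, $cert.NotAfter, $daysLeft)

    # 1. TMG terminates TLS on the listener, so the cert must have its private
    #    key; a bare .cer export from IIS will import but cannot be used.
    if (-not $cert.HasPrivateKey) { Write-Warning '  no private key: re-export from IIS as PFX including the key' }

    # 2. Build the chain from this machine's stores. A missing intermediate from
    #    a cheaper CA shows up here as PartialChain, the same failure clients
    #    would see on the listener.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($CheckRevocation) {
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    } else {
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    }
    if ($chain.Build($cert)) {
        $issuers = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        Write-Host "  chain OK: $issuers"
    } else {
        foreach ($s in $chain.ChainStatus) { Write-Warning ("  chain problem: {0} {1}" -f $s.Status, $s.StatusInformation.Trim()) }
    }

    # 3. Expiry guard: the old cert is still bound to every listener until you
    #    replace it in Listener > Properties > Certificates.
    if ($daysLeft -lt $WarnDays) { Write-Warning "  expires within $WarnDays days: replace on each listener using it" }
}
```

Run it once after importing the new PFX (and the supplier's intermediates) and again after the old certificate has been removed from the listeners; the old thumbprint should then only appear with the expiry warning.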
 

Author Closing Comment

by:mark-199
ID: 37756640
Thanks for your informative answers. I think I now have enough information to do this in June. If there are any other issues, I will post it again.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37757026
No problem - we are always here :)
0
