Updating a wildcard certificate on TMG

We have one TMG server, which has a wildcard certificate installed; this is the main certificate for all our SSL services and used by the following web listeners:
1. Exchange Forms Based Authentication
2. Exchange integrated
3. SSTP VPN and
4. SharePoint Forms Based Authentication

The certificate will expire in a couple of months.

This is my understanding of how to replace an existing certificate with a new one on TMG:
* Buy a new certificate
* Import the certificate into the server IIS and export it to a PFX file??
* Replace the old certificate on each listener with the new certificate.


A few questions:
1. To renew a certificate, does the old certificate always have to be replaced by a new certificate or is there a way to update the existing certificate with a new date?
2. Does the certificate automatically appear in TMG Listener>Properties>Certificates once it has been imported in IIS or does it need to be added to the Local Certificate store>Personal folder?
3. Is it necessary for me to create a PFX file at all? What's the purpose of a PFX file in the context of renewing certificates?
4. Are there any internal servers that I need to update the certificate on? As far as I can tell, TMG bridges the connection between internal servers and itself, i.e. issues its own internal certificate to encrypt all internal LAN traffic.

Thanks
mark-199 Asked:
Keith Alabaster (Enterprise Architect) Commented:
1. gets replaced once it has been renewed via the new cert request.
2. No - and that is not where it goes either.
You import to the IIS - or whatever system you generated the CSR from. You then export this certificate including the private key. You then import the export file to the TMG cert store machine account, personal certs (remember to also import any intermediate certs your supplier may have provided). This can sometimes create a .pfx file but depends on options chosen during the request etc.
3. In TMG, you will need to edit any listeners that have used the existing certificate and replace it with the new certificate.
4. Only you can know this but the reasoning will be the same as in point 3... any server that has the old cert will need updating.
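The move described in the answer above (export from the IIS host with the private key, import into the TMG machine Personal store together with the intermediates, then check the chain before editing any listener) as an added PowerShell example that is not from the thread; the thumbprint, file paths and password prompt are placeholders, and it relies on certutil.exe, which is present on the Windows Server 2008 R2 builds TMG runs on.

```powershell
# Added example (not from the thread): carry a renewed wildcard certificate from
# the IIS host that generated the CSR to the TMG machine store, then verify the
# chain and lifetime before touching the listeners. Values below are placeholders.

$Thumbprint  = "PLACEHOLDER_THUMBPRINT_OF_NEW_CERT"   # from IIS > Server Certificates
$PfxPath     = "C:\certs\wildcard-new.pfx"             # placeholder path
$IntermDir   = "C:\certs\intermediates"                # .cer files from the supplier
$Secure      = Read-Host -AsSecureString "PFX password"
$Plain       = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

# --- Run on the IIS host: export certificate + private key to a PFX ----------
# The private key only exists where the CSR was created; the PFX is what carries
# it to TMG. Delete the file once the import has succeeded.
function Export-NewCert {
    certutil -p $Plain -exportPFX My $Thumbprint $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export failed (was the key marked exportable?)" }
}

# --- Run on the TMG server: import into LocalMachine\My plus intermediates ----
function Import-NewCert {
    certutil -f -p $Plain -importPFX $PfxPath | Out-Null      # machine Personal store
    if ($LASTEXITCODE -ne 0) { throw "PFX import failed" }
    Get-ChildItem (Join-Path $IntermDir "*.cer") | ForEach-Object {
        certutil -addstore CA $_.FullName | Out-Null          # intermediate CA store
    }
}

# --- Check: chain builds to a trusted root, key is present, days remaining ----
function Test-NewCert {
    $cert  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "Online"              # exercise the CRL/OCSP path
    $ok = $chain.Build($cert)
    $chain.ChainElements | ForEach-Object {
        "{0,-60} expires {1:yyyy-MM-dd}" -f $_.Certificate.Subject, $_.Certificate.NotAfter
    }
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation } }
    if (-not $cert.HasPrivateKey) { Write-Warning "No private key: listeners cannot use this certificate" }
    $days = ($cert.NotAfter - (Get-Date)).Days
    Write-Host "Chain OK: $ok  Private key: $($cert.HasPrivateKey)  Days left: $days"
}
```

Only once Test-NewCert reports a good chain and a private key should the listeners be switched over; a missing intermediate shows up here rather than as a client-side trust error later.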
mark-199 (Author) Commented:
Thanks

I will try this next week on our test system first.
One other question: what's the difference between a cheap "non-brand" SSL certificate and a "trusted brand" SSL certificate? Is the latter classed as a business certificate? If so, why: what are the extra features and benefits of a "trusted brand" certificate?
Keith Alabaster (Enterprise Architect) Commented:
Not really.

The true major players are already included in the top level certificate chains and these are provided as part of the OS deployment - you can see those I mean, such as Verisign, if you looked in the Certificates mmc snap-in.

The cheaper ones - GoDaddy for instance - are not included and they provide intermediate certificates that also need to be installed. Certificate revocation lists are not so easily managed by the cheaper options but, that said, as long as you know what you are doing the cheaper options are quite good on the whole.
mark-199 (Author) Commented:
Thanks for your informative answers. I think I now have enough information to do this in June. If there are any other issues, I will post it again.
Keith Alabaster (Enterprise Architect) Commented:
No problem - we are always here :)