Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Updating a wildcard certificate on TMG

Posted on 2012-03-20
5
Medium Priority
?
3,292 Views
Last Modified: 2012-03-25
We have one TMG server, which has a wildcard certificate installed; this is the main certificate for all our SSL services and used by the following web listeners:
1. Exchange Forms Based Authentication
2. Exchange integrated
3. SSTP VPN and
4. SharePoint Forms Based Authentication

The certificate will expire in a couple of months.

This is my understanding on how to replace an existing with a new one on TMG:
* Buy a new certificate
* Import the certificate into the server IIS and export it to a PFX file??
* Replace the old certificate on each listener with the new certificate.


A few questions:
1. To renew a certificate, does the old certificate always have to be replaced by a new certificate or is there a way to update the existing certificate with a new date?
2. Does the certificate automatically appear in TMG Listener>Properties>Certificates once it has been imported in IIS or does it need to be added to the Local Certificate store>Personal folder?
3. Is it necessary for me to create a PFX file at all? What's the purpose of a PFX file in the context of renewing certificates?
4. Are there any internal servers that I need to update the certificate on? As far as I can tell, TMG bridges the connection between internal servers and itself i.e. issues it's own internal certificate to encrypt all internal LAN traffic.

Thanks
0
Comment
Question by:mark-199
  • 3
  • 2
5 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37743204
1. gets replaced once it has been renewed via the new cert request.
2. No - and that is not where it goes either.
You import to the IIS - or whatever system you generated the CSR from. You then export this certificate including the private key. You then import the export file to the TMG cert store machine account, personal certs (remember to also import any intermediate certs your supplier may have provided). This can sometimes create a .pfx file but depends on options chosen during the request etc.
3. In TMG, you will need to edit any listeners that have used the existing certificate and replace it with the new certificate.
4. Only you can know this but the reasoning will be the same as in point 3... any server that has the old cert will need updating.
0
 

Author Comment

by:mark-199
ID: 37747342
Thanks

I will try this next week on our test system first.
One other question: what's the diference between a cheap "non-brand" SSL certificate and a "trusted brand" SSL certificate? Is the latter classed as a business certificate? If so why- what are the extra features and benefits of a "trusted brand" certificate?
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 37747377
Not really.

The true major players are already included in the top level certificate chains and these are provided as part of the OS deployment - you can see those I mean such as Verisign if you looked in the Certifcates mmc snap-in.

The cheaper ones - godaddy for instance - are not included and they provide intermediate certificates that also need to be installed. Certificate revocation lists are not so easily managed by the cheaper options but, that said, as lonf as you know what you are doing the cheaper options are quite good on the whole.
0
 

Author Closing Comment

by:mark-199
ID: 37756640
Thanks for your informative answers. I think I now have enough information to do this in June. If there are any other issues, I will post it again.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37757026
No problem - we are always here :)
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On September 18, Experts Exchange launched the first installment of the Help Bell, a new feature for Premium Members, Team Accounts, and Qualified Experts. The Help Bell will serve as an additional tool to help teams increase question visibility.
Steps to fix error: “Couldn’t mount the database that you specified. Specified database: HU-DB; Error code: An Active Manager operation fail”
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Suggested Courses

879 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question