dr_dudd asked:
Need help understanding Certificate Authorities and Certificates

Hi all,

I have very little knowledge when it comes to Certificate Authorities in Windows domains and have some questions about the basic concept of how CAs work, so I thought I'd ask the experts :-)

Externally we have an internet connection which has a proper (purchased) SSL certificate which works fine. I have no questions about this.

The external internet connection goes into an MS Forefront TMG, which then goes through our ASA firewall, and then onto the internal network.

Internally we have a Windows Server 2003 R2 SP2 machine called cert.company.local which is running as a Certificate Authority.

Also internally, we have a Windows Server 2008 R2 SP1 standard web-server called websrv.company.local which is running IIS7 and serving webpages to external clients.

A whole bunch of certificates which were generated against the CA on cert.company.local are about to expire, so I need to create new ones.

Additionally, the CA certificate is about to expire too.

I need to figure out in my head the framework for how certificates, CAs and TMGs/ASAs work and rely on certificates. Then maybe I can start hitting Google with some searches that return useful information :-)

1) If I create a new CA Certificate on cert.company.local, will that overwrite or override the existing one? (I don't want to break websites using the old one)

2) Does the TMG need the CA Certificate installed on it? (Does it need to know to trust cert.company.local?)

3) Does the ASA need the CA Certificate installed on it?

4) All the websites being served up by websrv.company.local have SSL certificates associated with them. Do these certificates need to be on the TMG (and/or ASA) too?

5) Is it dumb that internally, we are using an SSL connection between the TMG and the web-server?

6) How is the trust set up between the TMG and the web-server? My current thinking is that the TMG needs to know to trust the CA on cert.company.local. A request for a webpage hits the TMG, which resolves the URL to an internal IP. A secure connection is made from the TMG to the web-server, which returns its certificate to the TMG, which then verifies that it is legitimate because it knows that it was generated on cert.company.local. Is this correct, or is my thinking dumber than the offspring of a TV weather girl and the village idiot?

Thank you for reading, and if anyone has any links to basic articles related to IIS7 / Windows CAs / TMGs / ASAs I'd be delighted to read them!
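Questions 1 and 6 above are really one mechanism: a client (here the TMG) accepts the web server's certificate if it can build a chain from that certificate to a CA certificate it already trusts, and the name in the certificate matches the host it is talking to. The script below is an added example, not part of the thread or of anyone's answer: it uses the openssl command line as a stand-in for the CA on cert.company.local, issues a certificate for websrv.company.local, then "renews" the CA certificate two different ways and shows which renewal keeps the existing server certificate verifiable. The host names are the ones from the question; the keys, lifetimes, file names and the CA name company-CA are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): a stand-in for the internal CA on
# cert.company.local, built with the openssl CLI, to show what renewing the CA
# certificate does to server certificates already issued under it, and what
# "trusting the CA" means for the TLS client (the TMG) talking to websrv.company.local.
# Host names come from the question; keys, lifetimes and the CA name are made up.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Request/extension config so the script does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = company-CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions stamped onto the server certificate at signing time. authorityKeyIdentifier
# (a hash of the CA's public key) is how a verifier picks the issuing CA certificate
# out of its trust store, so it survives a CA renewal only if the CA key is unchanged.
cat > server-ext.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:websrv.company.local
authorityKeyIdentifier = keyid
EOF

# Self-sign a CA certificate for the given key. Running this again with the same key
# is a "renew with the existing key pair"; with a fresh key it is effectively a new CA.
issue_ca_cert() { # $1 = CA private key, $2 = output cert, $3 = lifetime in days
    openssl req -new -x509 -config ca.cnf -key "$1" -days "$3" -out "$2" 2>/dev/null
}

# Issue a server certificate for websrv.company.local signed by the given CA.
issue_server_cert() { # $1 = CA cert, $2 = CA key, $3 = server key out, $4 = server cert out
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=websrv.company.local" -keyout "$3" -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA "$1" -CAkey "$2" -CAcreateserial \
        -days 365 -extfile server-ext.cnf -out "$4" 2>/dev/null
}

# What the TMG (or any TLS client) does with the certificate the web server presents:
# chain it to a CA it trusts and check the host name. Prints "ok" or "fail".
client_accepts() { # $1 = trusted CA cert, $2 = server cert, $3 = host name being connected to
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

openssl genrsa -out ca.key 2048 2>/dev/null
issue_ca_cert ca.key ca-old.crt 365              # the CA cert that is about to expire
issue_server_cert ca-old.crt ca.key websrv.key websrv.crt

issue_ca_cert ca.key ca-renewed.crt 1825         # renewal with the SAME key: new cert, same key
openssl genrsa -out ca-new.key 2048 2>/dev/null
issue_ca_cert ca-new.key ca-newkey.crt 1825      # renewal with a NEW key: a different CA

echo "trust original CA cert:        $(client_accepts ca-old.crt     websrv.crt websrv.company.local)"
echo "trust renewed (same key) cert: $(client_accepts ca-renewed.crt websrv.crt websrv.company.local)"
echo "trust new-key CA cert:         $(client_accepts ca-newkey.crt  websrv.crt websrv.company.local)"
echo "right CA, wrong host name:     $(client_accepts ca-old.crt     websrv.crt tmg.company.local)"
```

The first two lines of output are "ok" and the last two are "fail": a CA certificate renewed with the existing key pair is a second certificate for the same key, so it verifies everything the old one signed and both can sit in a trust store side by side, whereas a CA certificate on a new key verifies nothing issued before it. The Windows Certification Authority console's "Renew CA Certificate" offers exactly these two choices (reuse the existing key or generate a new one). The `client_accepts` check is also the whole of question 6: for the TMG to accept websrv.company.local's certificate, the issuing CA's certificate must be in the TMG machine's trusted root store, and the name the TMG connects to must match the certificate.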
ASKER CERTIFIED SOLUTION
arnold (United States of America)

SOLUTION
dr_dudd (ASKER)

Thank you! My initial question was bad, but with your two answers I managed to fix my problem. *tips his hat to arnold*