Installing an SSL certificate on Microsoft ISA 2000 Server
Please also see: http://support.microsoft.com/default.aspx?scid=kb;US;292569
Part one: Prepare the certificate for your domain name
Open the email we sent you that contains the certificate for your domain.
Copy the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings.
Paste the certificate into a blank document in a text editor. Use an editor that will not add characters, such as TextPad.
Save the document. We recommend that you name it YourDomainName.crt.
We recommend that you also back up your certificate on another computer or storage device.
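A check for the file saved in Part one, added here as an example (it is not part of the original instructions or of any vendor tool): it flags the usual copy-and-paste damage, such as a byte order mark or other characters added by the editor, text outside the BEGIN/END lines, or a truncated body. The function names are assumptions, and the sample input is a constructed placeholder, not a real certificate.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_pem_certificate(raw: bytes) -> list:
    """Return a list of problems found in a saved .crt file (empty list = looks clean)."""
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 byte order mark")
        raw = raw[3:]
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return problems + ["file contains non-ASCII bytes"]
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines.count(BEGIN) != 1 or lines.count(END) != 1:
        return problems + ["expected exactly one BEGIN and one END CERTIFICATE line"]
    if lines[0] != BEGIN or lines[-1] != END:
        problems.append("text found outside the BEGIN/END lines")
    body = "".join(lines[lines.index(BEGIN) + 1 : lines.index(END)])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return problems + ["body contains characters that are not base64"]
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return problems + ["body is not valid base64 (truncated copy?)"]
    # A DER certificate is one ASN.1 SEQUENCE (tag 0x30) spanning the whole blob.
    if len(der) < 4 or der[0] != 0x30:
        return problems + ["decoded data does not start with an ASN.1 SEQUENCE"]
    if der[1] & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = der[1] & 0x7F
        length, header = int.from_bytes(der[2 : 2 + n], "big"), 2 + n
    else:  # short-form length: the byte is the length itself
        length, header = der[1], 2
    if header + length != len(der):
        problems.append("DER length does not match the data (truncated or padded copy)")
    return problems

def make_sample_pem() -> bytes:
    """Constructed stand-in (not a real certificate): a SEQUENCE holding 256 zero bytes."""
    der = b"\x30\x82\x01\x00" + bytes(256)
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i : i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([BEGIN, *rows, END, ""]).encode("ascii")
```

To check your own file, pass its bytes, for example `check_pem_certificate(open("YourDomainName.crt", "rb").read())`; an empty list means the file is structurally intact, not that the certificate is valid or trusted.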
Part two: Move your certificate from one computer to another
This portion of the installation instructions assumes that you have a central staging area for CSRs and certificates. In this case, you must export the CSR or certificate, and the associated private key, from the current computer and import them into the computer where you want to install the certificate. This procedure can be followed any time after generating the CSR, throughout the life cycle of the certificate.
To export the CSR or certificate, and the private key
- On the staging area computer, in the Windows task bar, click Start, then Run.
- Type mmc and click OK.
- In Microsoft Management Console, click File, then Add/Remove Snap-in.
- In the Add/Remove Snap-in dialog box, click Add.
- In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.
- Select Computer account and click Next.
- Select Local computer and click Finish.
- In the Add Standalone Snap-in box, click Close.
- In the Add/Remove Snap-in box, click OK.
- In the MMC Console Root window, open the Certificates icon.
- Open the Personal folder, then the Certificates subfolder. You should see a certificate with the name of your Web site in the Issued To column.
- Right-click on the certificate, select All Tasks, and then click Export.
- In the Export window, click Next.
- Click Yes, select Export the private key, and then click Next.
Note: If you do not have the option to export the private key, then either the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on ISA Server. You must request a new certificate for this site for ISA Server.
- Select Personal Information Exchange, and then select the appropriate check boxes for all three sub-options.
- Assign a password and confirm it.
- Assign a file name and location.
- Click Finish.
Note: Keep this file safe. It contains the private key for your certificate, and the security of your SSL connections depends on it.
To copy the file that you created to the ISA Server computer
- On the ISA Server computer, in the Windows task bar, click Start, then Run.
- Type mmc and click OK.
- In Microsoft Management Console, click File, then Add/Remove Snap-in.
- In the Add/Remove Snap-in dialog box, click Add.
- In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.
- Select Computer account and click Next.
- Select Local computer and click Finish.
- In the Add Standalone Snap-in box, click Close.
- In the Add/Remove Snap-in box, click OK.
- In the MMC Console Root window, open the Certificates icon.
- Open the Personal folder.
- Right-click the Personal folder, select All Tasks, and then click Import.
- On the Import Wizard, click Next.
- Confirm that your file is listed, and then click Next.
- Enter the password for the file that you created when you exported.
- On the sub-option, select the Mark the private key as exportable check box.
- Leave the import setting on Automatically, and then click Next.
- Click Finish.
Part three: Download and save your Root and Intermediate certificates
Confirm which certificate you purchased, and determine which set of Root and Intermediate certificates to download.
To confirm which certificate you purchased, review your order confirmation.
If you purchased SBS Instant, download set A below.
If you purchased SBS Secure or Secure Plus, download set B below.
A -- SBS Instant
-OR-
B -- SBS Secure and Secure Plus
Download the Root-Intermediate set for your domain name certificate. To download, right-click each certificate file name and select Save Target As.
Save the Root and Intermediate certificates to the same directory where you saved the certificate for your domain name.
Part four: Install the Root and Intermediate certificates
- On the ISA Server computer, in the Windows task bar, click Start, then Run.
- Type mmc and click OK.
- In Microsoft Management Console, click File, then Add/Remove Snap-in.
- In the Add/Remove Snap-in dialog box, click Add.
- In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.
- Select Computer account and click Next.
- Select Local computer and click Finish.
- In the Add Standalone Snap-in box, click Close.
- In the Add/Remove Snap-in box, click OK.
- In the MMC Console Root window, expand the folder structure.
- Right-click Trusted Root Certification Authorities, select All Tasks, and click Import.
- In the Certificate Import Wizard, click Next.
- Browse and select your Root certificate, and click Next.
- Confirm that the certificate will be installed in the Trusted Root Certification Authorities store, and click Next.
- When the wizard is completed, click Finish.
- In the Console Root window, repeat the process for your Intermediate certificates (two Intermediates for SBS Instant, one for SBS Secure or Secure Plus). In this case, right-click Intermediate Certification Authorities.
- Restart the computer (not just ISA) to complete the installation of the Root and Intermediate certificates.
Part five: Configure the installation
- On the ISA Server computer, in the Windows task bar, click Start, then Run.
- Type mmc and click OK.
- In Microsoft Management Console, click File, then Add/Remove Snap-in.
- In the Add/Remove Snap-in dialog box, click Add.
- In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.
- Select Computer account and click Next.
- Select Local computer and click Finish.
- In the Add Standalone Snap-in box, click Close.
- In the Add/Remove Snap-in box, click OK.
- In the MMC Console Root window, open the Certificates icon.
- Open the Personal folder, then the Certificates subfolder.
- Click Certificates and verify that there is a certificate with the name of the Web computer.
- Right-click the certificate and click Properties.
If the Intended Purposes field of the certificate is set to All rather than a list of specific purposes, the following steps must be followed before the certificate can be recognized by ISA Server:
- In the Certificate Services snap-in, open the Properties dialog box of the relevant certificate.
- Change the Enable all purposes for this certificate option to Enable only the following purposes.
- Select all of the items, and then click Apply.
- In the ISA Manager, right-click the server accepting the incoming connection, and click Properties.
- Click the Incoming Web Requests tab.
- Click the Internet Protocol (IP) address entry for the site that you are going to host, or the all IP addresses entry if you do not have individual IP addresses set up.
- Click Edit.
- Click to select the Use a server certificate to authenticate to web users check box.
- Click Select.
- Select your previously imported certificate.
- Click OK.
- Click to select the Enable SSL listeners check box.
- Expand the Publishing folder and click Web Publishing Rules.
- Double-click the Web Publishing Rule that will route the SSL traffic.
- On the Bridging tab, choose the option to Redirect SSL requests as: HTTP requests (terminate the secure channel at the proxy).
- Click OK.
- Restart ISA Server.