From what I could tell, there is no specific guidance or Microsoft documentation (yet) on creating an HTTPSi certificate using an internal Microsoft Active Directory Certificate Services (AD CS) Certificate Authority. Hence, I thought it might be useful to document the process I used recently.
Although it is possible to publish the default TMG-generated HTTPSi certificate into Active Directory so that it is deployed to the Trusted Root Certification Authorities certificate store on client machines, this is an unnecessary process if you already have your own internal CA. For the purposes of this article, I have used a Windows Server 2008 CA, but the process would be similar using Windows Server 2003.
The HTTPSi creation process involves the following high-level steps:
- Create a TMG HTTPS Inspection certificate template
- Configure TMG to communicate with the internal CA
- Request the HTTPSi certificate from the internal CA
- Export the HTTPSi certificate to PFX format
- Import the HTTPSi certificate using the Forefront TMG Management Console
- Test HTTPSi
So, looking at these steps in turn…
Create a TMG HTTPS Inspection Certificate Template
The first step in the process involves creating a certificate template which will be used to define the properties of the HTTPSi certificate.
Based upon my understanding from the documentation that is available, the HTTPSi certificate requires a Certificate Signing key usage. Therefore, a good starting point for creation of the HTTPSi template is to duplicate the existing Subordinate Certificate Authority template.
On the internal CA, start the Certificate Authority snap-in, right-click the Certificate Templates node and then select the Manage option:
In the Certificate Templates Console right-click the existing template titled Subordinate Certificate Authority, and select the Duplicate Template option:
Select Windows 2003 Server, Enterprise Edition template version:
Please Note: As Forefront TMG 2010 does not support CNG (Cryptography Next Generation) based templates, you cannot use Windows Server 2008, Enterprise Edition templates (also called v3 templates).
On the General tab, enter Forefront TMG HTTPS Inspection, or a similar name, in the Template display name: field.
Set the required certificate lifetime in the Validity period: field or accept the default value of 5 years.
On the Extensions tab, select the Key Usage extension and click Edit:
Deselect all Signatures except the Certificate Signing option.
On the Extensions tab, select the Basic Constraints extension and click Edit:
Enable the Do not allow subject to issue certificates to other CAs option.
On the Security tab, ensure that the TMG computer object has Read and Enroll permissions:
Please Note: If you are using a TMG Enterprise Edition, all TMG array member computer objects will require these permissions.
Click OK to complete the certificate template creation process and close the Certificate Templates Console.
In the Certificate Authority snap-in, right-click the Certificate Templates node and then select the New, Certificate Template to Issue option:
On the Enabled Certificate Templates window, select the Forefront TMG HTTPS Inspection template (or your chosen name) and click OK.
The new template should now be listed in the right-hand pane of the Certificate Authority snap-in.
Configure TMG to Communicate with the Internal CA
As discussed in one of my previous blog entries here, we need to prepare TMG so that it can request certificates from an internal CA. Rather than reinvent the wheel, you can simply use the following section from that previous blog article, along with the included link (see below) to Stefaan’s article.
Preparing the Firewall Policy
Rather than re-invent the wheel, it makes more sense to point readers to an existing article which covers the process of defining a firewall policy which allows certificate requests from the ISA Server computer itself.
The required firewall policy changes are covered very well in the Certificate Enrollment Requires a Custom Protocol blog entry by Stefaan Pouseele. The remainder of this blog entry assumes that you have successfully completed the firewall policy changes as described above (or in a similar fashion with a slightly more open policy).
So, assuming that you now have the correct Firewall Policy in place, we can move onto requesting the actual HTTPSi certificate.
Request the HTTPSi Certificate from the Internal CA
In terms of requesting the HTTPSi certificate, we have a couple of common options:
- Use a command line approach with Certreq
- Use the Certificates snap-in
The first option is discussed in detail in my previous entry titled Requesting ISA Server Certificates from a Windows Server 2008 Certificate Authority and provides an ideal approach for those who are happy to work with command line tools. This approach is also the recommended option when using certificate templates that are configured to disallow private key exports.
However, as the Forefront TMG Management Console requires the HTTPSi certificate to be provided in Personal Information Exchange (PFX) format rather than selected from the local certificate store, we have no option but to create a template that allows the private key to be included as part of the PFX export process. Consequently, we are able to use the Certificates snap-in to request the certificate and are not forced to use command line tools for this particular scenario; the command line approach is still viable though.
As I have already covered the command line approach (in detail) within the previous blog entry, I think it is more useful to provide a walkthrough of the Certificate snap-in approach, as this is a viable method in this scenario.
Please Note: If you are using a TMG array, the HTTPS inspection certificate is stored in the configuration storage, and array members can begin using the HTTPS inspection certificate after synchronising with the configuration storage. Consequently, the import process only needs to be completed once per array.
Open the Certificates snap-in choosing the Local Computer account certificate store. Right-click on the Certificates node and select All Tasks, Request New Certificate.
Follow the Certificate Enrollment Wizard as follows:
On the Certificate Enrollment window select the Active Directory Enrollment Policy option and click Next.
Select the Forefront TMG HTTPS Inspection certificate template (or chosen name) and click on the More information is required to enroll for this certificate. Click here to configure settings link:
On the Subject tab, select the Common Name type from the Subject name: field and enter Microsoft Forefront TMG HTTPS Inspection Certificate Authority (or a similar name) into the Value: field. Click the Add button to assign the value:
On the Extensions tab, verify that the key usage contains only Key Certificate Signing and verify that the Basic constraints option of Allow subject to issue certificates is disabled.
On the Private key tab, verify that the Make private key exportable option is enabled.
Finally, click OK, followed by Enroll to finalise the certificate request. The wizard should indicate that the certificate has been enrolled successfully.
Export the HTTPSi Certificate to PFX Format
Once you have created the certificate, it will have been placed into the Local Computer account certificate store. However, the Forefront TMG Management Console requires the HTTPSi certificate to be provided in Personal Information Exchange (PFX) format rather than selected from the local certificate store. Hence, we need to export the HTTPSi certificate using a PFX format.
Open the Certificates snap-in choosing the Local Computer account certificate store. Select the Certificates node and select the newly created HTTPSi certificate from the right-hand pane. Right-click the certificate and select All Tasks, Export…
Follow the Certificate Export Wizard ensuring that you select the option to Yes, export the private key and the Personal Information Exchange – PKCS #12 (.PFX) format; save the export file to a local folder/drive.
Important: Make a note of the password used to protect the PFX file, as this will be required later.
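The command-line route mentioned earlier, as an added example that is not from the original article: it requests the certificate with certreq, checks the same Key Usage, Basic Constraints and exportable-key properties the snap-in tabs show, and exports the PFX with certutil. The template's internal name, the CA config string and the working folder are assumptions; replace them with your own values.

```powershell
# Added example, not from the original article: the certreq/certutil equivalent of the
# snap-in walkthrough, run on the TMG server in an elevated PowerShell session.
# Assumed values (replace with your own): the template's internal name and the CA config string.
$Template = 'ForefrontTMGHTTPSInspection'         # template name, not display name (assumed)
$CaConfig = 'ca01.corp.example\Corp Issuing CA'   # "<CA host>\<CA name>" placeholder
$Subject  = 'CN=Microsoft Forefront TMG HTTPS Inspection Certificate Authority'
$Work     = 'C:\HTTPSi'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Build the request: legacy CSP (TMG 2010 cannot use CNG/v3 templates), machine key,
#    exportable private key so the PFX export later includes it, KeyUsage 0x04 = KeyCertSign.
#    The Basic Constraints extension (CA=true, path length 0) comes from the template itself.
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0x04
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\httpsi.inf" -Encoding ASCII

certreq -new "$Work\httpsi.inf" "$Work\httpsi.req"
certreq -submit -config $CaConfig "$Work\httpsi.req" "$Work\httpsi.cer"
# If the template requires CA manager approval, issue the pending request on the CA and then
# run: certreq -retrieve -config $CaConfig <RequestId> "$Work\httpsi.cer"
certreq -accept "$Work\httpsi.cer"    # binds the issued certificate to the key in LocalMachine\My

# 2. Verify what the Extensions and Private key tabs show in the snap-in walkthrough.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # Key Usage
$bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # Basic Constraints
if ("$($ku.KeyUsages)" -ne 'KeyCertSign') { throw "Key usage is '$($ku.KeyUsages)', expected KeyCertSign only" }
if (-not $bc.CertificateAuthority)        { throw 'Basic Constraints does not mark this as a CA certificate' }
if ($bc.HasPathLengthConstraint -and $bc.PathLengthConstraint -ne 0) { throw 'Path length constraint is not 0' }
if (-not $cert.HasPrivateKey)             { throw 'No private key is bound to the certificate' }

# 3. Export to PFX with the private key (Export-PfxCertificate needs Server 2012+; certutil works on 2008).
$pfxPassword = Read-Host 'Password to protect the PFX (TMG will prompt for it on import)'
certutil -p $pfxPassword -exportPFX My $cert.Thumbprint "$Work\httpsi.pfx"
```

The resulting httpsi.pfx is the file the Forefront TMG Management Console import step below expects.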
With the HTTPSi certificate now available in PFX format, we can import this into the TMG configuration using the Forefront TMG Management Console.
Import the HTTPSi Certificate Using the Forefront TMG Management Console
Open the Forefront TMG Management Console and select the Web Access Policy node. Click on the Configure HTTPS Inspection option from the Tasks pane.
Select the Import a certificate option and click the Import button to browse to the location of the previously saved HTTPSi certificate PFX file. When prompted, provide the password used previously to protect the PFX file.
To validate that the certificate has been imported successfully, click the HTTPS Inspection Trusted Root CA Certificate Options button, followed by the View Certificate Details… option.
The existing self-signed Forefront TMG certificate should now have been replaced by a certificate titled Microsoft Forefront TMG HTTPS Inspection Certificate Authority (or chosen name) which appears to have been issued and signed by the internal CA.
So, you should now have successfully completed the HTTPSi configuration and all we need to do is test the final deployment.
Finally, in order to test HTTPS inspection, we can simply browse to an HTTPS-enabled web site using TMG as our proxy server and examine the SSL certificate properties.
Using IE with an example URL of https://www.amazon.com, you should see the following:
As can be seen, the issuer is now shown as the Microsoft Forefront HTTPS Inspection Certificate Authority (or the name chosen). This should be the same name as the Common Name (CN) value defined for the HTTPSi certificate during the request process.
If you examine the certification path, you should also now see that the website certificate chains to the internal CA, as shown below:
It is interesting to note that if the destination website is using Extended Validation (EV) certificates, the use of HTTPSi will break the default behaviour of IE and will not present the usual ‘green address bar’ for a highly trustworthy web site.
This is an expected limitation that is well documented in the TMG Unsupported Configurations document available here.
Update: Adrian Dimcev also covers some interesting thoughts on this particular area (and some overlap with this article) in his recent blog entry here.
So, that completes our walkthrough, which hopefully provides a good overview of the process involved.
As certificates are a common cause of frustration for many administrators, I plan to provide some more blog articles on the subject of issuing certificates very soon, this time for use with a Unified Access Gateway (UAG) DirectAccess deployment…