Friday, 8 January 2010

Generating a TMG HTTPS Inspection Certificate Using a Windows Server 2008 Certificate Authority

From what I could tell, there is no specific guidance or Microsoft documentation (yet) on creating a HTTPSi certificate using an internal Microsoft Active Directory Certificate Services (AD CS) Certificate Authority. Hence, I thought it might be useful to document the process I used recently.

Although it is possible to publish the default TMG generated HTTPSi certificate into Active Directory so that it is published to the Trusted Root Certificate Authorities certificate store on client machines, this is an unnecessary process if you already have your own internal CA. For the purposes of this article, I have used a Windows Server 2008 CA, but the process would be similar using Windows Server 2003.

The HTTPSi creation process involves the following high-level steps:

  • Create a TMG HTTPS Inspection certificate template
  • Configure TMG to communicate with the internal CA
  • Request the HTTPSi certificate from the internal CA
  • Export the HTTPSi certificate to PFX format
  • Import the HTTPSi certificate using the Forefront TMG Management Console
  • Test HTTPSi

So, looking at these steps in turn…

Create a TMG HTTPS Inspection Certificate Template

The first step in the process involves creating a certificate template which will be used to define the properties of the HTTPSi certificate.

Based upon my understanding from the documentation that is available, the HTTPSi certificate requires a Certificate Signing key usage. Therefore, a good starting point for creation of the HTTPSi template is to duplicate the existing Subordinate Certificate Authority template.

On the internal CA, start the Certificate Authority snap-in, right-click the Certificate Templates node and then select the Manage option:

In the Certificate Templates Console right-click the existing template titled Subordinate Certificate Authority, and select the Duplicate Template option:

Select Windows 2003 Server, Enterprise Edition template version:


Please Note: As Forefront TMG 2010 does not support CNG (Certificate New Generation) based templates, you cannot use Windows Server 2008, Enterprise Edition templates (also called v3 templates).

On the General tab, enter Forefront TMG HTTPS Inspection, or a similar name, in the Template display name: field.

Set the required certificate lifetime in the Validity period: field or accept the default value of 5 years.


On the Extensions tab, select the Key Usage extension and click Edit:

Deselect all Signatures except the Certificate Signing option.


On the Extensions tab, select the Basic Constraints extension and click Edit:

Enable the Do not allow subject to issue certificates to other CAs option.


On the Security tab, ensure that the TMG computer object has Read and Enroll permissions:

Please Note: If you are using TMG Enterprise Edition, all TMG array member computer objects will require these permissions.

Click OK to complete the certificate template creation process and close the Certificate Templates Console.

In the Certificate Authority snap-in, right-click the Certificate Templates node and then select the New, Certificate Template to Issue option:

On the Enabled Certificate Templates window, select the Forefront TMG HTTPS Inspection template (or your chosen name) and click OK.

The new template should now be listed in the right-hand pane of the Certificate Authority snap-in.

Configure TMG to Communicate with the Internal CA

As discussed in one of my previous blog entries, we need to prepare TMG in order to request certificates from an internal CA. Rather than reinvent the wheel, you can simply use the following section from that previous blog article, along with the included link (see below) to Stefaan’s article.

Preparing the Firewall Policy

Rather than re-invent the wheel, it makes more sense to point readers to an existing article which covers the process of defining a firewall policy which allows certificate requests from the ISA Server computer itself.

The required firewall policy changes are covered very well in the Certificate Enrollment Requires a Custom Protocol blog entry by Stefaan Pouseele. The remainder of this blog entry assumes that you have successfully completed the firewall policy changes as described above (or in a similar fashion with a slightly more open policy).

So, assuming that you now have the correct Firewall Policy in place, we can move onto requesting the actual HTTPSi certificate.

Request the HTTPSi Certificate from the Internal CA

In terms of requesting the HTTPSi certificate, we have a couple of common options:

  • Use a command line approach with Certreq
  • Use the Certificates snap-in

The first option is discussed in detail in my previous entry titled Requesting ISA Server Certificates from a Windows Server 2008 Certificate Authority and provides an ideal approach for those who are happy to work with command line tools. This approach is also the recommended option when using certificate templates that are configured to disallow private key exports.

However, as the Forefront TMG Management Console requires the HTTPSi certificate to be provided in Personal Information Exchange (PFX) format rather than selected from the local certificate store, we have no option but to create a template that allows the private key to be included as part of the PFX export process. Consequently, we can use the Certificates snap-in to request the certificate and are not forced to use command line tools for this particular scenario; the command line approach is still viable though.

As I have already covered the command line approach (in detail) within the previous blog entry, I think it is more useful to provide a walkthrough of the Certificate snap-in approach, as this is a viable method in this scenario.

Please Note: If you are using a TMG array, the HTTPS inspection certificate is stored to the configuration storage, and array members can begin using the HTTPS inspection certificate after synchronising with the configuration storage. Subsequently, the import process only needs to be completed once per array.

Open the Certificates snap-in choosing the Local Computer account certificate store. Right-click on the Certificates node and select All Tasks, Request New Certificate.

Follow the Certificate Enrollment Wizard as follows:

On the Certificate Enrollment window select the Active Directory Enrollment Policy option and click Next.


Select the Forefront TMG HTTPS Inspection certificate template (or chosen name) and click on the More information is required to enroll for this certificate. Click here to configure settings link:


On the Subject tab, select the Common Name type from the Subject name: field and enter Microsoft Forefront TMG HTTPS Inspection Certificate Authority (or a similar name) into the Value: field. Click the Add button to assign the value:


On the Extensions tab, verify that the key usage contains only Key Certificate Signing and verify that the Basic constraints option of Allow subject to issue certificates is disabled.

On the Private key tab, verify that the Make private key exportable option is enabled.

Finally, click OK, followed by Enroll to finalise the certificate request. The wizard should indicate that the certificate has been enrolled successfully.

Export the HTTPSi Certificate to PFX Format

Once you have created the certificate, it will have been placed into the Local Computer account certificate store. However, the Forefront TMG Management Console requires the HTTPSi certificate to be provided in Personal Information Exchange (PFX) format rather than selected from the local certificate store. Hence, we need to export the HTTPSi certificate using a PFX format.

Open the Certificates snap-in choosing the Local Computer account certificate store. Select the Certificates node and select the newly created HTTPSi certificate from the right-hand pane. Right-click the certificate and select All Tasks, Export…

Follow the Certificate Export Wizard ensuring that you select the option to Yes, export the private key and the Personal Information Exchange – PKCS #12 (.PFX) format; save the export file to a local folder/drive.

Important: Make a note of the password used to protect the PFX file, as this will be required later.

With the HTTPSi certificate now available in PFX format, we can import this into the TMG configuration using the Forefront TMG Management Console.
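Before importing, the exported PFX can be checked against the template settings configured earlier (private key present, Certificate Signing as the only key usage, Basic Constraints, chain to the internal CA). The following is an added example, not part of the original post; the function name `Test-HttpsiPfx` and the file path are hypothetical, and it assumes the Do not allow subject to issue certificates to other CAs option is encoded as a path length constraint of 0.

```powershell
# Added example, not from the original post. Checks an exported HTTPSi PFX
# against the template settings configured earlier in the walkthrough.
function Test-HttpsiPfx {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $Path, $Password

    # Standard extension OIDs: 2.5.29.15 = Key Usage, 2.5.29.19 = Basic Constraints
    $ku = $cert.Extensions['2.5.29.15']
    $bc = $cert.Extensions['2.5.29.19']
    $certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign

    # Build the chain from the local certificate stores. Revocation checking is
    # skipped so the result reflects the trust path only (assumption: CRL
    # reachability from this machine is tested separately).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    New-Object PSObject -Property @{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        NotAfter          = $cert.NotAfter
        # The PFX must carry the private key, or TMG cannot sign with it
        HasPrivateKey     = $cert.HasPrivateKey
        # Template step: all key usages deselected except Certificate Signing
        CertSignOnly      = ($ku -ne $null) -and ($ku.KeyUsages -eq $certSign)
        # Duplicated from the Subordinate Certification Authority template
        IsCA              = ($bc -ne $null) -and $bc.CertificateAuthority
        # Assumption: "Do not allow subject to issue certificates to other CAs"
        # appears in the certificate as a path length constraint of 0
        PathLengthZero    = ($bc -ne $null) -and $bc.HasPathLengthConstraint -and
                            ($bc.PathLengthConstraint -eq 0)
        ChainsToTrustedCA = $trusted
        ChainRoot         = $root
    }
}

# Usage (placeholder path):
# Test-HttpsiPfx -Path 'C:\Temp\tmg-httpsi.pfx' -Password (Read-Host 'PFX password' -AsSecureString)
```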

Import the HTTPSi Certificate Using the Forefront TMG Management Console

Open the Forefront TMG Management Console and select the Web Access Policy node. Click on the Configure HTTPS Inspection option from the Tasks pane.

Select the Import a certificate option and click the Import button to browse to the location of the previously saved HTTPSi certificate PFX file. When prompted, provide the password used previously to protect the PFX file.

To validate that the certificate has been imported successfully, click the HTTPS Inspection Trusted Root CA Certificate Options button, followed by the View Certificate Details… option.

The existing self-signed Forefront TMG certificate should now have been replaced by a certificate titled Microsoft Forefront TMG HTTPS Inspection Certificate Authority (or chosen name) which appears to have been issued and signed by the internal CA.


So, you should now have successfully completed the HTTPSi configuration and all we need to do is test the final deployment.

Test HTTPSi 

Finally, in order to test HTTPS inspection, we can simply browse to a HTTPS enabled web site using TMG as our proxy server and examine the SSL certificate properties.

Using IE with an example URL of https://www.amazon.com, you should see the following:


As can be seen, the issuer is now shown as the Microsoft Forefront HTTPS Inspection Certificate Authority (or the name chosen). This should be the same name given as the Common Name (CN) value defined for the HTTPSi certificate during the request process.

If you examine the certificate chain, you should also now see that the website certificate chains to the internal CA, as shown below:


It is interesting to note that if the destination website is using Extended Validation (EV) certificates, the use of HTTPSi will break the default behaviour of IE and will not present the usual ‘green address bar’ for a highly trustworthy web site.

This is an expected limitation that is well documented in the TMG Unsupported Configurations document available here.

Update: Adrian Dimcev also covers some interesting thoughts on this particular area (and some overlap with this article) in his recent blog entry here.

So, that completes our walkthrough, which hopefully provides a good overview of the process involved.

As certificates are a common cause of frustration for many administrators, I plan to provide some more blog articles on the subject of issuing certificates very soon, this time for use with a Unified Access Gateway (UAG) DirectAccess deployment…

16 comments:

  1. Interesting post. However, have you tried it with a webserver that requires SSL-Client Certificates? Does UAG generate those as well for the connection to the HTTPS server? Or how would that work out?

    Cheers,

    Toby

  2. awesome article thank you

  3. Hi, only one comment about your interesting post. Maybe someone, like a medium organization, has more than one domain controller, and VPN connections with slow connections. All the domain controllers have to replicate their connections before the template can be generated using New Certificate Template to Issue. Maybe someone cannot see the template while the replication of all AD DCs is performed. Very good post friend, thx a lot for your time and effort.

  4. Is this CA configured as a Standalone or as an Enterprise?

    I have mine configured as Enterprise, but I notice that the result from following these steps differs in my setup. Some functionality, like the r-click menu on CA Templates node, is different.

  5. Yep, Windows Server 2008 Enterprise subordinate CA with offline Root CA.

  6. Hello,
    Thanks for the nice article. Although, I have the following issue: Https inspection certificate is correctly loaded. When I view it from the "View Certificate Details… option" the whole chain of certificate from the PKI is well recognized but when TMG does HTTPSi, the on-the-fly generated certificate does not include the whole chain. Therefore, my clients do not trust the CA.

  7. So what's the process for doing this using an Enterprise Root CA on Windows Server 2008 R2 SP1?

    If I right-click \Console Root\Certificate\Personal I see All Tasks - Request New Certificate. When I click on Active Directory Enrollment Policy and select Next, I see no available certificates...

  8. The method above is for an Enterprise Issuing CA so should be fine for an Enterprise Root CA too.

    Sounds like you missed the step where you assign the new template to your CA...

    Cheers

    JJ

  9. Hi,
    Is there a way to create the certificate using a Standalone CA (there are no certificate templates)?

    Thanks in advance,
    Aleksey
    mailto:gera.a82@gmail.com

  10. How does this process work with Firefox, which uses its own certificate store? In your experience, what's the best way to tackle the inspection certificate with this browser? How about Safari as well?

  11. On the Security tab, when I add the servers and click both the Read and Enroll permissions boxes, I receive the following error "Unable to save permission changes on Copy of Subordinate Certification Authority. Directory object not found."

    Any ideas what would be causing this?

    Replies
    1. Are you logged on with Enterprise Administrator permissions?

    2. Jason: Strangely, I just clicked through the error and it allowed me it. Not real sure what is going on there but I was able to push through the error. Interestingly, I was not logged in with Enterprise Admin credentials; just Domain Admin credentials.

    3. Note: When exporting the HTTPSi cert to PFX format, don't select any of these three options:

      1) Include all certificates in the certification path...
      2) Delete the private key if the export is successful...
      3) Export all extended properties...

      Doing so will cause the import process into TMG to fail.

  12. After following this article exactly, I ran into problems using the CA-issued certificate. I've attached some screenshots that I was able to collect to show you what I encountered. Any ideas or thoughts as to what is going on would be greatly appreciated:

    http://i885.photobucket.com/albums/ac59/Fleebob/8-7-20139-55-02AM.png
    http://i885.photobucket.com/albums/ac59/Fleebob/8-7-20139-56-35AM.png
    http://i885.photobucket.com/albums/ac59/Fleebob/8-7-20139-57-01AM.png
    http://i885.photobucket.com/albums/ac59/Fleebob/8-7-20139-57-28AM.png
    http://i885.photobucket.com/albums/ac59/Fleebob/8-7-20139-57-59AM.png
    http://i885.photobucket.com/albums/ac59/Fleebob/8-7-201310-01-22AM.png
    http://i885.photobucket.com/albums/ac59/Fleebob/8-7-201310-10-41AM.png
    http://i885.photobucket.com/albums/ac59/Fleebob/8-7-201310-11-24AM.png
