  1. #1
    Sheridan

    Install SSL on TMG

    I'm trying to put our (purchased) SSL cert onto our TMG server to secure access to OWA. I've installed the intermediate cert and the actual cert into the Computer certificates using the MMC plugin, and I can see both installed.

    Problem is, when I try and assign the certificate to the listener, TMG shows the certificate as invalid - private key not installed.

    Am I missing a step out? I thought the intermediate cert identified the CA we bought it from, and the certificate itself was for us to secure our site?

  2. #2

    teejay
    Are you sure you've got the right type of certificate? You need a Unified Communications SSL certificate with all the subject alternative names (OWA url, autodiscover url and internal CAS server names).

  3. #3
    jamesfed
    Did you create the cert request on the same server as TMG?

    If not then import the cert onto the server that you created the request on then right click and select export - you should have the option to include the private key and it will require you to select a password.
    Then import this exported key onto your TMG server (again enter the password) and this should show as a valid key.

    Even if you created the cert request on the TMG server try this anyway as any key that you get from a provider won't include the private key and so it needs to be mashed into the cert to make it work.

  4. #4
    Sheridan
    Ahh no I used an internal web server to create the CSR, I'll try importing and exporting it from there!

    Edit - when I try this there is no option to export the private key? I requested a domain wildcard ssl for several sites/subsites that will be on our domain so the cert shows *.domain
    Last edited by Sheridan; 8th July 2011 at 03:56 PM.

  5. #5

    SYNACK
    Are you trying to export it from the MMC or the IIS? Sometimes you can grab it out of IIS easier depending on the server version.


  7. #6
    jamesfed
    Quote, originally posted by Sheridan:
        Ahh no I used an internal web server to create the CSR, I'll try importing and exporting it from there!

        Edit - when I try this there is no option to export the private key? I requested a domain wildcard ssl for several sites/subsites that will be on our domain so the cert shows *.domain

    You might have the problem described here then - Certification Authority Maintenance

    Give the repair store command a go (at the very bottom of the Microsoft part of the article); you can find the cert's hex key by going into its properties.

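Added example, not part of any post in this thread: one way to check which certificates in the Computer\Personal store lack an associated private key and to try the repair store command mentioned above. It assumes the "hex key" is the certificate's thumbprint (certutil also accepts the serial number), that it is run from an elevated prompt on the server where the CSR was generated, and that `$Thumbprint` is a placeholder to be replaced.

```powershell
# Added example. Run elevated on the server that generated the CSR,
# because -repairstore can only re-link a key that exists on this machine.
# $Thumbprint is a placeholder; copy the real value from the certificate's
# Details tab (spaces from the dialog are stripped below).
$Thumbprint = '<THUMBPRINT-PLACEHOLDER>'

function Get-KeyStatus {
    # Every certificate in Computer\Personal with its private-key state.
    Get-ChildItem Cert:\LocalMachine\My |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

Get-KeyStatus | Format-Table -AutoSize

$wanted = ($Thumbprint -replace '\s', '').ToUpper()
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $wanted }

if (-not $cert) {
    Write-Warning "No certificate with that thumbprint in LocalMachine\My."
}
elseif ($cert.HasPrivateKey) {
    Write-Output "Private key is already associated; export with the key from this server."
}
else {
    # Ask Windows to re-associate the certificate with its stored key pair.
    certutil -repairstore my $cert.Thumbprint
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil -repairstore failed; the matching key may not be on this machine."
    }
    else {
        # Re-read the store: HasPrivateKey should now be True.
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $wanted } |
            Select-Object Subject, HasPrivateKey
    }
}
```

Once `HasPrivateKey` is True, the certificate can be exported with its key to a password-protected file and imported on the TMG server, as described in post #3.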

  9. #7
    bio

  10. #8
    Sheridan
    Finally got it to export with the private key - from the server where the CSR was created but using the IIS dialogue instead of the MMC - bit of a carry on but got there in the end. Cheers for the ideas!

  11. #9
    jamesfed
    Quote, originally posted by Sheridan:
        Finally got it to export with the private key - from the server where the CSR was created but using the IIS dialogue instead of the MMC - bit of a carry on but got there in the end. Cheers for the ideas!

    Good to hear it worked in the end! Personally I hate all the messing around that needs to be done with SSLs and it's why we get them on a 5 year basis!

  12. #10
    Sheridan
    I'm still messing about with this. Installed the cert onto the TMG and it's now securing the OWA site I wanted to publish. Works fine generally with IE browsers and seems to still generate a warning on Firefox/Seamonkey.

    So I merged the server certificate and intermediate certificate together, and imported that. Same problem. Oddly the TMG shows the certificate as valid all the way up the certification chain so it has no problem with the intermediate CA, so what is Firefox's issue with the certificate? Even more odd, the same certificate is installed on our Citrix access gateway and all the browsers I've tried so far (Firefox, IE, Seamonkey, Safari) have been happy with it!

  13. #11
    gshaw
    Is it an ipsCA certificate by any chance?

  14. #12
    Sheridan
    No, it's a GlobalSign one from reg123 - it's a domain wildcard one.
