10 February 2011

Exporting and Importing SSL certificate chains in IIS and TMG

My personal belief nowadays is that any business or corporate application should be published exclusively over HTTPS, because HTTP is just plain text. Usernames and passwords, all data, everything goes over the wire in plain text that can be intercepted and sniffed.

This was traditionally offset by the performance penalty associated with the encryption and decryption process, but that has not been a factor since CPUs hit GHz speeds. As for the "perceived" size increase from adding SSL encryption, it can be called minuscule, and it has not been a factor since the end of the 28,800 modem days.

To publish an Application in TMG with HTTPS you need the certificate to attach to your listener.

Exporting Certificates
Exporting and importing certificates is best done from the MMC console.

Typically a certificate is created on an IIS machine by requesting a certificate, submitting the certificate request, receiving the certificate and completing the certificate request process. The certificate can then be exported.


  • Open the MMC console
  • File - Add/Remove Snap-in
  • Select Certificates and click Add
  • When prompted, select to manage certificates for "Computer account"
  • Select Local Computer
  • Once open, expand Certificates - Personal - Certificates


Find the certificate that needs to be exported.
Right-click - All Tasks - Export

Follow the wizard and respond as follows when prompted:


  • Yes, export the private key
  • Include all certificates in the certification path if possible
  • Export all extended properties
  • Specify a password
  • Specify a file name


This will now give you a single PFX certificate file that you can import. It should also contain any other certificates required higher up in the certificate chain. If not, you will have to import those manually.

In the image you can see that the icons are different. The first two are the root and intermediate certificates, which exclude the private key. The third one, the one we just exported, contains the private key. This is what is needed to import the certificate successfully into TMG.


Importing the certificate

You will have to follow this process for every TMG server in your array.


  • Copy the file to the TMG server
  • Open the MMC console
  • File - Add/Remove Snap-in
  • Select Certificates and click Add
  • When prompted, select to manage certificates for "Computer account"
  • Select Local Computer
  • Once open, expand Certificates - Personal - Certificates
  • Right-click Certificates - All Tasks - Import


Follow the wizard and provide the following when prompted:

  • File name (of your exported certificate)
  • The password specified during the export
  • Un-check "Mark this key as exportable"
  • Check "Include all extended properties"
  • Automatically select the certificate store based on the type of certificate
  • Delete the certificate file you copied earlier


Once the import is complete, refresh the view. You should now see the new certificate in the Personal store. If you browse down to the Intermediate and Trusted Root certificate stores you should also see the additional certificates.

Double-click your new certificate.
It should show that everything is working 100%, unless there is a red X on the certificate icon.
On the Certification Path tab you should see a complete chain all the way to the top.

Once completed on all the TMG servers you can now choose this for use in a listener.

Important step - If the certificate contains intermediate or root certificates, you will have to reboot the TMG server(s) before it will function correctly.
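As an added example (not part of the original post), the same export, import and verification steps can be scripted with the PKI PowerShell cmdlets on Windows 8 / Server 2012 or later; it also checks the failure mode described above, a PFX that lacks the chain certificates so the imported certificate shows a red X. The subject, path and password below are placeholders.

```powershell
# Added example: scripted equivalent of the MMC export/import steps described in the post.
# Assumes the PKI module (Export-PfxCertificate, Import-PfxCertificate, Get-PfxData).
$subject     = 'CN=app.example.com'          # placeholder: subject of the IIS certificate
$pfxPath     = 'C:\temp\app-with-chain.pfx'  # placeholder: where the PFX is written/copied
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# --- On the IIS machine: export end-entity cert + private key + chain as one PFX ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $subject" }
# -ChainOption BuildChain is the cmdlet equivalent of the wizard's
# "Include all certificates in the certification path if possible"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
                      -ChainOption BuildChain | Out-Null

# Confirm the PFX really carries the chain before copying it to each TMG server
$pfx = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
"End-entity certs: $($pfx.EndEntityCertificates.Count); chain certs: $($pfx.OtherCertificates.Count)"
if ($pfx.OtherCertificates.Count -eq 0) {
    Write-Warning 'PFX contains no intermediate/root certificates; import those manually'
}

# --- On each TMG server: import the PFX. Omitting -Exportable matches the wizard's
#     "Un-check Mark this key as exportable", so the key cannot be exported again. ---
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My `
                                  -Password $pfxPassword |
            Where-Object HasPrivateKey | Select-Object -First 1
Remove-Item $pfxPath   # delete the copied file, as the post recommends

# --- Verify: private key present and the path builds to a trusted root (no red X) ---
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($imported)
"Private key: $($imported.HasPrivateKey); chain valid: $chainOk; elements: $($chain.ChainElements.Count)"
if (-not $chainOk) {
    # Each status entry explains why the path is broken (e.g. untrusted root, missing issuer)
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
```

Run the first half on the IIS server and the second half on every TMG server in the array; the chain check is the scripted form of the Certification Path tab inspection.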

Assign certificate to a listener

Create your listener as per usual.

  • On the Connections tab, select "Enable SSL (HTTPS) connections on port:" and leave it at 443
  • (Optional but recommended: choose "Redirect all traffic from HTTP to HTTPS")
  • From the Certificates tab, click the Select Certificate button

You should now see only valid certificates, and your exported and imported certificate should be available.



You can now use your listener to publish your site in SSL.
