
Tuesday, May 5, 2015

How to Renew a Server Certificate on a Forefront TMG Standalone Array in a Workgroup Environment

Steps to follow to renew the server certificate on the TMG Configuration Storage server.

Creating a server certificate for the TMG Configuration Storage server via a CA:

Prerequisites
  1. You must have a local Certification Authority that can issue certificates for the TMG servers.
  2. You must have access to an IIS server, which will be used to create the certificate request.

Creating the Certificate Request from IIS:

  1. Open the IIS Manager, click on the server name node in the left pane and click on "Server Certificates" in the middle pane.
  2. Click on "Create Certificate Request" in the right pane.
  3. In the "Common name" field type the Fully Qualified Domain Name (FQDN) of the TMG server that will act as the Array Manager. If your Array Manager server name is TMG01 and the workgroup name is workgroup.local, then use "TMG01.workgroup.local". Fill in the remaining fields as per your organizational details (OU, Location, Country, etc.).
  4. Choose "Microsoft RSA SChannel Cryptographic Provider" as the "Cryptographic service provider" and 2048 as the "Bit length".
  5. Save the certificate request as C:\tmg01.req.

Creating the certificate based on the request file created in the section above

  1. Log on to the CA computer and browse to http://localhost/certsrv.
  2. Click "Request a certificate".
  3. Select "Advanced Certificate Request".
  4. Click on "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file".
  5. Paste the contents of the tmg01.req file that we created earlier from IIS into the "Base-64-encoded certificate request" field. If you have a drop-down list of Certificate Templates, select the "Web Server" template.
  6. Your certificate request is now submitted to the CA. If the "Request Handling" property of your CA is set to issue certificates automatically, you will be presented with a page from which you can download the issued "cer" file. Click on "Download certificate" and save the file as C:\tmg01.cer.
  7. If "Request Handling" is set to manual issuance by the administrator, perform the following steps.
  8. Open the "Certification Authority" console on your Issuing CA server and click on "Pending Requests". You should see your request in the right pane.
  9. Right-click the request and select All Tasks > Issue.
  10. Browse to the CA web site again (https://yourservername/certsrv) and click "View the status of the pending certificate request". Your "Saved-Certificate Request" should be listed there.
  11. Download the "cer" file as we did in Step 6.
  12. Return to the IIS Manager console from which you created the certificate request and select "Complete Certificate Request".
  13. In the "Specify Certificate Authority Response" screen, browse to the "cer" file you downloaded from the CA and enter a friendly name for the certificate. I usually type the same name as the common name.
  14. You have now completed the procedure for issuing the "Server Authentication" certificate. If you open the "Local Computer" Certificates store on the server where you requested the certificate, you should see the certificate in the Personal > Certificates folder. The certificate icon should show a little yellow key, which means that you have both the private and the public key. We must export the certificate with both keys so that we can import it on our TMG server.
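The same request, issue and complete cycle can be done from the command line with certreq.exe, which ships with Windows. The script below is an added example and is not part of the original post; it assumes the array manager FQDN TMG01.workgroup.local and the file names C:\tmg01.req / C:\tmg01.cer from the post, and a placeholder CA configuration string (CA01.corp.local\CompanyRootCA) that you must replace with your own. The final check is the one worth keeping even if you use the IIS wizard: after "Complete Certificate Request" the certificate must sit in LocalMachine\My with a private key, otherwise the later PFX export will fail.

```powershell
# Added example (not from the original post): command-line equivalent of the
# IIS "Create Certificate Request" / certsrv / "Complete Certificate Request"
# steps, using certreq.exe.
# Assumptions: FQDN TMG01.workgroup.local, request/cert paths from the post,
# and a placeholder CA config string that must be replaced with your CA's.

$Fqdn     = 'TMG01.workgroup.local'
$ReqInf   = 'C:\tmg01.inf'
$ReqCsr   = 'C:\tmg01.req'
$CerOut   = 'C:\tmg01.cer'
$CaConfig = 'CA01.corp.local\CompanyRootCA'   # placeholder: "<CAMachine>\<CAName>"

# certreq INF: 2048-bit RSA in the SChannel provider, stored in the machine
# store and marked exportable (the private key has to go into the PFX later),
# Server Authentication EKU only, key usage = digital signature + key encipherment.
@"
[NewRequest]
Subject = "CN=$Fqdn, OU=IT, O=Company, L=City, S=State, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $ReqInf -Encoding ASCII

# 1. Generate the key pair and the PKCS #10 request (IIS steps 1-5).
certreq -new $ReqInf $ReqCsr

# 2. Submit the request to the CA (the certsrv web page, steps 1-6).
#    If the CA issues manually, certreq prints a RequestId; after the admin has
#    issued it, fetch the cert with:  certreq -retrieve -config $CaConfig <RequestId> $CerOut
certreq -submit -config $CaConfig $ReqCsr $CerOut

# 3. Bind the issued certificate to the pending private key
#    (IIS "Complete Certificate Request", steps 12-13).
certreq -accept $CerOut

# 4. Verify (step 14): newest certificate for the FQDN must have a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($null -eq $cert)          { throw "No certificate for $Fqdn in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; certreq -accept did not bind it" }
"Issued: {0}  Thumbprint: {1}  Expires: {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
```

Run it in an elevated PowerShell on the IIS (or any) server that should hold the key. The newest-certificate filter matters during a renewal: the expiring certificate with the same CN is usually still in the store, and picking it by subject alone would export the wrong one.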

Exporting the server certificate created in the previous section

To export the server certificate

  1. On the IIS server, from the Start menu, click Run. Type MMC, and then click OK.
  2. In MMC, click File, and then click Add/Remove Snap-in.
  3. In Add/Remove Snap-in, click Add to open the Add Standalone Snap-in dialog box. From the list of snap-ins, select Certificates, and then click Add.
  4. In the Certificates snap-in, select Computer account, and then click Next. In Select Computer, verify that Local computer is selected, and then click Finish. Click Close, and then click OK.
  5. In the MMC console, expand Certificates, expand Personal, and click Certificates.
  6. In the details pane, right-click the certificate you just created (it will show the fully qualified domain name (FQDN) of the configuration storage server), point to All Tasks, and select Export.
  7. On the Welcome page of the Certificate Export Wizard, click Next.
  8. On the Export Private Key page, select "Yes, export the private key", and then click Next.
  9. "Personal Information Exchange - PKCS #12 (.PFX)" should be selected. Clear all the checkboxes and click Next.
  10. On the Password page, you may provide and confirm a password, and then click Next.
  11. On the File to Export page, click Browse and browse to the location where you want to store the exported certificate file. This can be any location on that machine from which the file can be easily retrieved by the Forefront TMG installation when installing the Forefront TMG services, which include the configuration storage server. Click Next.
  12. On the summary page, click Finish.
  13. Now that we have our certificate ready for import, there is still one thing we must do. Since we are creating the TMG array in workgroup mode, we must import the root certificate of the CA that issued the certificate on all of the TMG servers that will participate in the array. But first we must export the root CA certificate from a computer that has it.
  14. Open the "Local Computer" Certificates store on the Issuing CA computer, or on some other computer that is a member of the domain where the CA resides.
  15. Navigate to Trusted Root Certification Authorities > Certificates, right-click the root certificate of the CA that issued your certificate and select All Tasks > Export.
  16. Select "DER encoded binary X.509 (.CER)" and click Next.
  17. Save the "cer" file to disk. In our example it is C:\CompanyRootCA.cer.
  18. We now have both the PFX file, which contains the public and private keys for the TMG computer certificate, and a CER file, which contains the public key of our root CA. The next step is to import the root certificate on each TMG server that will participate in the array and to import the "Server Authentication" certificate.
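Both exports above (the PFX with the private key, steps 6-12, and the DER-encoded root, steps 14-17) can be scripted with the .NET X509Store classes, which also run on the PowerShell 2.0 that ships with Windows Server 2008 R2 where the newer PKI cmdlets are not available. This is an added example, not code from the post; it assumes the server certificate subject begins with CN=TMG01.workgroup.local, a root CA named CompanyRootCA, and the output paths C:\tmg01.pfx and C:\CompanyRootCA.cer. It also adds a check the wizard does not give you: that the root you exported is really the one at the top of the server certificate's chain.

```powershell
# Added example (not from the original post): export the server certificate as
# PKCS #12 with its private key and the issuing root CA as a DER .cer file.
# Assumptions: subject CN TMG01.workgroup.local, root CA CN CompanyRootCA,
# output paths below.

$ServerCn = 'TMG01.workgroup.local'
$RootCn   = 'CompanyRootCA'
$PfxPath  = 'C:\tmg01.pfx'
$RootPath = 'C:\CompanyRootCA.cer'

function Get-StoreCert {
    param([string]$StoreName, [string]$SubjectCn)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        # Newest matching certificate wins: after a renewal the expiring one is usually still there.
        $store.Certificates |
            Where-Object { $_.Subject -like "CN=$SubjectCn*" } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    } finally { $store.Close() }
}

# --- Server certificate -> PFX (steps 6-12) ---
$cert = Get-StoreCert -StoreName 'My' -SubjectCn $ServerCn
if ($null -eq $cert)          { throw "No certificate with CN=$ServerCn in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key and cannot be exported as PFX" }

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
try {
    $pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
} catch [System.Security.Cryptography.CryptographicException] {
    # Happens when the key was generated without the "exportable" flag.
    throw "Private key is not marked exportable; re-issue the request with an exportable key"
}
[System.IO.File]::WriteAllBytes($PfxPath, $pfxBytes)

# --- Root CA certificate -> DER .cer (steps 14-17) ---
$root = Get-StoreCert -StoreName 'Root' -SubjectCn $RootCn
if ($null -eq $root) { throw "Root CA $RootCn not found in LocalMachine\Root" }
# X509ContentType.Cert = DER-encoded certificate only, never a private key.
[System.IO.File]::WriteAllBytes($RootPath, $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# --- Sanity check: the exported root must be the top of the server cert's chain ---
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($cert)
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    Write-Warning "Server certificate chains to '$($chainRoot.Subject)', not to $RootCn; the TMG servers need that root instead"
}
"PFX:  $PfxPath  ($($cert.Thumbprint))"
"Root: $RootPath ($($root.Thumbprint))"
```

The PFX now holds the private key, so treat the file and its password like a credential: copy it to the array manager over an authenticated channel and delete the copies once TMG has imported it.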

Installing the storage server certificate

  1. Open the "Local Computer" Certificates store on each TMG server and import the root certificate "cer" file into "Trusted Root Certification Authorities".
  2. In the Forefront TMG Management console, in the tree, click the System node, and in the details pane, click the Servers tab.
  3. In the Tasks tab, click Install Server Certificate.
  4. Browse for the server certificate (the PFX file) on the TMG array manager TMG01.
  5. Make sure that the "Automatically create the root CA certificate on this array manager" check box is not selected. Whenever it was checked, it resulted in an error.
  6. If you now open the Certificates store for the Windows service named ISASTGCTRL, you should see the imported certificate with its private key in the Personal store.

Testing the connection

  1. Now there is only one thing left, and that is to test the secure LDAP connection to the Array Manager server. We will use ldp.exe for this. You should be able to run it from your TMG servers.
  2. Open ldp.exe and click Connection > Connect. Type the FQDN of your TMG server that will act as the Array Manager and type 2172 as the port number, as this is the port on which the ISASTGCTRL service listens. Select SSL and click Connect.
  3. If the connection is successful you will see a screen like the following (screenshot not reproduced here).
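The root import from step 1 of "Installing the storage server certificate" and the ldp.exe test above can be done together from PowerShell on each array member. The script below is an added example, not part of the original post; it assumes the root file C:\CompanyRootCA.cer and the array manager TMG01.workgroup.local, and uses port 2172 named in the post. Unlike ldp.exe, which only reports success or failure, it performs the TLS handshake with SslStream and then validates the presented certificate itself, so a failure tells you whether the name, the expiry, the chain or (after a renewal) the wrong thumbprint is the problem.

```powershell
# Added example (not from the original post): run on each TMG array member.
# 1. imports the root CA into Trusted Root Certification Authorities (certutil)
# 2. connects to the array manager's ISASTGCTRL SSL LDAP port and checks the
#    certificate it presents against this machine's trust store.
# Assumptions: root file C:\CompanyRootCA.cer, array manager
# TMG01.workgroup.local, optional thumbprint of the newly installed cert.

$RootCerPath        = 'C:\CompanyRootCA.cer'
$ArrayMgr           = 'TMG01.workgroup.local'
$Port               = 2172
$ExpectedThumbprint = ''   # paste the new certificate's thumbprint here after a renewal

# Step 1 of "Installing the storage server certificate" (idempotent; needs elevation).
certutil -addstore -f Root $RootCerPath | Out-Null

function Test-StorageServerTls {
    param([string]$HostName, [int]$Port, [string]$ExpectedThumbprint = '')

    # Accept any certificate during the handshake; validation is done below so
    # the reason for a failure is reported instead of a bare AuthenticationException.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    $problems = @()
    if ($cert.Subject -notlike "CN=$HostName*") {
        $problems += "subject '$($cert.Subject)' does not match $HostName"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        $problems += "certificate expired on $($cert.NotAfter)"
    }
    if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
        $problems += "service still presents $($cert.Thumbprint), not the renewed certificate"
    }

    # Build the chain against the roots trusted on *this* machine, i.e. what the
    # local TMG services will see. Revocation is skipped because a workgroup
    # CA's CRL is frequently unreachable from the array members.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }

    New-Object PSObject -Property @{
        Host       = $HostName
        Port       = $Port
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Problems   = $problems
        Healthy    = ($problems.Count -eq 0)
    }
}

Test-StorageServerTls -HostName $ArrayMgr -Port $Port -ExpectedThumbprint $ExpectedThumbprint | Format-List
```

If Healthy is false with a chain problem such as "A certificate chain processed, but terminated in a root certificate which is not trusted", the root import on that member did not take; a name mismatch usually means the certificate was requested for the short host name instead of the FQDN the array members use to reach the manager.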

Reference: http://www.itsolutionbraindumps.com/2011/01/how-to-properly-issue-certificate-for.html

Cheers!