HOW TO: Export, Install, and Configure Certificates to Internet Security and Acceleration Server

Article translations Article translations
Article ID: 324167 - View products that this article applies to.
This article was previously published under Q324167
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
For more information about IIS 7.0, visit the following Microsoft Web site:
http://www.iis.net/default.aspx?tabid=1
Expand all | Collapse all

On This Page

SUMMARY

This step-by-step article describes how to set up Internet Security and Acceleration (ISA) Server to host Web sites by using the Secure Sockets Layer (SSL) protocol.

NOTE: This article assumes that you have already requested and installed a certificate on your Web server. If you have not done this, see the Microsoft Internet Information Server (IIS) or Internet Information Services (IIS) Help file for information about how to request an SSL certificate from an Internet certification authority.

For efficiency, you can consider server publishing the SSL site by using the HTTPS Server protocol. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
298900 How to Publish SSL Web Sites by Using Server Publishing

Export a Web Server Certificate

To set up ISA Server to host Web sites by using the SSL protocol, you must export the SSL certificate of the Web site with the associated key. If you do not have this key, you cannot use this certificate for SSL with ISA Server.

Export a Web Server Certificate from IIS 5.0

  1. Open a blank Microsoft Management Console (MMC).
  2. Add the Certificates snap-in.
  3. When you are prompted, select Computer Account and Local Computer.
  4. Expand Personal, and then expand Certificates. A certificate with the name of your Web site appears in the "Issued To" column.
  5. Right-click your certificate, click All Tasks, and then click Export.
  6. In the Export window, click Next.
  7. Click Yes, export the private key, and then click Next.

    NOTE: If you do not have the option to click Yes in the Export Private Keys window, the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on ISA Server. You must request a new certificate for this site for ISA Server.
  8. Select Personal Information Exchange, and then click to select the check boxes for all three options.
  9. Assign a password and confirm it.
  10. Assign a file name and location.
  11. Click Finish. Make sure that you safeguard the file that you just created, because your ability to use the SSL protocol depends upon this file.
  12. Copy the file that you created to ISA Server.

Export a Web Server Certificate from IIS 4.0

  1. Click Start, click Run, type keyring.exe, and then click OK.
  2. Click the key that you want to export from Key Manager. Note that Web keys are located in the Www folder.
  3. Click Key, click Export Key, click Backup File, and then click OK.

    NOTE: You must read and understand the following Key Manager warning:
    This operation places sensitive information in a file on your hard drive. While you will be required to enter a password to use it again, loss or copying this file may compromise your security.
  4. Assign a file name and location.
  5. Click Save. Make sure that you safeguard the file that you just created, because your ability to use the SSL protocol depends upon this file.
  6. Copy the file that you created to ISA Server.

Install the Certificate to ISA

Install the Certificate to ISA or IIS from IIS 5.0

To import a key file from another server, follow these steps:
  1. On ISA Server, open the MMC, and then add the Certificate snap-in.
  2. Click the Personal folder.
  3. Right-click All Tasks, and then click Import.
  4. In the Import Wizard, click Next.
  5. Make sure that your file is listed, and then click Next.
  6. Type the password for this file.
  7. Click to select the Mark the private key as exportable check box.
  8. Leave the import setting as Automatically, and then click Next.
  9. Click Finish.
  10. Under the Personal folder, when you see a subfolder named Certificates, click the Certificates folder and verify that you see a certificate with the name of the Web computer.
  11. Right-click the certificate, and then click Properties.
  12. Examine the Intended Purposes field of the certificate. If this field is set to All instead of listing specific purposes, you must perform the following steps before ISA Server can recognize the certificate:
    1. In the Certificate Services snap-in, open the Properties dialog box of the relevant certificate.
    2. Change the Enable all purposes for this certificate option to the Enable only the following purposes option, select all the items, and then click Apply.

Install the Certificate to ISA or IIS from IIS 4.0

To import a key file from another server, follow these steps:
  1. Click Start, click Programs, click Administrative Tools, and then click Internet Services Manager.
  2. Select the Web site that you want to enable SSL on.
  3. Open the properties of that Web site, and then click the Directory Security tab.
  4. Under Secure Communications, click Server Certificate to open the new Web Site Certificate Wizard.
  5. Click Next, and then select Import a certificate from a key manager backup file.
  6. Click Next.
  7. Type the location of your backup *.key file, and then click Next.
  8. Type the password that you set when you made the backup, and then click Next.
  9. Double-check the summary data to verify that this is the key that you want to import, and then click Next.
You can now use SSL on the new Web server by using the key pairs that you backed up from the old server. Make sure that you secure the old key file so that no one has access to the file.

Configure the Certificate in ISA

Open the ISA Manager and complete the SSL installation:
  1. Right-click the server that is going to accept the incoming connection, and then click Properties.
  2. Click the Incoming Web Requests tab.
  3. Click the Internet Protocol (IP) address entry for the site that you are going to host, or the all IP addresses entry if you do not have individual IP addresses set up.
  4. Click Edit.
  5. Click to select the Use a server certificate to authenticate to web users check box.
  6. Click Select.
  7. Select your previously imported certificate.
  8. Click OK.
  9. Click to select the Enable SSL listeners check box.
  10. Expand the Publishing folder, and then click Web Publishing Rules.
  11. Double-click the Web publishing rule that will route the SSL traffic.
  12. On the Bridging tab, locate Redirect SSL requests as, and then select HTTP requests (terminate the secure channel at the proxy).
  13. Click OK.
  14. Restart ISA Server.

REFERENCES

For additional information about ISA, Web publishing and SSL, click the article numbers below to view the articles in the Microsoft Knowledge Base:
298900 How to Publish SSL Web Sites by Using Server Publishing
313072 HOW TO: Configure the Web Publishing Service to Work with Internet Security and Acceleration Server in Windows 2000
305052 Configuring Web Publishing Rules to Host Multiple Web Sites with Host Headers in ISA Server
296620 The Internet Clients Cannot Access the Published Web Servers

Properties

Article ID: 324167 - Last Review: July 3, 2008 - Revision: 4.2
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
Keywords: 
kbproductlink kbenv kbhowtomaster KB324167

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com