Someone asked how to install certificates acquired for Exchange 2007 on an ISA 2006 server when publishing services such as Outlook Web Access.
Although ISA is growing old, and though Microsoft intends to discontinue the ISA/TMG product line altogether, there are still organizations that may use the Exchange 2007 - ISA 2006 combination for yet a while.
So, if for some reason the installation of the certificate(s) on the ISA server has not been completed, or needs to be redone, I'll share the procedure I followed below. This post is based on notes I took so that I could reproduce the same operations if needed a second time, or somewhere else.
First of all, I'm going to set the context for this task.
- Besides the certificate delivered for my organization, there was an "intermediate certificate" that I had to install on the Exchange server first. Therefore, we have to install two certificates on the ISA server: a) the intermediate certificate and b) the certificate issued to the organization. It is possible that other certificate authorities operate differently, in which case there may only be one certificate to install.
- Since I saved the intermediate certificate obtained from the certificate authority, I do not need to export it from the Exchange server. In the process described below, I will simply import it as I did on the Exchange server.
- Although the external domain name on my certificate ( mail.mydomain.net ) is that of a domain used solely for practice, I have proceeded as I usually would when posting "private" information on the Internet: the name has been erased.
- Lastly, the operations described below take place in the CERTMGR console. You access this console by typing "mmc" (without quotes) in the Start | Run box. You then add the Certificate Manager console, making sure to use the "Local Computer" option. The certificates in question should be placed in the local computer certificate store and not in the personal user store. I will make the assumption that the reader either knows how to perform this operation or is able to find the information online or elsewhere.
Assuming that the intermediate certificate is still available (otherwise we could export it from the Exchange server), there are 3 steps to the process:
- Export the organization's certificate from the Exchange 2007 server
- Import the intermediate certificate on the ISA 2006 server.
- Import the organization's certificate (exported from the Exchange 2007 server) on the ISA 2006 server.
1. Export certificate from Exchange 2007 server
1.a Export your certificate from the Exchange 2007 server (in the certificate manager console).
On the "Welcome" page, click "Next".
1.b Choose to export the private key. Click "Next" (and on the following screens as appropriate).
1.c Include the extended properties in the export.
1.d Enter a password to protect the private key. Click "Next" and "Finish" as needed.
2. Import the intermediate cert on the ISA 2006 server.
2.a On the ISA server, in the CERTMGR.MSC, browse to the "Certificates" subfolder of the "Intermediate Certification Authorities" parent folder. Select "All Tasks", then "Import":
2.b Browse to the location where you placed the intermediate certificate provided by the third party certification authority. You may have to select the "PKCS #7" option to see the certificate.
2.c Add the selected certificate to the Intermediate Certification Authorities store. Click "Next" or "Finish" as needed.
3. Import the organization's certificate.
3.1 On the ISA server, in the CERTMGR.MSC, go to the Console Root | Certificates (Local Computer) | Personal and right-click on the "Certificates" folder. Select "Import".
3.2 Click "Next" at the Welcome Screen. Browse to the location of the .pfx file (the exported certificate) created in Step 1. Click "Open" and "Next" as needed to import the certificate.
3.3 Enter the password (entered above when the certificate was exported to the .pfx file in Step 1) and check the "Mark the key as exportable" option. Read the details to see why this can be useful.
3.4 Place the certificate in the proper store. If you followed the path correctly above, this should be the Certificates store for the "Local Computer" as opposed to a local user (person). Click "Next" and "Finish" as needed.
3.5 The imported certificate should now appear in the folder.
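For anyone who prefers to script steps 2 and 3 (or to check afterwards that the console work above actually produced a usable certificate), here is an added example that is not part of the original post. It uses the .NET X509Store classes available to PowerShell on the ISA server; the file paths and the .pfx password are placeholders you must replace with your own.

```powershell
# Added example, not from the original post. Assumed inputs: the intermediate
# certificate file from the CA and the .pfx produced in step 1; paths and the
# password below are placeholders.
param(
    [string]$IntermediateCerPath = 'C:\certs\intermediate.p7b',   # assumed path
    [string]$PfxPath             = 'C:\certs\mail.pfx',           # assumed path
    [string]$PfxPassword         = 'PLACEHOLDER-PFX-PASSWORD'     # password chosen in step 1.d
)

# Step 2: import the intermediate certificate into
# Local Computer \ Intermediate Certification Authorities (store name "CA").
# A PKCS #7 (.p7b) file may carry several certificates, so load it as a collection.
$intermediates = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$intermediates.Import($IntermediateCerPath)
$caStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
$caStore.Open('ReadWrite')
foreach ($c in $intermediates) { $caStore.Add($c) }   # Add() skips a certificate already present
$caStore.Close()

# Step 3: import the .pfx (certificate + private key) into Local Computer \ Personal ("My").
#   MachineKeySet = key goes to the local computer store, not a user profile (3.4)
#   Exportable    = same as the "Mark the key as exportable" checkbox (3.3)
#   PersistKeySet = keep the key after this script's objects are released
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'MachineKeySet, Exportable, PersistKeySet'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)
$myStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$myStore.Open('ReadWrite')
$myStore.Add($cert)
$myStore.Close()

# Check: ISA can only publish OWA with this certificate if it has a private key and
# the chain builds on this machine (i.e. the intermediate from step 2 is found).
if (-not $cert.HasPrivateKey) { throw "Imported certificate has no private key" }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline structural check only
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Chain for $($cert.Subject) does not build; is the intermediate certificate missing?"
}
"Chain OK ({0} certificates): {1}" -f $chain.ChainElements.Count, $cert.Subject
```

Run it in an elevated PowerShell session on the ISA server; a chain that does not build is the usual sign that step 2 was skipped or that the certificate landed in the user store instead of the Local Computer store.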
But does it work? Well, following this procedure, I was able to provide published OWA services (published on ISA) for the initial Exchange 2007 installation and then the Exchange 2010 server after the practice migration.
Of course, a complete ISA or TMG installation is more than just importing certificates. There would be much more to configure for such a project.