{"id":287,"date":"2013-12-18T02:10:23","date_gmt":"2013-12-18T02:10:23","guid":{"rendered":"http:\/\/www.itcrumbs.com\/?p=287"},"modified":"2019-02-07T04:39:45","modified_gmt":"2019-02-07T04:39:45","slug":"exporting-and-importing-ssl-certificate-chains-in-iis-and-tmg","status":"publish","type":"post","link":"http:\/\/www.itcrumbs.com\/?p=287","title":{"rendered":"Exporting and Importing SSL certificate chains in IIS and TMG"},"content":{"rendered":"<p><a title=\"http:\/\/fixmyitsystem.com\/2011\/02\/exporting-and-importing-ssl-certificate.html\" href=\"http:\/\/fixmyitsystem.com\/2011\/02\/exporting-and-importing-ssl-certificate.html\">http:\/\/fixmyitsystem.com\/2011\/02\/exporting-and-importing-ssl-certificate.html<\/a><\/p>\n<p>My personal belief nowadays is that any business or corporate application should exclusively be published in HTTPS because really HTTP is just plain text.&#160; Usernames and passwords, all data etc., all going in plain intercept-able, sniff-able plain text.    <br \/>This was traditionally offset by the performance penalty associated with the encryption and decryption process.&#160; But that has not been a factor since CPUs hit GHz speeds.&#160; As for the &quot;perceived&quot; size increase for adding SSL encryption it can be called minuscule, and that has not been a factor since the end of the&#160; 28,800 modem days.    <br \/>To publish an Application in TMG with HTTPS you need the certificate to attach to your listener.    <br \/><b>Exporting Certificates<\/b>    <br \/>Exporting and importing certificates is best done from the MMC console.    
<br \/>Typically a certificate is created on an IIS machine by requesting a certificate, submitting the certificate request, receiving the certificate and completing the certificate request process.&#160; The certificate can then be exported.<\/p>\n<ul>\n<li>Open the MMC console <\/li>\n<li>Files &#8211; Add\/Remove Snap In <\/li>\n<li>Select Certificates and click Add <\/li>\n<li>When prompted, select to manage certificates for &quot;Computer account&quot; <\/li>\n<li>Select Local Computer <\/li>\n<li>Once open, expand Certificates &#8211; Personal &#8211; Certificates <\/li>\n<\/ul>\n<p>Find the certificate that needs to be exported.  <br \/>Right Click &#8211; All tasks &#8211; Export  <br \/>Follow the wizard and respond as follows when prompted:  <\/p>\n<ul>\n<li>Yes, export the private key <\/li>\n<li>Include all certificates in the certification path if possible <\/li>\n<li>Export all extended properties <\/li>\n<li>Specify a password <\/li>\n<li>Specify a file name <\/li>\n<\/ul>\n<p>This will now give you a single PFX certificate file that you can import.&#160; It should also contain any other certificates required higher up in the certificate chain.&#160; If not, you would have to import those manually.  
<br \/>In the image you can see the icons are different.&#160; The first two are the root and intermediate certificates, which exclude the private key.&#160; The third one, which we just exported, contains the private key.&#160; This is needed to import the cert successfully into TMG.  <\/p>\n<p><a href=\"http:\/\/3.bp.blogspot.com\/-vqQO7lEPSJQ\/TVO03nj4OyI\/AAAAAAAAAh8\/3Ov5wB3r14g\/s1600\/1.png\"><img decoding=\"async\" border=\"0\" src=\"http:\/\/3.bp.blogspot.com\/-vqQO7lEPSJQ\/TVO03nj4OyI\/AAAAAAAAAh8\/3Ov5wB3r14g\/s1600\/1.png\" \/><\/a><\/p>\n<p><b>Importing the certificate<\/b>    <br \/>You will have to follow this process for every TMG server in your array.<\/p>\n<ul>\n<li>Copy the file to the TMG server <\/li>\n<li>Open the MMC console <\/li>\n<li>Files &#8211; Add\/Remove Snap In <\/li>\n<li>Select Certificates and click Add <\/li>\n<li>When prompted, select to manage certificates for &quot;Computer account&quot; <\/li>\n<li>Select Local Computer <\/li>\n<li>Once open, expand Certificates &#8211; Personal &#8211; Certificates <\/li>\n<li>Right Click Certificates &#8211; All tasks &#8211; Import <\/li>\n<\/ul>\n<p>Follow the wizard and provide the following when prompted:  <\/p>\n<ul>\n<li>File name (of your exported certificate) <\/li>\n<li>The password specified during the export <\/li>\n<li>Un-check &quot;Mark this key as exportable&quot; <\/li>\n<li>Check Include all extended properties <\/li>\n<li>Automatically select the certificate store based on the type of certificate <\/li>\n<li>Delete the certificate file you copied earlier <\/li>\n<\/ul>\n<p>Once the import is complete, refresh the view.&#160; You should now see the new certificate in the Personal store.&#160; If you browse down to the Intermediate and Trusted Root certificates you should also see the additional certificates.  <br \/>Double click your new certificate.  <br \/>It should show that everything is working 100% unless there is a red X on the certificate.  
<br \/>On the certificate path tab you should see a nice chain all the way to the top.  <\/p>\n<p><a href=\"http:\/\/4.bp.blogspot.com\/-JskOyNeKuqU\/TVO3tBoTl-I\/AAAAAAAAAiA\/zcqQPQsbwwU\/s1600\/2.png\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"http:\/\/4.bp.blogspot.com\/-JskOyNeKuqU\/TVO3tBoTl-I\/AAAAAAAAAiA\/zcqQPQsbwwU\/s400\/2.png\" width=\"400\" height=\"160\" \/><\/a><\/p>\n<p>Once completed on all the TMG servers you can now choose this for use in a listener.   <br \/><b>Important Step<\/b> &#8211; If the certificate contains <b>intermediary or root certificates<\/b> you will have to <b>reboot the TMG server(s)<\/b> before it will function correctly.    <br \/><b>Assign certificate to a listener<\/b>    <br \/>Create your listener as per usual.<\/p>\n<ul>\n<li>On the connections tab specify &quot;Enable SSL (HTTPS) connections on port:&quot;&#160; &#8211; leave it as 443 <\/li>\n<li>(Optional but recommended &#8211; Choose &quot;Redirect all traffic from HTTP to HTTPS&quot;) <\/li>\n<li>From the certificates tab choose the Select certificate button <\/li>\n<\/ul>\n<p>You should now see only valid certificates, and your exported and imported certificate should be available.  <\/p>\n<p><a href=\"http:\/\/4.bp.blogspot.com\/-S90imSX-vhY\/TVO6noOHRkI\/AAAAAAAAAiE\/t3rBu0kYMV8\/s1600\/3.png\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"http:\/\/4.bp.blogspot.com\/-S90imSX-vhY\/TVO6noOHRkI\/AAAAAAAAAiE\/t3rBu0kYMV8\/s400\/3.png\" width=\"400\" height=\"337\" \/><\/a><\/p>\n<p>You can now use your listener to publish your site in SSL.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>http:\/\/fixmyitsystem.com\/2011\/02\/exporting-and-importing-ssl-certificate.html My personal belief nowadays is that any business or corporate application should exclusively be published in HTTPS because really HTTP is just plain text.&#160; Usernames and passwords, all data etc., all going in plain intercept-able, sniff-able plain text. 
This was traditionally offset by the performance penalty associated with the encryption and decryption process.&#160; But [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-287","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/posts\/287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=287"}],"version-history":[{"count":1,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/posts\/287\/revisions"}],"predecessor-version":[{"id":681,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/posts\/287\/revisions\/681"}],"wp:attachment":[{"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=287"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}