Considerations when Renewing Web Listener Certificates on ISA Server 2006

Author:

Yuri Diogenes, Security Support Engineer, Microsoft CSS Forefront Edge Team

Technical Reviewers:

Jim Harrison, Program Manager, Microsoft Forefront Edge CS

Ophir Polotsky, Supportability Program Manager, Microsoft CSS Forefront Edge Team

Nathan Bigman, Content Publish Manager, Network Access and Security Group

When ISA Server is used to terminate SSL sessions for Web publishing, you must provide a valid certificate for the Web Listener to use. Since all certificates have a limited lifetime, the certificate you install for the Web listener will eventually expire. This article discusses what you need to consider when renewing these certificates and the related alerts ISA Server raises to catch your attention.

If you are not familiar with installation and troubleshooting of Web Listener certificates, the following articles are recommended reading:

Digital Certificates for ISA Server 2004

Troubleshooting SSL Certificates in ISA Server 2004 Publishing

Although those articles are titled for ISA Server 2004, the concepts also apply to ISA Server 2006 and Forefront TMG.

Reviewing your Change Control Policy

When a new certificate is created, it includes an expiration date. In a controlled environment where security policies are part of the organization’s model, change control should be a core process. As part of this policy, a process should exist to record changes related to certificate installation. The following information should be recorded:

  • Date and time that the certificate was installed on the Windows Server 2003 computer where ISA Server 2006 is installed.

  • Certificate expiration date.

  • Where the certificate file that contains the private key (PFX) is located.

  • Where the certificate file for the trusted root CA (CER) is located.

By recording that data as part of your change control policy you can easily find it when you need it in the future. The way this data is recorded may vary by company; some companies, for example, have proprietary software that controls those changes and records them in a database. The data custodian is usually the person with administrative control over the electronic file. This simple measure can avoid unexpected downtime for the applications that are published through ISA Server 2006.

It is also important to mention that ISA Server 2006 SP1 introduced a new feature called Change Tracking, which you can use to verify when the ISA Server configuration was changed, who made the change and what was changed. An example of how Change Tracking records a change to a Web listener’s certificate is shown in Figure 1:


Figure 1 - Change Tracking showing a change in the web listener's certificate

Note

For more information about Change Tracking in ISA Server 2006, see the articles about this feature on the ISA Server Team Blog.

Using ISABPA to Analyze Certificate Issues

By using the ISA Best Practices Analyzer (ISABPA) Health Check you can easily see whether there is a certificate problem on the ISA Server computer. These problems are usually related to one of the following:

  • Certificate installed without the private key.

  • Certificate is expired.

  • Certificate was installed in the wrong container.

  • Certificate does not match the publishing rule’s “public names”.

When you run the ISABPA Health Check, it creates a report and shows an error describing the type of issue found with your certificate, as shown in Figure 2:


Figure 2 - ISA BPA triggers an error when there is a certificate issue

In this case the certificate for mail.contoso.com is expired. You can confirm whether a certificate is expired by following the steps below:

  1. Click Start, click Run, and type MMC.

  2. Click File, Add/Remove Snap-in and click Add.

  3. Choose Certificates in the list and click Add.

  4. Select Computer account, click Next, leave Local Computer and click Finish.

  5. Click Close and click OK.

  6. Expand Certificates (Local Computer), Personal and click Computer.

  7. Right-click the certificate that ISA BPA warned you about and click Properties.

  8. First, review the General tab for the validity period of this certificate, as shown in Figure 3:

    Note

    Also check that the private key statement exists; if it does not, this is a WARNING. Check also that the subject agrees with the public name of the rules related to this listener.

    Figure 3 - General tab for an expired certificate

  9. Click the Certification Path tab and also review the message at the bottom of the window, as shown in Figure 4:

    Figure 4 - Certification Path tab for an expired certificate

Later in this article we will explain how to renew an expired certificate such as the one shown above.
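The change control record described earlier and the certificate checks that ISABPA and the MMC steps above perform by hand can also be collected from a script. The following PowerShell script is an added example, not part of the original article or of ISABPA: it inventories the Local Computer Personal store, flags the four problem classes listed above (expired or not yet valid, no private key, no match against the rule public names, and a private-key certificate sitting in the wrong container), and writes the inventory to a CSV for the change control log. It assumes Windows PowerShell 2.0 or later with the Cert: provider; the public names, the 30-day warning window and the output path are constructed values for illustration.

```powershell
# Added example (not from the original article): inventory the Local Computer
# Personal store and flag the certificate problems ISABPA reports.
# Assumes Windows PowerShell 2.0+ with the Cert: provider. $PublicNames and
# $WarnDays are constructed sample values; replace them with your rule's names.
param(
    [string[]] $PublicNames = @('mail.contoso.com', 'owa.contoso.com'),  # constructed sample names
    [int]      $WarnDays    = 30                                         # warn this many days before expiry
)

$now = Get-Date

# One record per certificate: the change-control data the article says to keep
# (expiry date, private key presence) plus the thumbprint, which is what tells a
# renewed certificate apart from the expired one it replaces.
$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $problems = @()

    if ($cert.NotAfter -lt $now)       { $problems += 'EXPIRED' }
    elseif ($cert.NotBefore -gt $now)  { $problems += 'NOT YET VALID' }
    elseif (($cert.NotAfter - $now).Days -le $WarnDays) {
        $problems += "EXPIRES IN $(($cert.NotAfter - $now).Days) DAYS"
    }

    if (-not $cert.HasPrivateKey) { $problems += 'NO PRIVATE KEY' }

    # Collect the subject CN and any Subject Alternative Name DNS entries (OID 2.5.29.17)
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        $san.Format($false) -split ',\s*' | ForEach-Object {
            if ($_ -match 'DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    # A name matches if it is identical or if a wildcard entry (*.example.com) covers it
    $matched = $PublicNames | Where-Object {
        $n = $_
        $names | Where-Object { $_ -eq $n -or ($_.StartsWith('*.') -and $n -like $_) }
    }
    if (-not $matched) { $problems += 'NO PUBLIC NAME MATCH' }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Names         = ($names -join ';')
        Problems      = ($problems -join '; ')
    }
}

$report | Sort-Object Subject, NotAfter |
    Format-Table Subject, Thumbprint, NotAfter, HasPrivateKey, Problems -AutoSize

# Keep a copy for the change-control record (constructed output path)
$report | Export-Csv -Path "$env:TEMP\isa-listener-certs.csv" -NoTypeInformation

# "Wrong container": a certificate that carries a private key but sits in a
# machine store other than Personal (My) is never offered to the Web Listener.
Write-Host "`nPrivate-key certificates outside LocalMachine\My:"
Get-ChildItem Cert:\LocalMachine | Where-Object { $_.Name -ne 'My' } | ForEach-Object {
    $storeName = $_.Name
    Get-ChildItem "Cert:\LocalMachine\$storeName" | Where-Object { $_.HasPrivateKey } |
        Select-Object @{ Name = 'Store'; Expression = { $storeName } }, Subject, Thumbprint
} | Format-Table -AutoSize
```

Run it on each array member, since each member holds its own copy of the certificate; the Problems column maps directly onto the ISABPA findings, and the CSV gives the change control record the thumbprint and expiry date the article asks you to keep.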

Using ISA Management Console to Review Certificates

ISA Server Web Listener management provides visibility into the certificates installed on the computer as well as their functional state.

Note

This example uses ISA Server 2006 Enterprise Edition with two nodes in the array.

  1. Open ISA Server Management Console.

  2. Expand Arrays, Array name, and click Firewall Policy.

  3. In the Toolbox, expand Web Listeners, right-click one of your Web Listeners and click Properties.

  4. Click Certificates and click Select Certificate.

  5. Uncheck the option Show only valid certificates.

  6. Figure 5 shows some examples of the issues you might see:

    Figure 5 - Certificates with problems

In the above screen you can see all three types of status (Valid, Invalid and Expired), and in the bottom part of the window you have a list of the servers affected by the selected certificate. Notice that the bottom part of the window also gives additional certificate information, for instance whether the certificate is correctly installed and whether it is valid. This can assist you in determining which array member (in an enterprise array) is affected by this certificate state.

Note

To troubleshoot certificate issues in general, see the article Troubleshooting SSL Certificates in ISA Server 2004 Publishing.

ISA Server 2006 shows an alert in Monitoring / Alerts informing you when a certificate has expired:


Figure 6 - Alert on ISA Server 2006 SP1

The general description is: The certificate that was issued to <CertificateName> and installed on the ISA Server computer expired or is not yet valid.

Replacing an Expired Web Listener Certificate

The steps that are going to be described here are based on the following assumptions:

  • You already have a new certificate, with its private key (PFX), to replace the expired one.

  • You already trust the root CA that issued the certificate.

  • The steps are independent of where the certificate was obtained (external or internal CA).

Install the new certificate in the certificate store

To install the new certificate in the certificate store:

  1. Click Start, and then click Run. In Open, type MMC, and then click OK.

  2. Click File, click Add/Remove Snap-in, and in the Add/Remove Snap-in dialog box, click Add to open the Add Standalone Snap-in dialog box.

  3. Select Certificates, click Add, select Computer account, and then click Next.

  4. Select Local Computer, and then click Finish. In the Add Standalone Snap-in dialog box, click Close, and in the Add/Remove Snap-in dialog box, click OK.

  5. Expand the Certificates node, and right-click the Personal folder.

  6. Select All Tasks, and then click Import. This starts the Certificate Import Wizard.

  7. On the Welcome page, click Next.

  8. On the File to Import page, browse to the file that you created previously in Procedure 4, and then click Next.

  9. On the Password page, type the password for this file (if it has one), and then click Next.

  10. On the Certificate Store page, make sure the certificate store is set to Personal (the default setting), and then click Next.

  11. On the wizard completion page, click Finish.

Note

If this certificate is installed on more than one array member, repeat steps 1-11 above for each server.

The certificate store will now contain multiple apparently identical certificates: the new certificate and the expired one. Do not remove the old certificate from the container yet, because you will receive an error when you open the Web Listener that still has this certificate associated with it.
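The import wizard steps above can be scripted when the same PFX has to be installed on several array members. The following PowerShell script is an added example and not part of the original article: it imports the renewed PFX into the Local Computer Personal store with a machine-bound, persisted private key, refuses a PFX that has no private key or is already expired, and then lists every certificate with the same subject so that the new and the expired copy can be told apart by thumbprint and expiry date. It assumes Windows PowerShell 2.0 or later; the PFX path and password are placeholders.

```powershell
# Added example (not from the original article): import a renewed Web Listener
# PFX into LocalMachine\My and show it beside the expired certificate it replaces.
# Assumes Windows PowerShell 2.0+. $PfxPath and $Password are placeholders.
param(
    [string] $PfxPath  = 'C:\certs\new-listener.pfx',          # placeholder path to the new PFX
    [string] $Password = 'REPLACE_WITH_PFX_PASSWORD'            # placeholder; see usage note below
)

$x509 = 'System.Security.Cryptography.X509Certificates'

# MachineKeySet: key lives in the machine key container the ISA service can read.
# PersistKeySet: keep the key after the script exits. Exportable is deliberately
# not set, so the key cannot be re-exported from the store; keep the PFX file in
# the location recorded in the change-control log instead.
$flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$keyFlags = $flags::MachineKeySet -bor $flags::PersistKeySet

$newCert = New-Object "$x509.X509Certificate2" ($PfxPath, $Password, $keyFlags)

# Fail early on the two defects the Web Listener would reject later
if (-not $newCert.HasPrivateKey) {
    throw 'The PFX does not contain a private key; the Web Listener cannot use it.'
}
if ($newCert.NotAfter -lt (Get-Date)) {
    throw "The certificate in the PFX expired on $($newCert.NotAfter)."
}

$store = New-Object "$x509.X509Store" ('My', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $store.Add($newCert)   # no-op if this exact certificate is already present
} finally {
    $store.Close()
}

# The store now holds "apparently identical" certificates; thumbprint and
# NotAfter are what distinguish the new one from the expired one.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $newCert.Subject } |
    Sort-Object NotAfter -Descending |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey,
        @{ Name = 'State'; Expression = {
            if ($_.NotAfter -lt (Get-Date))              { 'EXPIRED' }
            elseif ($_.Thumbprint -eq $newCert.Thumbprint) { 'NEW' }
            else                                           { 'VALID' } } } |
    Format-Table -AutoSize
```

Rather than passing the password on the command line, read it with `Read-Host -AsSecureString` and pass the SecureString to the same X509Certificate2 constructor, which accepts it in place of the plain string. Run the script on each array member; the thumbprint printed as NEW is the value to record in the change control log and to look for when you select the certificate on the Web Listener.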

Associate the new certificate with the Web Listener

To associate the new certificate with the Web Listener:

  1. Open ISA Server 2006 Console, and then click Firewall Policy.

  2. Expand Toolbox, expand Web Listeners, right-click the Web Listener that you want to update and click Properties.

  3. Click Certificates and click the Select Certificate button.

  4. Make sure that the certificate shows green as valid, select the certificate and then click the Select button as shown below:


    Figure 7 - New certificate correctly installed on ISA Server 2006

    Note

    If any server indicates that the selected certificate is invalid, you must cancel and correct the indicated problem before you can complete this process successfully.

  5. Click OK and then click Apply.

After applying the changes, make sure that all nodes are synchronized (if you are using ISA Server 2006 Enterprise Edition) as shown below:


Figure 8 - Wait until you see the ISA array members in sync.

Remove the expired certificate

Note

Before performing these steps, make sure that no Web Listener is using this certificate.

To remove the expired certificate:

  1. Click Start, and then click Run. In Open, type MMC, and then click OK.

  2. Click File, click Add/Remove Snap-in, and in the Add/Remove Snap-in dialog box, click Add to open the Add Standalone Snap-in dialog box.

  3. Select Certificates, click Add, select Computer account, and then click Next.

  4. Select Local Computer, and then click Finish. In the Add Standalone Snap-in dialog box, click Close, and in the Add/Remove Snap-in dialog box, click OK.

  5. Expand the Certificates node and expand the Personal folder.

  6. Right-click the expired certificate and click Delete as shown below:


    Figure 9 - Removing the old certificate

    Note

    If this certificate is installed on more than one array member, repeat steps 1-6 above for each server.
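Because the expired and the renewed certificate share the same subject, deleting the wrong one in the MMC is an easy mistake. The following PowerShell script is an added example, not part of the original article: it removes a certificate from the Local Computer Personal store by thumbprint and refuses to touch one that is still inside its validity period, and it appends a line to a change log before deleting. It does not inspect the ISA configuration, so the check that no Web Listener still references the certificate remains a manual step in the ISA console, as the note above requires. It assumes Windows PowerShell 2.0 or later; the thumbprint and log path are placeholders.

```powershell
# Added example (not from the original article): delete an expired certificate
# from LocalMachine\My by thumbprint, never a certificate that is still valid.
# Assumes Windows PowerShell 2.0+. The thumbprint is a placeholder taken from
# the certificate inventory; confirm in the ISA console first that no Web
# Listener uses it (this script cannot check that).
param(
    [Parameter(Mandatory = $true)] [string] $Thumbprint,
    [string] $ChangeLog = "$env:TEMP\isa-cert-changes.log"   # constructed log path
)

# Normalise a thumbprint copied from the MMC (spaces, lower case)
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in LocalMachine\My."
}
if ($cert.NotAfter -ge (Get-Date)) {
    # Guard against deleting the renewed certificate with the same subject
    throw "Certificate $Thumbprint ($($cert.Subject)) is valid until $($cert.NotAfter); refusing to delete it."
}

# Write the change-control entry before the certificate disappears
"$(Get-Date -Format s)`tREMOVED`t$($cert.Thumbprint)`t$($cert.Subject)`tNotAfter=$($cert.NotAfter)" |
    Out-File -Append -FilePath $ChangeLog

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $store.Remove($cert)
} finally {
    $store.Close()
}
Write-Host "Removed expired certificate $Thumbprint ($($cert.Subject)); logged to $ChangeLog."
```

Run it once per array member with the thumbprint of the expired certificate; the validity guard means that pasting the new certificate's thumbprint by mistake produces an error instead of an outage.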

Certificate Considerations for ISA Server CSS in Workgroup Deployments

The other certificate that is critical to ISA Server functionality is the certificate used by CSS when installed in a workgroup environment. The following article discusses this scenario:

ISA Server 2004 Enterprise Edition in a Workgroup

Although that article is titled for ISA Server 2004, the concepts also apply to ISA Server 2006.

The CSS certificate must satisfy the following requirements:

  • Subject name matches the CSS name provided to ISA

  • Enhanced Key Usage includes Server Authentication

  • Includes the private key

  • Key Usage includes Digital Signing and Key Encipherment

  • Issued by a CA for which the ISA Server local machine store holds a current certificate in the trusted root store

  • Installed during CSS installation process

When the certificate used by CSS expires you need to:

  • Install a new server certificate on the Configuration Storage server.

  • Install a root certificate on each array member to indicate that it trusts the Certification Authority that issued the server certificate.

To install the new CSS certificate you must use the ISACertTool for Internet Security and Acceleration (ISA) Server 2006 Enterprise Edition. This tool can be downloaded from the Microsoft Download Center.
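The CSS certificate requirements listed above can be verified on the Configuration Storage server before ISACertTool is run. The following PowerShell script is an added example and not part of the original article or of ISACertTool: it finds certificates in the Local Computer Personal store whose subject CN is the CSS name and checks each one for the Server Authentication EKU, the presence of the private key, the Digital Signature and Key Encipherment key usage bits, and a chain that builds to a root in the machine's trusted root store. It assumes Windows PowerShell 2.0 or later; the CSS name is a constructed sample value.

```powershell
# Added example (not from the original article): check a certificate against
# the CSS requirements (subject name, Server Authentication EKU, private key,
# Digital Signature + Key Encipherment, trusted chain, validity period).
# Assumes Windows PowerShell 2.0+. $CssName is a constructed sample value.
param(
    [string] $CssName = 'css01.contoso.local'   # constructed: the CSS name as given to ISA
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-CssCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [string] $Name
    )
    $x509   = 'System.Security.Cryptography.X509Certificates'
    $result = @{}

    # Subject name must equal the CSS name provided to ISA (compared on the CN)
    $result['SubjectMatches'] = ($Cert.Subject -match 'CN=([^,]+)') -and ($Matches[1].Trim() -ieq $Name)
    $result['HasPrivateKey']  = $Cert.HasPrivateKey

    # Enhanced Key Usage must include Server Authentication
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $result['ServerAuthEku'] = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))

    # Key Usage must include Digital Signature and Key Encipherment
    $ku      = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $result['DigitalSignature'] = [bool]($ku -and (($ku.KeyUsages -band $kuFlags::DigitalSignature) -ne 0))
    $result['KeyEncipherment']  = [bool]($ku -and (($ku.KeyUsages -band $kuFlags::KeyEncipherment) -ne 0))

    # Chain must build to a root in the machine trusted root store. Revocation
    # checking is off here so an unreachable CRL does not hide a trust problem;
    # check revocation separately.
    $chain = New-Object "$x509.X509Chain" ($true)   # $true = use machine context
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $result['ChainsToTrustedRoot'] = $chain.Build($Cert)
    $result['ChainStatus'] = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')

    $now = Get-Date
    $result['WithinValidityPeriod'] = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
    $result['Thumbprint'] = $Cert.Thumbprint

    New-Object PSObject -Property $result
}

$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($CssName))(,|$)" }

if (-not $candidates) {
    Write-Host "No certificate with CN=$CssName in LocalMachine\My."
} else {
    $candidates | ForEach-Object {
        Write-Host "Checking $($_.Thumbprint) ($($_.Subject))"
        Test-CssCertificate -Cert $_ -Name $CssName | Format-List
    }
}
```

Every property must come back True (and ChainStatus empty) for the certificate to satisfy the list above; a False on ChainsToTrustedRoot with a ChainStatus of UntrustedRoot points at the second step of the renewal, installing the issuing CA's root certificate on each array member.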

Conclusion

Certificate management is a common aspect of the overall server monitoring and management process, but it is even more important for many ISA deployments than for the applications ISA publishes. When ISA Server experiences a certificate failure, it can affect more than one application, causing line-of-business problems for a great many users and customers. This article was written to help simplify this task for you and help you keep your ISA deployment working as it should.