Requesting a certificate from a commercial certification authority

Applies To: Forefront Threat Management Gateway (TMG)

To request a certificate from a commercial certification authority

  1. On the computer that hosts the Web site that you plan to publish, click Start, and then point to Administrative Tools. Click Internet Information Services (IIS) Manager.

  2. In Internet Information Services (IIS) Manager, expand Web Sites, right-click the name of the applicable Web site, and then click Properties.

  3. On the Properties dialog box, click the Directory Security tab.

  4. On the Directory Security tab, click the Server Certificate button to launch the Web Server Certificate Wizard.

  5. On the Welcome to the Web Server Certificate Wizard page, click Next.

  6. On the Server Certificate page, select Create a new certificate, and then click Next.

  7. On the Delayed or Immediate Request page, select Prepare the Request now, but Send it later, and then click Next.

  8. On the Name and Security Settings page, provide a friendly name for the site. This name is not critical to the functioning of the certificate, so pick a name that is easy to use and to remember.

  9. In the Bit length drop-down list, select the bit length of the key that you want to use, indicate whether you want to select a cryptographic service provider (CSP) for the certificate, and then click Next.

  10. On the Organization Information page, type the name of your organization in the Organization text box, and type an organizational unit name in the Organizational Unit text box. For example, if your company is called Fabrikam, Inc. and you are setting up a Web server for the Sales department, you could type Fabrikam for the organization and Sales for the organizational unit. Click Next.

  11. On the Your Site’s Common Name page, provide the common name (CN) for your Web site in the Common name text box.

    Important

    In Web publishing, if this certificate will be exported to the Forefront TMG computer, the name on the certificate must match the public name that you use to publish the Web site in the Web publishing rule. If this certificate will remain on the Web server, the name on the certificate must match the host name that Forefront TMG uses in HTTP request messages sent to the Web site, which is the internal site name specified on the To tab of the Web publishing rule.

    In the case of server publishing, the certificate should have the name that users will use to connect to the server.

  12. Click Next.

  13. On the Geographical Information page, in Country/Region, select your country or region from the list. In State/province name and City/locality, type the applicable names without using abbreviations, and then click Next.

  14. On the Certificate Request File Name page, provide a name for the certificate request file that you are about to create. This file will contain all the information that you included in this procedure, as well as the public key for your site. The wizard saves the request as a .txt file when the procedure steps are completed. The default name for the file is Certreq.txt. Click Next.

  15. On the Request File Summary page, verify that all of the information is correct, and then click Next.

  16. On the Completing the Web Server Certificate Wizard page, click Finish.

  17. Submit the request file to a commercial certification authority (CA) according to the instructions provided by the CA. The CA will generate a certificate response file, which contains your public key and which is digitally signed by the commercial CA. You use this response file to install the certificate.

Note

  • To submit your request file to the commercial CA, you need access to the CA's Web site. We recommend that you copy the request file from the Web server to a computer that has access to the Internet, and then submit it to the CA according to the CA's instructions.

  • Alternatively, you can allow connectivity from your Web server to the commercial CA by creating a Forefront TMG access rule on the protocols used by the CA. The access rule should be as specific as possible. For example, if you require access on the HTTP protocol, create an allow rule from a computer set containing only the Web server, to a URL set containing only the CA's Web site, and allow only HTTP traffic.

  • After you successfully complete this procedure, the next task is to install the certificate on your Web server. For instructions, see Installing a certificate from a commercial certification authority.
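
The following added example (not part of the original procedure) re-checks the finished request file before it is submitted in step 17. It confirms that the common name from step 11 matches the name required by the Important note and that the key length from step 9 meets a minimum. The file location, the expected name, and the 2048-bit minimum are placeholder assumptions, and the parsing assumes English-language `certutil -dump` output.

```powershell
# Added example: pre-submission check of the request file created in step 14.
# Placeholders (not from the page): file location, $ExpectedName, $MinKeyBits.
# Assumes English-language certutil output with one subject attribute per line.
param(
    [string]$RequestFile  = '.\Certreq.txt',
    # Public name in the Web publishing rule, or the internal site name on the
    # To tab if the certificate stays on the Web server (see the Important note).
    [string]$ExpectedName = 'www.fabrikam.example',
    [int]$MinKeyBits      = 2048   # assumed local policy
)

# Decode the PKCS #10 request; certutil exits non-zero if the file is not a valid request.
$dump = & certutil.exe -dump $RequestFile
if ($LASTEXITCODE -ne 0) {
    throw "certutil could not decode $RequestFile"
}

$cn = $null
$keyBits = 0
foreach ($line in $dump) {
    # First CN= line belongs to the Subject block of the request.
    if (-not $cn -and $line -match '^\s+CN=(.+)$') { $cn = $Matches[1].Trim() }
    if ($line -match 'Public Key Length:\s*(\d+)\s*bits') { $keyBits = [int]$Matches[1] }
}

$problems = @()
if (-not $cn) {
    $problems += 'No CN found in the request subject.'
} elseif ($cn -ine $ExpectedName) {
    # Host names are compared case-insensitively.
    $problems += "CN '$cn' does not match expected name '$ExpectedName'."
}
if ($keyBits -lt $MinKeyBits) {
    $problems += "Key length $keyBits bits is below the $MinKeyBits-bit minimum."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK: CN=$cn, ${keyBits}-bit key. The request can be submitted to the CA."
```

A mismatch found at this stage means rerunning the wizard, which is cheaper than having the CA issue a certificate under the wrong name.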

Concepts

Configuring server certificates for secure Web publishing