Setting up a remote CA

Published: January 11, 2010

Updated: February 1, 2011

Applies To: Unified Access Gateway

This topic describes how to install the Microsoft Certification Authority on a remote server in order to provide privileged clients with certificates.

The following steps are required:

  1. Installing the trusted root certificate

  2. Updating the certificate trust list (CTL)

  3. Backing up the certificate settings

If you are using a remote CA, import your server certificate into the Trusted Root Certification Authorities certificate store on the Forefront UAG server to indicate that the CA that issues the certificate is trusted.
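The following script is an added example, not part of the original topic, showing the import step from the command line and then checking that the server certificate actually chains to the newly trusted root. It assumes Windows PowerShell with the PKI module (Windows Server 2012 or later; on older servers `certutil -addstore Root <file>` performs the same import), and the file path and certificate subject are placeholders you replace with your own.

```powershell
# Added example (not from the original topic): trust a remote CA's root certificate on the
# UAG server and confirm that the portal's server certificate now builds a valid chain.
# $rootCerPath and the subject filter below are placeholders.
$rootCerPath = 'C:\certs\RemoteRootCA.cer'   # placeholder: root cert exported from the remote CA

# Inspect the file before trusting it; compare the thumbprint with the value the CA
# operator gives you through a separate channel so a substituted file is caught here.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCerPath
"Subject:    $($root.Subject)"
"Thumbprint: $($root.Thumbprint)"
"NotAfter:   $($root.NotAfter)"

# Import into Trusted Root Certification Authorities of the machine store (requires elevation).
Import-Certificate -FilePath $rootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Locate the portal's server certificate in the Personal store (placeholder subject).
$serverCert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -like 'CN=portal.contoso.com*' } |
    Select-Object -First 1
if (-not $serverCert) { throw 'Portal server certificate not found in Cert:\LocalMachine\My' }

# Build the chain with the default policy (revocation checked online) and report the result.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($serverCert)) {
    $path = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    "Chain OK: $path"
} else {
    $chain.ChainStatus | ForEach-Object { "Chain error: $($_.Status) - $($_.StatusInformation)" }
}
```

A chain error of `UntrustedRoot` after the import means the file you imported is not the issuer of the server certificate (for example an intermediate rather than the root), and `RevocationStatusUnknown` means the server cannot reach the CA's CRL distribution point, which is worth fixing before clients depend on it.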

The Certificate Trust List (CTL) is a signed list of CA certificates that have been judged reputable by the administrator. In order to use a CA, you must notify Forefront UAG that you trust the CA by adding it to the CTL for the portal Web site, as follows.

To add a CA to the CTL

  1. On the Windows desktop, click Start, point to Programs, click Administrative Tools, and then click Internet Information Services. The Internet Information Services (IIS) Manager window is displayed.

  2. Right-click the portal, and then click Properties. The portal Properties dialog box is displayed.

  3. Click the Directory Security tab.

  4. In the Secure communications area, click Edit. The Secure Communications dialog box is displayed.

  5. Select Enable certificate trust list, and then click New. The Welcome to the Certificate Trust List Wizard page is displayed.

  6. Click Next. The Certificates in the CTL page of the Certificate Trust List Wizard is displayed.

  7. Click Add from Store. The Select Certificate dialog box is displayed.

  8. Select the certificate you want to use, and then click OK. The Certificates in the CTL page of the Certificate Trust List Wizard is displayed with the certificate you selected.

  9. Click Next. The Name and Description page of the Certificate Trust List Wizard is displayed.

  10. Enter a name and description for the new Certificate Trust List, and then click Next. The Completing the Certificate Trust List Wizard page of the Certificate Trust List Wizard is displayed with a summary of your settings.

  11. Click Finish. The certification authority is added to the Certificate Trust List. The configuration process is completed. End users can proceed to make their computers certified endpoints.

Make sure that you have a backup of the private key. If not, create backup files via the certificate store. After the initial backup, make sure that you back up the certificate settings periodically, especially before any upgrade or installation, or before you make any other changes to system settings. For instructions on how to back up the certificate, see SSL Digital Certificate Technical Support (
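As an added example that is not part of the original topic, the script below performs the backup described above from the command line: it exports the portal's certificate with its private key as a password-protected PFX file and then re-reads the file to confirm the backup is usable. It assumes Windows PowerShell with the PKI module (Windows Server 2012 or later); the subject and backup directory are placeholders.

```powershell
# Added example (not from the original topic): back up the portal certificate and its
# private key as a password-protected PFX, then verify the file before relying on it.
$subject   = 'CN=portal.contoso.com'   # placeholder: subject of the portal certificate
$backupDir = 'D:\CertBackup'           # placeholder: restricted, offline-copied location
$password  = Read-Host -AsSecureString -Prompt 'PFX password'

# Pick the newest certificate for the subject that has a private key in the machine store.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $subject" }

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$pfxPath = Join-Path $backupDir "portal-$($cert.Thumbprint)-$stamp.pfx"

# BuildChain includes the issuing CA certificates so the PFX restores cleanly elsewhere.
# This throws if the key was marked non-exportable at enrollment, which is why the
# first backup should be taken right after the certificate is issued.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password -ChainOption BuildChain | Out-Null

# Verify: read the PFX back and compare the thumbprint with the live certificate.
$pfx = Get-PfxData -FilePath $pfxPath -Password $password
if ($pfx.EndEntityCertificates[0].Thumbprint -ne $cert.Thumbprint) {
    throw "Backup verification failed for $pfxPath"
}
"Backed up $($cert.Subject) ($($cert.Thumbprint)) to $pfxPath; certificate expires $($cert.NotAfter)"
```

Keep the PFX and its password apart (the file holds the private key, so anyone with both can impersonate the portal), restrict the backup folder's ACL to the administrators who perform restores, and rerun the script before each upgrade so the backup matches the certificate currently bound to the portal.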