Listing Available Certificates

Microsoft® Internet Security and Acceleration (ISA) Server enables the use of digital certificates for Web publishing rules, server publishing rules, and site-to-site virtual private network (VPN) connections. In some scenarios, the digital certificates required are Secure Sockets Layer (SSL) certificates that are installed on the local ISA Server computer.

Certificates are issued by a certification authority. A certificate is trusted by a computer when the root certificate of the certification authority that issued it and the intermediate certificates in its certification path are installed on the local computer.

The certificates that are used by ISA Server are stored in the following certificate stores on the local ISA Server computer:

  • Personal store for the local computer
  • Personal store for the current user
  • Personal store for the Microsoft Firewall service (the fwsrv\Personal store)
  • Trusted Root Certification Authorities store for the local computer
  • Intermediate Certification Authorities store for the local computer

When a client sends a Web request to a Web server that is securely published by ISA Server, the ISA Server computer receiving the request must prove to the client that it is the host computer requested by the client. To do this, the ISA Server computer presents an SSL server certificate with a name that matches the host name in the client request. The SSL server certificates that your ISA Server computer uses for authentication to clients must be present in the Personal store for the local computer and must have the corresponding private key. In particular, a secure Web publishing rule cannot be created when no SSL server certificate is available in the Personal store for the local computer. The SSL server certificate that is to be presented in response to client requests sent to the SSL port configured in the properties of the Web listener associated with a Web publishing rule is specified on the Certificates tab of the Web listener. The certificates that are listed on the Select Certificate page opened from the Certificates tab of a Web listener include all the SSL server and client certificates in the Personal stores for the local computer, current user, and Firewall service. Only valid SSL server certificates from this list that are installed in the Personal store for the local computer can be assigned to the Web listener.

The SSL server certificate assigned to the Web listener associated with a Web publishing rule is used to prove the identity of the ISA Server computer to clients that connect to the Web listener through the SSL port. This certificate must be present in the Personal store for the local computer, and the name to which it was issued must be identical to the public name (or the first of the public names) of the published Web server in the Web publishing rule or must contain a wildcard character (*) and match all the public names. A public name is the fully qualified host name or URL that external clients use to access the Web site (for example, news.contoso.com). The public name is the name (or the first of the names) specified on the Public Name tab of the Web publishing rule. If the name on the certificate does not match the public name, Web clients will receive an error page with the following message: "500 Internal Server Error - The target principal name is incorrect."

When a Web publishing rule requires an SSL connection between the ISA Server computer and the Web server with authentication of the ISA Server computer by the published Web server in addition to the authentication of the published Web server by the ISA Server computer, the ISA Server computer must present an SSL client certificate to the published server. This SSL client certificate is specified on the Bridging tab of the Web publishing rule by selecting Use a certificate to authenticate to the SSL Web server and clicking Select. This certificate is used to authenticate the ISA Server computer to the published Web server and must be present in the Personal store for the Microsoft Firewall service (the fwsrv\Personal store).

A remote site network may be configured to connect to the local ISA Server computer by site-to-site VPN connections using Internet Protocol security (IPsec). A remote site network that establishes site-to-site VPN connections using IPsec may be configured to require the local VPN server to use certificate authentication to prove its identity to the remote VPN server. The local VPN server does this by presenting an IPsec certificate that was issued by the certification authority specified on the Authentication tab in the properties of the remote site network and whose Intended Purposes field contains "IP security IKE intermediate" or "Any." The root certificates of the possible certification authorities are displayed from the Authentication tab by selecting Use a certificate from this certificate authority (CA) and clicking Browse. These certificates are installed in the Trusted Root Certification Authorities store on the local computer. An IPsec certificate issued by the certification authority selected must be present in the Personal store for the local computer on the local VPN server.

If you need to specify a certificate for an ISA Server computer in ISA Server Management, it may be helpful to use a script to verify in advance whether a suitable certificate is available on the ISA Server computer.
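As an added example (not code from this page or from ISA Server), the following Python models the rules stated above for the SSL server certificate a Web listener can use: it must be in the Personal store for the local computer, have a valid private key, be within its validity period, and be issued to a name identical to the first public name or carry a wildcard that covers every public name. The Certificate tuple, the wildcard interpretation (a "*." prefix covering exactly one leftmost label) and the sample certificates are assumptions constructed for the example.

```python
from collections import namedtuple
from datetime import date

# Store identifiers with the same values as the constants in ListAvailableCertificates.vbs.
LOCAL_MACHINE_PERSONAL, FIREWALL_SERVICE_PERSONAL, CURRENT_USER_PERSONAL = 0, 1, 2
# Constructed stand-in for the FPCCertificate properties the check needs (not the COM object).
Certificate = namedtuple("Certificate", "issued_to store valid_from expires private_key_valid")

def name_matches(cert_name, public_name):
    """Exact match, or '*.suffix' covering one leftmost label (assumed reading of the wildcard rule)."""
    cert_name, public_name = cert_name.lower(), public_name.lower()
    if not cert_name.startswith("*."):
        return cert_name == public_name
    suffix = cert_name[1:]                      # "*.contoso.com" -> ".contoso.com"
    if not public_name.endswith(suffix):
        return False
    leftmost = public_name[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost

def listener_problems(cert, public_names, today):
    """Reasons the certificate cannot be assigned to the Web listener, following
    the rules above; an empty list means it is usable."""
    problems = []
    if cert.store != LOCAL_MACHINE_PERSONAL:
        problems.append("not in the Personal store for the local computer")
    if not cert.private_key_valid:
        problems.append("private key not present or invalid")
    if not cert.valid_from <= today < cert.expires:
        problems.append("outside its validity period")
    if "*" in cert.issued_to:                   # a wildcard must cover every public name
        if not all(name_matches(cert.issued_to, n) for n in public_names):
            problems.append("wildcard does not match all public names")
    elif not public_names or not name_matches(cert.issued_to, public_names[0]):
        problems.append("name differs from the first public name")
    return problems

# Constructed sample: two public names of one Web publishing rule, five candidates.
PUBLIC_NAMES = ["news.contoso.com", "mail.contoso.com"]
TODAY = date(2024, 6, 1)
SAMPLE = {
    "exact":       Certificate("news.contoso.com", LOCAL_MACHINE_PERSONAL, date(2024, 1, 1), date(2025, 1, 1), True),
    "wildcard":    Certificate("*.contoso.com",    LOCAL_MACHINE_PERSONAL, date(2024, 1, 1), date(2025, 1, 1), True),
    "wrong_store": Certificate("*.contoso.com",    CURRENT_USER_PERSONAL,  date(2024, 1, 1), date(2025, 1, 1), True),
    "expired":     Certificate("news.contoso.com", LOCAL_MACHINE_PERSONAL, date(2022, 1, 1), date(2023, 1, 1), True),
    "second_name": Certificate("mail.contoso.com", LOCAL_MACHINE_PERSONAL, date(2024, 1, 1), date(2025, 1, 1), True),
}

def report(today=TODAY):  # label -> list of problems for each sample certificate
    return {label: listener_problems(c, PUBLIC_NAMES, today) for label, c in SAMPLE.items()}
```

The "second_name" case shows the rule that a non-wildcard certificate is matched only against the first public name, even though it is identical to the second.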

A single certificate that is available to ISA Server is represented by an FPCCertificate ISA Server administration COM object, which is an element of an FPCCertificates collection. Information about several types of certificates that are available to ISA Server is held in FPCCertificates collections that can be accessed through several properties of the FPCServer object, which represents a single ISA Server computer. The following table summarizes the types of certificates for which information is held in the FPCCertificates collections that can be accessed through properties of an FPCServer object.

Property                   Certificates
SSLServerCertificates      SSL server certificates in the Personal store for the local computer
SSLAllServerCertificates   SSL server and client certificates in the Personal stores for the local computer, current user, and Firewall service
SSLClientCertificates      SSL client certificates in the Personal store for the Firewall service (the fwsrv\Personal store)
IntermediateCertificates   Certificates in the Intermediate Certification Authorities store for the local computer
TrustedRootCertificates    Certificates in the Trusted Root Certification Authorities store for the local computer

Listing certificates on the local ISA Server computer

The Microsoft Visual Basic® Scripting Edition (VBScript) code in ListAvailableCertificates.vbs (listed later in this document) retrieves the collection of certificates of the type specified by the user, and then displays information about each certificate in the collection. In all cases, these certificates are installed on the local ISA Server computer and are available to ISA Server. This script, as presented, must be run on an ISA Server 2006 computer with the Microsoft Firewall service installed, but it can be modified to run on a remote management computer.

To use this script, paste the code in the script listing into a text editor, save it in a file named ListAvailableCertificates.vbs, and run it from a command prompt.

Usage:

CScript ListAvailableCertificates.vbs Type

Type specifies the certificates collection to retrieve: SERVER, ALLSSL, CLIENT, INT, or ROOT, as described in the Usage subroutine of the script.

To list the certificates installed on the local ISA Server computer

  1. Create an instance of the FPC COM object, which is known as the root object and provides access to the other ISA Server administration COM objects.

  2. Declare an FPCServer object, an FPCCertificates collection, and an FPCCertificate object.

  3. Call GetContainingServer on the root object to get a reference to the FPCServer object for the local computer.

  4. Get a reference to the FPCCertificates collection containing the certificates of the type specified by the user from the corresponding property of the FPCServer object for the local computer.

  5. If the collection contains at least one FPCCertificate object, iterate through the collection and display the following information.

    • The friendly name of the certificate retrieved from the FriendlyName property.
    • The name of the computer retrieved from the IssuedTo property.
    • The name of the certification authority retrieved from the IssuedBy property.
    • The date and time retrieved from the ValidFromDate property, which indicates the date and time when the certificate becomes valid.
    • The date and time retrieved from the ExpirationDate property, which indicates the date and time when the certificate expires.
    • A message based on the value of the IsPrivateKeyValid property.
    • For the SSLAllServerCertificates collection, the store in which the certificate resides, based on the value of the CertificateStore property.

Script listing: ListAvailableCertificates.vbs

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE
' ENTIRE RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE
' REMAINS WITH THE USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR
' WITHOUT MODIFICATION, IS HEREBY PERMITTED.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script retrieves the user-specified collection of certificates
' that are stored on the local computer and are available to ISA
' Server. The script then iterates through the collection and displays
' several properties of each certificate.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Option Explicit

' Define the constants needed.
Const fpcLocalMachinePersonalStore = 0
Const fpcFirewallServicePersonalStore = 1
Const fpcCurrentUserPersonalStore = 2

Main(WScript.Arguments)

Sub Main(args)
    If (args.Count <> 1) Then
        Usage()
    Else
        ListCertificates UCase(args(0))
    End If
End Sub

Sub ListCertificates(storeType)

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim server        ' An FPCServer object
    Dim certificates  ' An FPCCertificates collection
    Dim certificate   ' An FPCCertificate object

    ' Get references to the server object 
    ' and the applicable certificates collections.
    Set server = root.GetContainingServer()
    Select Case storeType
        Case "SERVER"
            Set certificates = server.SSLServerCertificates
            WScript.Echo "SSL server certificates in the Personal " _
                & "store for the local computer:" & vbCrLf
        Case "ALLSSL"
            Set certificates = server.SSLAllServerCertificates
            WScript.Echo "SSL server and client certificates in the " _
                & "Personal stores for the local computer, " & vbCrLf _
                & "current user, and Firewall service:" & vbCrLf
        Case "CLIENT"
            Set certificates = server.SSLClientCertificates
            WScript.Echo "SSL client certificates in the Personal " _
                & "store for the Firewall service (the " & vbCrLf _
                & "fwsrv\Personal store):" & vbCrLf
        Case "INT"
            Set certificates = server.IntermediateCertificates
            WScript.Echo "Certificates in the Intermediate " & _
                "Certification Authorities store:" & vbCrLf
        Case "ROOT"
            Set certificates = server.TrustedRootCertificates
            WScript.Echo "Certificates in the Trusted Root " & _
                "Certification Authorities store:" & vbCrLf
        Case Else
            Usage()
    End Select

    ' Retrieve the stored data for the certificates collection.
    certificates.Refresh

    ' Display some properties of each certificate.
    If certificates.Count = 0 Then
        WScript.Echo "No certificates were found."
    End If
    For Each certificate In certificates
        WScript.Echo "Certificate name: " & certificate.FriendlyName 
        WScript.Echo "Issued to: " & certificate.IssuedTo 
        WScript.Echo "Issued by: " & certificate.IssuedBy 
        WScript.Echo "Valid from: " & certificate.ValidFromDate
        WScript.Echo "Valid to: " & certificate.ExpirationDate
        If certificate.IsPrivateKeyValid = True Then
            WScript.Echo "Private key: valid"
        Else
            WScript.Echo "Private key: not present or invalid"
        End If
        If storeType = "ALLSSL" Then
            Select Case certificate.CertificateStore
                Case fpcLocalMachinePersonalStore
                    WScript.Echo "Store: Personal for local computer"
                Case fpcCurrentUserPersonalStore
                    WScript.Echo "Store: Personal for current user"
                Case fpcFirewallServicePersonalStore
                    WScript.Echo "Store: Personal for Firewall service"
            End Select
        End If
        WScript.Echo vbCrLf
    Next
End Sub 

Sub Usage()
    WScript.Echo "Usage:" & vbCrLf _
      & "  " & WScript.ScriptName & " Type" & vbCrLf _
      & vbCrLf _
      & "  Type  SERVER   SSL server certificates in the " & vbCrLf _
      & "                 Personal store for the local computer." & vbCrLf _
      & "        ALLSSL   SSL certificates in the Personal " & vbCrLf _
      & "                 stores for the local computer, " & vbCrLf _
      & "                 current user, and Firewall service." & vbCrLf _
      & "        CLIENT   SSL client certificates." & vbCrLf _
      & "        INT      Intermediate CA certificates." & vbCrLf _
      & "        ROOT     Trusted Root CA certificates."
    WScript.Quit
End Sub