Lightweight Directory Access Protocol over SSL (LDAPS), the protocol used for communication between the configuration storage server and the Forefront TMG servers in a workgroup deployment, requires a server authentication certificate on the configuration storage server.

The certificate must be installed as a personal certificate of the ADAM_ISASTGCTRL service on the configuration storage server, either during or after Forefront TMG installation. The certificate subject (common name) must be the FQDN of the configuration storage server; the other Forefront TMG servers compare the subject against the name they connect to and reject the certificate if the two differ. After installing the certificate on the configuration storage server, install the CA certificate (the issuing CA's public certificate, not the server certificate or its private key) on each of the other servers in the ‘Local Computer’ certificates store under ‘Trusted Root Certification Authorities’; without that trust anchor the chain cannot be validated and the LDAPS connection fails. You can create a certificate using your own CA, or obtain a certificate from a global CA. When the certificates are for internal use only, it is recommended that you create a local CA, negating the need to purchase a commercial certificate.
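The following script is an added example and is not part of the Forefront TMG documentation. Run from one of the other Forefront TMG servers, it opens a TLS connection to the configuration storage server and reports the two checks described above: whether the chain ends in a CA trusted by the local computer, and whether the certificate subject matches the FQDN being dialled. The FQDN server01.east.fabrikam.com and the LDAPS port 2172 are placeholders; adjust them for your deployment.

```powershell
# Added example, not part of the Forefront TMG documentation.
# Assumptions (placeholders): the configuration storage server is
# server01.east.fabrikam.com and its LDAPS listener is on TCP 2172.
param(
    [string]$StorageServerFqdn = 'server01.east.fabrikam.com',
    [int]$LdapsPort = 2172
)

# The validation callback records what the Windows certificate validator found
# and lets the handshake complete so the certificate can be inspected.
$global:LdapsPolicyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $global:LdapsPolicyErrors = $sslPolicyErrors
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient($StorageServerFqdn, $LdapsPort)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
try {
    # The name passed here is the one the subject must match, so dial the FQDN,
    # never the IP address or NetBIOS name.
    $ssl.AuthenticateAsClient($StorageServerFqdn)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $errors = [int]$global:LdapsPolicyErrors
    $nameMismatch = ($errors -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0
    $chainErrors  = ($errors -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -ne 0

    Write-Host ("Subject     : {0}" -f $cert.Subject)
    Write-Host ("Issuer      : {0}" -f $cert.Issuer)
    Write-Host ("Expires     : {0}" -f $cert.NotAfter)
    Write-Host ("Name match  : {0}" -f (-not $nameMismatch))
    Write-Host ("Chain trust : {0}" -f (-not $chainErrors))

    if ($nameMismatch) {
        Write-Warning "Subject CN does not match $StorageServerFqdn; reissue the certificate with the FQDN as the common name."
    }
    if ($chainErrors) {
        Write-Warning "Issuing CA is not trusted here; import the CA certificate into Local Computer\Trusted Root Certification Authorities."
    }
    if (-not $nameMismatch -and -not $chainErrors) {
        Write-Host "This server will accept the configuration storage server certificate."
    }
}
finally {
    $ssl.Close()
    $client.Close()
}
```

The callback returns true only so that the handshake completes and the certificate can be printed; the verdict comes from the recorded SslPolicyErrors, which is the same validation the operating system performs. Run it once before and once after importing the CA certificate to confirm that the chain error is what changes.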

The following procedures describe how to create a server certificate and how to export it.

Creating a server certificate

To create a server certificate

  1. On the CA computer, browse to: http://localhost/certsrv.

  2. Click Request a certificate.

  3. Select Advanced Certificate Request.

  4. Select Create and submit a request to this CA.

  5. Under Name, provide a name for the certificate. To avoid the client receiving an error when trying to connect, it is critical that the common name you provide for the certificate matches the server name. In common name, type the fully qualified host name for the configuration storage server on which the certificate will be installed, such as server01.east.fabrikam.com.

  6. Complete the form and select Server Authentication Certificate from the Type drop-down list.

  7. Select Mark keys as exportable.

  8. Select Store Certificate in the local computer certificate store or Use local machine store and submit the request by clicking Submit. Review the warning dialog box that appears, and then click Yes.

  9. Click your request and choose Install this certificate.

Exporting the server certificate

To export the server certificate

  1. From the Start menu, click Run. Type MMC, and then click OK.

  2. In MMC, click File, and then click Add/Remove Snap-in.

  3. In Add/Remove Snap-in, click Add to open the Add Standalone Snap-in dialog box. From the list of snap-ins, select Certificates, and then click Add.

  4. In Certificates snap-in, select Computer account, and then click Next. In Select Computer, verify that Local computer (the default) is selected, and then click Finish. Click Close, and then click OK.

  5. In the MMC console, expand Certificates (Local Computer), expand Personal, and click Certificates.

  6. In the details pane, right-click the certificate you just created (it shows the fully qualified domain name (FQDN) of the configuration storage server), point to All Tasks, and select Export.

  7. On the Welcome page of the Certificate Export Wizard, click Next.

  8. On the Export Private Key page, select Yes, export the private key, and then click Next.

  9. On the Export File Format page, select Include all certificates in the certification path if possible, leave the other default settings, and then click Next.

  10. On the Password page, provide and confirm a password, and then click Next. The exported .pfx file contains the private key, so protect it with a strong password and remove the file from any shared location once it has been imported.

  11. On the File to Export page, click Browse, and browse to the location where you want to store the exported certificate file. Choose a location that Forefront TMG Setup can reach when you install the Forefront TMG services that include the configuration storage server, because Setup prompts for this file. Click Next.

  12. On the summary page, click Finish.

  13. Close MMC. Save the console settings with a descriptive name, such as LocalCertificates.
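The following script is an added example and is not part of the Forefront TMG documentation. It performs the export procedure above from PowerShell using only .NET certificate classes (no Export-PfxCertificate, which did not exist on Windows Server 2008-era systems), and adds the checks the wizard does not make: the certificate has a private key, the key is exportable, the Server Authentication EKU is present, and the certificate has not expired. It writes a password-protected .pfx that includes the certification path, and also writes the root CA certificate as a .cer for import on the other Forefront TMG servers. The FQDN server01.east.fabrikam.com and the output folder C:\TmgCerts are placeholders.

```powershell
# Added example, not part of the Forefront TMG documentation.
# Assumptions (placeholders): configuration storage server FQDN
# server01.east.fabrikam.com, output folder C:\TmgCerts.
# Run from an elevated prompt; reading a Local Computer private key requires it.
param(
    [string]$StorageServerFqdn = 'server01.east.fabrikam.com',
    [string]$OutDir = 'C:\TmgCerts',
    [System.Security.SecureString]$PfxPassword = (Read-Host -AsSecureString 'PFX password')
)
$ErrorActionPreference = 'Stop'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

# Certificates (Local Computer) -> Personal -> Certificates
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
# DnsName returns the first SAN DNS entry, or the CN when there is no SAN.
$cert = @($store.Certificates | Where-Object {
            $_.HasPrivateKey -and $_.GetNameInfo('DnsName', $false) -ieq $StorageServerFqdn
        } | Sort-Object NotAfter -Descending)[0]
$store.Close()
if (-not $cert) { throw "No certificate with CN=$StorageServerFqdn and a private key in LocalMachine\My" }

# Checks the MMC wizard silently skips.
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $false
if ($eku) { $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }) }
if (-not $hasServerAuth) { throw 'Certificate lacks the Server Authentication EKU; request it with the Server Authentication Certificate type.' }
try   { $csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider] }
catch { $csp = $null }   # CNG keys do not expose a CSP; the Export call below still fails if not exportable
if ($csp -and -not $csp.CspKeyContainerInfo.Exportable) {
    throw 'Private key is not exportable; the request must be made with "Mark keys as exportable".'
}

# "Include all certificates in the certification path": build the chain and
# export every element together with the private key as PKCS#12.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    Write-Warning 'Chain did not validate on this machine (is the CA certificate in Trusted Root Certification Authorities?); exporting the elements that were found.'
}
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($element in $chain.ChainElements) { [void]$bundle.Add($element.Certificate) }

if (-not (Test-Path $OutDir)) { [void](New-Item -ItemType Directory -Path $OutDir) }
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPassword)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $pfxPath = Join-Path $OutDir ("{0}.pfx" -f $StorageServerFqdn)
    [IO.File]::WriteAllBytes($pfxPath, $bundle.Export('Pkcs12', $plain))
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}

# The last chain element is the root CA: this public certificate is what the
# other TMG servers need in Local Computer\Trusted Root Certification Authorities.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$cerPath = Join-Path $OutDir 'ConfigStorageRootCA.cer'
[IO.File]::WriteAllBytes($cerPath, $root.Export('Cert'))

Write-Host "Exported $pfxPath (certificate, private key and chain) and $cerPath (root CA, public only)."
```

Only the .cer file goes to the other Forefront TMG servers; the .pfx stays with the configuration storage server installation and should be deleted from any shared path after Setup has consumed it. A CryptographicException from the Export call means the key was requested without Mark keys as exportable and the certificate has to be re-requested.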

Copyright © 2009 by Microsoft Corporation. All rights reserved.