This topic describes how to import the HTTPS inspection trusted root certification authority (CA) certificate to client computers. When implementing HTTPS inspection in your organization, this certificate must be installed on each client computer.
There are two methods by which you can import the HTTPS inspection trusted root CA certificate to client computers:
- Automatically through Active Directory—Automatic deployment using Active Directory is the recommended method, because the certificate is stored in a secured location, and it saves administrators the overhead of manual deployment.
  Note: Automatic certificate deployment requires Forefront TMG to be deployed in a domain environment.
- Manually on each client computer—If you are not using Active Directory, the certificate must be installed manually on each client computer, and it must be placed in the local computer certificate store.
Note: This topic describes how to deploy or import the HTTPS inspection trusted root CA certificate to client computers that use Internet Explorer to access HTTPS sites. To configure other Web browsers to trust the certificate, refer to the Web browser's documentation.
The following procedures describe:
- Using Active Directory for automatic deployment
- Deploying the CA certificate manually
Using Active Directory for automatic deployment
To deploy the certificate using Active Directory
- In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
- In the Tasks pane, click Configure Web Access Policy.
- On the Certificate Deployment Preferences page, in the Domain administrator username box, enter the name in the format Domain\Username.
  Note: The credentials you enter must have sufficient privileges to update Active Directory Domain Services, and allow for running processes on Forefront TMG.
- Continue advancing through the wizard, and click Finish at the end. On the Apply Changes bar, click Apply. No further configuration is necessary; the certificate is forwarded to Active Directory and deployed to client computers automatically.
Important:
- Deployment to client computers occurs after the group policy is applied, and can take up to eight hours.
- Until client computers receive the certificate, accessing HTTPS Web sites will generate a warning message in Internet Explorer. To prevent this, it is recommended that you temporarily disable HTTPS inspection. You can do this by clicking Configure HTTPS Inspection in the Tasks pane of the Web Access Policy node, and then clearing the check box Enable HTTPS inspection. When deployment has finished, re-enable HTTPS inspection.
Deploying the CA certificate manually
The manual deployment of the HTTPS inspection trusted root CA certificate requires two actions:
- Exporting the certificate from Forefront TMG.
- Importing the certificate to each client computer.
To export the certificate
- In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
- In the Tasks pane, click Configure Web Access Policy, and then follow the instructions in the wizard.
- On the Certificate Deployment Preferences page, select I will manually export and deploy the certificate, type a file name and location, and then click Next.
- Continue advancing through the wizard, and then click Finish.
The following operation requires administrative rights on the client computer.
To manually import the certificate to a client computer
- On the client computer, click Start, click All Programs, click Accessories, and then click Run.
- Type MMC, and then press ENTER.
- In the Microsoft Management Console, click the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
- On the Certificates snap-in dialog box, select Computer Account, and then click Next. In the Add or Remove Snap-ins window, click OK. The Add or Remove Snap-ins window closes.
- In the Select Computer window, ensure that Local computer is selected, and then click Finish.
- In the Microsoft Management Console, in the Logical Store Name pane, right-click Trusted Root Certification Authorities, click All Tasks, and then click Import.
- In the Certificate Import Wizard, browse to the file that you previously created when you exported the certificate, and then click Next.
- On the Certificate Store page, make sure that all certificates are placed in the Trusted Root Certification Authorities certificate store, click Next, and then click Finish.
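The manual import above can also be scripted so that the exported file is checked before it is trusted. The following PowerShell is an added example, not part of the original Microsoft topic; the file path and the expected thumbprint are placeholders that the administrator supplies, and the script must be run from an elevated prompt.

```powershell
# Added example, not from the original topic. Run from an elevated prompt.
param(
    # Placeholder: path to the file exported from Forefront TMG.
    [Parameter(Mandatory = $true)][string]$CertPath,
    # Placeholder: thumbprint noted on the Forefront TMG server at export
    # time and delivered separately from the file (assumption).
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
)
$ErrorActionPreference = 'Stop'

# Load the file without touching any certificate store yet.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path $CertPath).Path

# Refuse to trust a file whose thumbprint differs from the expected one.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
}

# Sanity checks: validity period and the CA flag in Basic Constraints.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning 'Certificate is not marked as a CA certificate; check the export.'
}

# Add to Local Computer\Trusted Root Certification Authorities (idempotent).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($found.Count -eq 0) {
        $store.Add($cert)
        Write-Output "Imported: $($cert.Subject) [$($cert.Thumbprint)]"
    } else {
        Write-Output "Already present: $($cert.Subject) [$($cert.Thumbprint)]"
    }
} finally {
    $store.Close()
}
```

Because any certificate in this store can vouch for any HTTPS site to the client, the thumbprint comparison is the step that ties the imported file to the certificate actually exported from Forefront TMG.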
Copyright © 2009 by Microsoft Corporation. All rights reserved.