This topic describes how to import the HTTPS inspection trusted root certification authority (CA) certificate to client computers. When implementing HTTPS inspection in your organization, this certificate must be installed on each client computer.

There are two methods by which you can import the HTTPS inspection trusted root CA certificate to client computers: automatically, using Active Directory, or manually on each client computer.

The following procedures describe both methods.

Using Active Directory for automatic deployment

To deploy the certificate using Active Directory

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the Tasks pane, click Configure Web Access Policy.

  3. On the Certificate Deployment Preferences page, in the Domain administrator username box, enter the name in the format Domain\Username.

    Note:
    The credentials you enter must have sufficient privileges to update Active Directory Domain Services, and allow for running processes on Forefront TMG.
  4. Continue advancing through the wizard, and click Finish at the end. On the Apply Changes bar, click Apply. No further configuration is necessary; the certificate is forwarded to Active Directory and deployed to client computers automatically.

    Important:
    • Deployment to client computers occurs after the group policy is applied, and can take up to eight hours.

    • Until client computers receive the certificate, accessing HTTPS Web sites will generate a warning message in Internet Explorer. To prevent this, it is recommended that you temporarily disable HTTPS inspection. You can do this by clicking Configure HTTPS Inspection in the Tasks pane of the Web Access Policy node, and then clearing the check box Enable HTTPS inspection. When deployment has finished, re-enable HTTPS inspection.

Deploying the CA certificate manually

The manual deployment of the HTTPS inspection trusted root CA certificate requires two actions:

  1. Exporting the certificate from Forefront TMG.

  2. Importing the certificate to each client computer.

To export the certificate

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the Tasks pane, click Configure Web Access Policy, and then follow the instructions in the wizard.

  3. On the Certificate Deployment Preferences page, select I will manually export and deploy the certificate, type a file name and location, and then click Next.

  4. Continue advancing through the wizard, and then click Finish.

The following operation requires administrative rights on the client computer.

To manually import the certificate to a client computer

  1. On the client computer, click Start, click All Programs, click Accessories, and then click Run.

  2. Type MMC, and then press ENTER.

  3. In the Microsoft Management Console, click the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

  4. On the Certificates snap-in dialog box, select Computer Account, and then click Next. In the Add or Remove Snap-ins window, click OK. The Add or Remove Snap-ins window closes.

  5. In the Select Computer window, ensure that Local computer is selected, and then click Finish.

  6. In the Microsoft Management Console, in the Logical Store Name pane, right-click Trusted Root Certification Authorities, click All Tasks, and then click Import.

  7. In the Certificate Import Wizard, browse to the file that you previously created when you exported the certificate, and then click Next.

  8. On the Certificate Store page, make sure that all certificates are placed in the Trusted Root Certification Authorities certificate store, click Next, and then click Finish.
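
The manual import steps above can also be scripted. The following PowerShell is an added example, not part of the original procedure: it checks the exported file against a thumbprint obtained out of band before adding it to the Local Computer Trusted Root Certification Authorities store, because any certificate placed there is trusted for every site. The parameter names `$CertPath` and `$ExpectedThumbprint` are hypothetical.

```powershell
# Added example: scripted form of the MMC import steps. Run from an elevated PowerShell prompt.
# $CertPath and $ExpectedThumbprint are hypothetical parameter names, not Forefront TMG settings.
param(
    [Parameter(Mandatory = $true)][string]$CertPath,           # file exported from Forefront TMG
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint  # thumbprint read on the TMG server, sent out of band
)
$ErrorActionPreference = 'Stop'

$path = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# Normalize the expected value (it may contain spaces or lowercase hex) and compare.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not importing."
}

# Clients need only the public certificate; a file carrying the CA private key must not be distributed.
if ($cert.HasPrivateKey) {
    throw 'File contains a private key. Distribute only the public certificate.'
}

# Refuse a certificate that is outside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))."
}

# Open the Local Computer 'Trusted Root Certification Authorities' store (the store used in step 6).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadWrite')
try {
    # Add only if absent, then re-query so the script confirms the result instead of assuming it.
    $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($found.Count -eq 0) {
        $store.Add($cert)
        $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    }
    if ($found.Count -eq 0) { throw 'Import failed: certificate not found in the store after Add.' }
    Write-Output "Trusted root present: $($cert.Subject) [$($cert.Thumbprint)]"
}
finally {
    $store.Close()
}
```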


Copyright © 2009 by Microsoft Corporation. All rights reserved.