Exporting Your SSL Certificate from IIS 6.0 and Importing To ISA Server 2004
Sometimes you want to take an SSL certificate that you already own that is installed on your web server and import it into the ISA firewall’s machine certificate store. This allows for encryption of outbound SSL from the ISA server to the published Web site in an SSL to SSL bridging scenario. One example is publishing your Outlook Web Access (OWA) site through your ISA firewall. This article guides you through the steps required to export your SSL certificate from you Internet Information Server (IIS) 6.0 Web site and import that certificate into the ISA firewall’s machine certificate store.
Before you begin you should make sure that you have the password for the certificate available. The password that I am referring to is the one you used when you created the certificate. Without this password you can not transfer the certificate
The first thing to do is export your key from your IIS 6.0 Server, Windows 2003 (the steps are very similar in Windows 2000, IIS 5.0, however the screen shots are from IIS 6.0) as a .pfx file. Here are the steps:
- Login into your Windows 2003, IIS 6.0 server as an Administrator
- Open the IIS Manager.
- Navigate to the web site that has the SSL certificate installed.
- Right click and choose Properties
- Find the Directory Security Tab and choose it.
- Click on the Server Certificate button near the bottom.
- A Certification Wizard will appear, Click Next to bypass the "Welcome Screen."
- Now you should see a wizard page like this:
- If you don't see this exact page, then you do not have your SSL certificate installed. Install your SSL certificate first then re-due these steps. Another reason you might not see this page is that you chose the wrong web site in step #3
- Choose "Export the current certificate to a .pfx file" from the radio buttons and press next.
- In the next wizard page, choose a file location and save your .pfx file.
Now we need to return to the ISA firewall and import the SSL certificate. We need to add the certificate to the machine certificate store; not a user certificate store and not a service certificate store. It must be added to the local machine certificate store.
- First thing to do is copy the saved file to the ISA firewall.
- From the Start Bar, choose Start, Run, then enter mmc and press ENTER.
- An empty Microsoft Management Console should appear.
- From the Menu Bar of MMC choose File then Add/Remove Snap In.
- The Add/Remove Snap-In dialog will appear, then press the Add… on the Standalone Tab.
- The Add Standalone Snap-in dialog will appear, choose Certificates from the Snap-In List and press Add.
- The Certificates snap-in wizard will appear choose Computer account and press Next.
- From the next wizard page choose Local Computer:
- Click Finish, Close, then OK, until you are back at the Microsoft Management Console Interface with the Certificates snap-in added.
- Expand the Certificates snap-in, the branch named Personal, and then the Certificates branch of Personal
- Right click on Certificates and choose All Tasks, then Import…
- The Certificate Import Wizard will appears, press Next to get past the Welcome page.
- The second page will ask for the .pfx file that you exported from IIS. Find the file and press "Next"
- On the next page enter your password for the certificate. This is the password you used when you created the certificate on your IIS server for the every first time. Note that in none of the steps above you provide a password -- this is because passwords are not provided on exportation, they are done on creation. If you have forgotten your password you need to completely rebuild the SSL certificate on your IIS box, reapply for another one from the certificate authority, apply the certificate they give you and export the new certificate -- following all the steps again.
- On the next wizard page, follow the defaults and choose "Place all certificates in the following store" and choose Next.
Press finish on the final page to complete the importation of your certificate.
Using the Certificate
Now that you have the certificate imported into the local certificate store of your ISA Server, you can use that certificate when publishing a web site or mail server.
Publishing Outlook Web Access (OWA) Sites using ISA Server 2004 Firewalls
By Thomas W Shinder M.D., MVP
For an example of using an SSL certificate to publish an Publishing Outlook Web Access (OWA) with SSL.