With the new certificate loaded on the Ubuntu server, the next step for this particular configuration is to transfer the certificate over the the ForeFront server that front ends the web servers in my environment. We again start off with a SSH session and the friendly vi editor.
We will want to export the information into the PKCS12 format that forefront will require. To do this, we need both the properly signed certificate and the private key. Looking at the available arguments for the openssl pkcs12 command, we will want the use the following parameters:
- This indicates an export of the keys
- This identifies the private key for the certificate
- This is the properly signed certificate
- This is the output file in the *.p12 format
Putting it all together creates the prompt below. Additionally from the screenshot, the command is requesting the existing private key password as well as a new password to encrypt the output file.
openssl pkcs12 -export -inkey blog.destephen.com.key -in blog.destephen.com.crt -out blog.destephen.com.p12
With the files transferred over the the ForeFront system, we need to add the gd_bundler.crt to Windows. Simply right click on the certificate, then select “Install Certificate”. You will want to specify the Intermediate Certificate Authority store for the certificate. We will then install are PKCS12 certificate in the same manner into the Personal Certificate store.
Opening the Forefront TMG management window, we will browse to the Firewall Policies. Clicking on the policy for https://blog.destephen.com, we will modify the listener for https. As you can see from the screenshot, this listener also handles mail.destephen.com as well. Once the ForeFront Firewall Policy Listener tab is open, click on Properties.
We will want to select the Certificates tab of the properties window. Then click on “Select Certificates”.
Finally, click on the newly added, properly signed certificate.
NOTE: If you are getting to this step and your certificate visible, verify that the certificate is in the proper certificate store within Windows. If the certificate is visible, but has a red icon, verify that your private key was properly incorporated into the file exported from Ubuntu.
After selecting the proper certificate save and apply the changes. Once the ForeFront services restart, your new certificate will be active. You may have to clear your cache or test with a different browser for the certificate to be updated.