Certificate for DA replacement/renewal process

  • Question

  • Hello!

    The certificate for da.domain.com (and of course also for nls.domain.com) is about to expire, and I have not been able to find any satisfactory guidance on the certificate replacement. Is there a formal process? Is replacing the certificate in the computer's certificate store really enough? 

    The interim "safe" plan could look like this:

    1 / (NLS)
    - Back up the old certificate, install the new one into IIS
    2 / (UAG)
    - Back up the DA GPO on the DC
    - Back up the old certificate
    - ? Delete the certificate with netsh? (as described in the articles below)
    - Install the new certificate
    - Configure the new DA certificate
    - Unapplied policy (containing just the name, no hash)
    - Delete the old certificate
    - Activate the configuration, verify DA availability

    Interesting reading:
    http://itbloggen.se/cs/blogs/hasain/archive/2010/09/15/changing-the-iphttps-tunnel-certificate-in-directaccess.aspx
    http://technet.microsoft.com/en-us/library/ee731901(v=ws.10).aspx
    http://www.forefrontblog.nl/2011/06/24/da-0x103-usable-certificates/
    http://blogs.technet.com/b/tugait/archive/2011/06/29/installing-direct-access-in-tmg-machine-broke-ssl-publishing-rules.aspx

    Thanks in advance for any ideas. 

    Regards,
    Jan 
    Monday, November 12, 2012 3:47 PM

Answers

  • Hi,

    For the NLS certificate, just consider it a classic HTTPS web site certificate renewal. As long as your clients can check certificate validity you are OK with NLS. Just request a new certificate from your internal CA, install the certificate, change the SSL binding, restart NLS and check if it's OK. If not, you still have the previous certificate in the computer certificate store to restore the original HTTPS binding.

    For IPHTTPS, it's a little more complicated. The certificate binding must be updated in HTTPS.SYS. The DirectAccess wizard will do that for you. Just install a new certificate delivered by your public CA provider (choose a different friendly name to recognize it) and run the wizard. A new GPO will be created but the FQDN does not change, so there is no problem.

    And last, for the UAG DA certificate, computer certificate enrollment does the job. There is a renew option using the same private key. The process will work unless you forget to reconfigure RPC enforcement in TMG, as documented here on Tom Shinder's blog:

    http://blogs.technet.com/b/edgeaccessblog/archive/2010/04/22/deep-dive-into-uag-directaccess-certificate-enrollment.aspx

    Even if your client computers apply a new version of the DirectAccess client-side GPO, the only information included inside is the FQDN. If you do not change the IPHTTPS FQDN, there will be no problem.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Marked as answer by Jan Zak Tuesday, November 13, 2012 4:58 PM
    Monday, November 12, 2012 10:01 PM
  • Here is my experience in the field (key point being - do not delete any certificate until the swing is complete):

    Machine certs - These typically auto-renew and you don't have to do anything with them. The only time I have had to manually replace a machine cert on the UAG server is if TMG is blocking RPC access to the CA server, in which case you probably wouldn't have been able to get the cert there in the first place so this is pretty rare.

    NLS - As Benoit said, this is a simple HTTPS website. You can import a new certificate and change over to it in IIS, that's all you have to do.

    IP-HTTPS - Simply import the new certificate into the certificate store, and then re-run through the DirectAccess wizards to choose the new certificate (yes you can leave the old one there, forever if you want). After running through the wizards you must go through the UAG activation process, of course. You can confirm that the new certificate is in place by browsing to https://iphttpsurl.company.com:443/IPHTTPS from an outside computer and viewing the cert properties, to make sure you see the new expiration date. Once confirmed, then you can go back and delete the old cert if you would like.

    If you delete the old cert before moving to the new one, you will be breaking DirectAccess for some users, at least temporarily. Also, the wizard doesn't appreciate you jacking the cert out from under its feet, and can complain about it by getting sluggish.

    • Marked as answer by Jan Zak Tuesday, November 13, 2012 4:58 PM
    Tuesday, November 13, 2012 4:42 PM
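The swing both answers describe (import the new certificate, rebind, verify from outside, keep the old certificate until the new one is confirmed) as an added PowerShell example. This is not code from the thread or from UAG/Microsoft; it assumes PowerShell 2.0 or later on the Windows Server 2008 R2 box, a PFX exported with the new key at a placeholder path, the NLS site bound in HTTP.SYS on the placeholder ipport 0.0.0.0:443, and the hostnames used in the thread. The binding swap is meant for the NLS IIS site only; for IP-HTTPS the DirectAccess wizard and UAG activation do the rebind, and the script is then run with -ProbeOnly against the IP-HTTPS FQDN to read the certificate the listener actually presents, as the second answer suggests doing from an outside computer.

```powershell
# Added example, not code from the thread or from UAG: import a new certificate,
# swap the HTTP.SYS binding, verify what the listener presents, and roll back on
# failure. The old certificate is never deleted by this script.
# Paths, the PFX password, the ipport and hostnames are placeholders (assumptions).
param(
    [string]$PfxPath     = 'C:\certs\nls-new.pfx',   # assumption: new cert + private key
    [string]$PfxPassword = 'changeme',               # assumption
    [string]$IpPort      = '0.0.0.0:443',            # assumption: HTTP.SYS binding of the NLS site
    [string]$ProbeHost   = 'nls.domain.com',         # FQDN from the question
    [int]   $MinDaysLeft = 30,
    [switch]$ProbeOnly                               # only inspect, e.g. the IP-HTTPS URL after activation
)
$ErrorActionPreference = 'Stop'

# 1. Import the new certificate into LocalMachine\My. Nothing is removed: the old
#    certificate stays in the store for rollback until the swing is verified.
function Import-NewCert([string]$path, [string]$password) {
    $ksf   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
    $flags = $ksf::MachineKeySet -bor $ksf::PersistKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path, $password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert
}

# 2. Read the current HTTP.SYS SSL binding (certificate hash + application id)
#    so the previous state can be restored if verification fails.
function Get-SslBinding([string]$ipport) {
    $out   = netsh http show sslcert ipport=$ipport
    $hash  = $out | Select-String 'Certificate Hash\s*:\s*([0-9a-fA-F]+)'
    $appid = $out | Select-String 'Application ID\s*:\s*(\{[0-9a-fA-F-]+\})'
    if (-not $hash -or -not $appid) { throw "No SSL binding found for $ipport" }
    return @{ Hash  = $hash.Matches[0].Groups[1].Value
              AppId = $appid.Matches[0].Groups[1].Value }
}

function Set-SslBinding([string]$ipport, [string]$hash, [string]$appid) {
    netsh http delete sslcert ipport=$ipport | Out-Null
    netsh http add sslcert ipport=$ipport certhash=$hash appid=$appid | Out-Null
    iisreset /noforce | Out-Null          # the "restart NLS" step from the first answer
}

# 3. Network-side check: open a TLS session and read the certificate the listener
#    presents. Chain validation is skipped on purpose because the certificate is
#    inspected explicitly below; this is a diagnostic probe, not a trust decision.
function Get-PresentedCert([string]$hostname, [int]$port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($hostname, $port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($hostname)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $tcp.Close() }
}

# Returns $true when the presented certificate has enough validity left and,
# if a thumbprint is given, is the certificate we just bound.
function Test-PresentedCert([string]$hostname, [string]$expectedThumbprint, [int]$minDays) {
    $c = Get-PresentedCert $hostname
    $daysLeft = ($c.NotAfter - (Get-Date)).Days
    Write-Host ("{0} presents {1} ({2}), expires {3:yyyy-MM-dd}, {4} days left" -f `
        $hostname, $c.Thumbprint, $c.Subject, $c.NotAfter, $daysLeft)
    $ok = $daysLeft -ge $minDays
    if ($expectedThumbprint) { $ok = $ok -and ($c.Thumbprint -eq $expectedThumbprint) }
    return $ok
}

if ($ProbeOnly) {
    if (Test-PresentedCert $ProbeHost $null $MinDaysLeft) { exit 0 } else { exit 1 }
}

$old = Get-SslBinding $IpPort
$new = Import-NewCert $PfxPath $PfxPassword
Write-Host "Current binding: $($old.Hash)  New certificate: $($new.Thumbprint)"

Set-SslBinding $IpPort $new.Thumbprint $old.AppId
if (Test-PresentedCert $ProbeHost $new.Thumbprint $MinDaysLeft) {
    Write-Host "Swing verified. Old certificate $($old.Hash) left in the store; delete it only once clients are confirmed working."
} else {
    Write-Warning "Verification failed; restoring previous binding $($old.Hash)"
    Set-SslBinding $IpPort $old.Hash $old.AppId
    exit 1
}
```

Run it from an elevated prompt on the NLS server for the IIS swing, and with `-ProbeOnly -ProbeHost iphttpsurl.company.com` from a machine outside the network after the wizard and UAG activation to confirm the IP-HTTPS listener shows the new expiration date. The thumbprint comparison is case-insensitive because netsh prints the hash in lowercase and .NET in uppercase.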

All replies

  • Thanks to you both, I really appreciate your comments.
    We will not be able to re-enroll the certificate directly from the CA this time, and we have to enroll the certificate manually in advance. 

    Regards,
    Jan

    Tuesday, November 13, 2012 4:57 PM