Expiring Certificate in Threat Management Gateway workgroup configuration


  • Can someone point me to documentation on how to renew a expiring certificate in a Threat Management Gateway in an workgroup configuration.   The certificate is tied to the ISASTGCTL service.

    Thanks in advanced.

    venerdì 3 maggio 2013 13:56

Tutte le risposte

  • Hi,

    you can use the ISACERTTOOL to renew the certificate on the TMG Server:

    regards Marc Grote aka Jens Baier - - -

    domenica 5 maggio 2013 18:01
  • Hi Marc,

    My client does not allow to use  ISACERTTOOL on their production environment . Is there any other way to renew server certificate on TMG forefront servers in workgroup deployment.

    I have 2 load balanced (NLB) TMG servers (one primary and other secondary node). Please share the steps that how to renew the expiring certificate on both of these servers. 

    Can a single certificate e.g server01.workgroupname.local which is issue by internal CA (with the same workgroup) can be installed on both the TMG servers or do i need to issue 2 different certificates for both the servers and then install them individually.

    your quick response is much appreciated. 



    mercoledì 14 maggio 2014 11:07
  • You need to manually install the certificate then.

    See for install instructions and for creating the certificates.

    You need one server cert for each array member issued to the fqdn of the member it is supposed be installed on. You also need to make sure that root and enterprise (if applicable) ca are installed on all array members.

    Hth, Anders Janson Enfo Zipper

    mercoledì 14 maggio 2014 11:54
  • Thanks a Lot Anders but I could not understand "one server cert for each array member issued to the fqdn of the member" . Does it mean

    1 . different certificate for each array member (i.e server01.workgroup.local for server01 and server02.workgroup.local for server02)?    


    2. Single server certificate (server01.workgroup.local) for both the servers. server01 in the primary member of the array.

    I am asking this because at present I can see that there is same server certificate present (i,e server01.workgroup.local) on both the servers under ADAM_ISASTGCTRL\personal certificate store.

    could you please throw some light on it.

    Thanks and regards


    mercoledì 14 maggio 2014 12:26
  • Option 1

    Hth, Anders Janson Enfo Zipper

    giovedì 15 maggio 2014 12:56
  • Thanks a Lot Anders.. :-)

    mercoledì 21 maggio 2014 10:17