See below the closing summary of the case we had about this issue.
The scripts works fine, tested it with a issued certificate from our own CA also works.
The problem is related to how we generate the certificate for HTTPS inspection. It must be issued using CNG API.
(Certificate New Generation v3)
PROBLEM
Web access from internal computers to remote HTTPS sites using HTTPS inspection feature fails with error 0x8009000a
RESOLUTION
Use the following script to generate a custom CNG certificate for HTTPS inspection:
-
Copy the following lines in a file with .ps1 extension:
#SCRIPT - Generate Self-signed CNG Certificates for Certificate signing purpose, This will be used by TMG Https Inpection
#AUTHOR - Microsoft Corporation
#VERSION - 1.0
#$ErrorActionPreference = "Stop"
Write-Host "`n WARNING: This script sample is provided AS-IS with no warranties and confers no rights." -ForegroundColor red
Write-Host "`n This script sample will generate self-signed CNG Authority certificate to be used by TMG HTTPS Inspection feature"
Write-Host " in the Local Computer Personal certificate store.`n Private is can be exported. As well the .cer and .pfx files will be save ini the provided directory`n`n"
$outputDir = Read-Host "`nEnter directory path where certificate will be saved"
$Subject = Read-Host "`nEnter the Subject for certificate "
$password = Read-Host -assecurestring "`nPfx password"
$ValidateDays = Read-Host "`nCertificate Validity days: (please enter number of days)"
#Generate cert in local computer My store
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=$Subject", 0)
# The Key
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft Software Key Storage Provider" # CNG is Software Key Storage "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 0 # was 1 but 0 looks needed for CNG
http://msdn.microsoft.com/en-us/library/aa379409(VS.85).aspx
$key.keyUsage =0xfffff # Set the key usage to all usage
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
$key.Length = 2048
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)" # Allow Write NT AUTHORITY\SYSTEM Allow
Write BUILTIN\Administrators Allow Write NT AUTHORITY\NETWORK SERVICE
$key.MachineContext = 1
$key.ExportPolicy = 1 # Allow private key to be exported XCN_NCRYPT_ALLOW_EXPORT_FLAG 0x00000001
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379002(v=vs.85).aspx
$key.Create()
Write-Host "`nPrivate Key created ......"
#The certificate itself
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1" # Interface for self signed cert request
http://msdn.microsoft.com/en-us/library/windows/desktop/aa377124(v=vs.85).aspx
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$today =get-date
$cert.NotBefore = $today.AddDays(-1) # yesterday
$cert.NotAfter = $cert.NotBefore.AddDays($ValidateDays)
# Add Key usage to the certificate, this is needed as TMG chek this during certificate import
$KeyUsage = new-object -com "X509Enrollment.CX509ExtensionKeyUsage.1"
$Keyusage.InitializeEncode(0x4) #0x4 XCN_CERT_KEY_CERT_SIGN_KEY_USAGE
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
$cert.X509Extensions.Add($keyusage)
$cert.Encode()
Write-Host "`nCertificate created ......"
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")
Write-Host "`nCNG self signed installed in the Computer certificate local store"
#Create the ".pfx" and ".cer" version by exporting the just inserted certificate
$store = new-object System.Security.Cryptography.X509Certificates.X509Store "My","LocalMachine"
$store.Open("ReadOnly")
$certs = $store.Certificates
$cerPath = $outputDir+ "\"+ $Subject+ ".cer"
$pfxPath = $outputDir + "\" + $Subject + ".pfx"
foreach ($cert in $certs)
{
# write-host $cert.Subject
if($cert.Subject -like ("CN="+ $Subject))
{
$ExportCert = $cert.Export(1) #http://msdn.microsoft.com/fr-fr/library/system.security.cryptography.x509certificates.x509certificate2.aspx
1=.cer 3=.fx
[System.IO.File]::WriteAllBytes(($cerPath),
$ExportCert)
Write-Host "`nCertificate .cer exported to: " $cerPath
$PFXStrData =$cert.Export(3,$password)
[System.IO.File]::WriteAllBytes($pfxPath, $PFXStrData)
Write-Host "`nCertificate with private Key .pfx exported to: " $pfxPath
}
}
$store.close()
#now Import it to Local computer Root store
$RootCert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$RootStore = new-object System.Security.Cryptography.X509Certificates.X509Store "Root","LocalMachine"
$RootStore.Open("ReadWrite")
$RootStore.Add($RootCert)
Write-Host "`nCertificate installed in Local computer - Trusted root"
$RootStore.close()
Write-Host "`nDone ... `n" -ForegroundColor Green
-
Open a Power Shell window and run the script. Follow the instructions.
-
The .cer and .pfx will be save in the folder of your choice. As well .cer will be installed in the local computer / trusted root.
-
Configure the HTTPS inspection to use this custom certificate. Follow the steps described in:
http://technet.microsoft.com/en-us/library/dd441053
Generating the HTTPS inspection certificate
-
Deploy the HTTPS inspection certificate in the client computers, just as you did for your current one. You could deploy it using both AD DS and manually. For
detailed description follow steps in:
http://technet.microsoft.com/en-us/library/dd441069
Deploying the HTTPS inspection trusted root CA certificate to client computers
Regards, Bas
