Deploying the HTTPS inspection trusted root CA certificate to client computers

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to import the HTTPS inspection trusted root certification authority (CA) certificate to client computers. When implementing HTTPS inspection in your organization, this certificate must be installed on each client computer.

There are two methods by which you can import the HTTPS inspection trusted root CA certificate to client computers:

  • Automatically through Active Directory Domain Services (AD DS)—Automatic deployment using AD DS is the recommended method, because the certificate is stored in a secured location, and it saves administrators the overhead of manual deployment.

    Note

    Automatic certificate deployment requires Forefront TMG to be deployed in a domain environment.

  • Manually on each client computer—If you are not using AD DS, the certificate must be installed manually on each client computer, and it must be placed in the Trusted Root Certification Authorities store of the local computer (not in the current user's store).

Note

This topic describes how to deploy or import the HTTPS inspection trusted root CA certificate to client computers that use Internet Explorer to access HTTPS sites. Internet Explorer, and any other application that relies on the Windows certificate store, trusts the certificate as soon as it is installed there. Web browsers that maintain their own certificate store must be configured separately; refer to the Web browser's documentation.

The following procedures describe:

  • Deploying the certificate automatically

  • Removing an automatically deployed certificate

  • Deploying the CA certificate manually

Deploying the certificate automatically

To deploy the certificate using AD DS

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the Tasks pane, click Configure Web Access Policy.

  3. On the Certificate Deployment Preferences page, in the Domain administrator username box, enter the name in the format Domain\Username.

    Note

    The credentials you enter must have sufficient privileges to update AD DS, and allow for running processes on Forefront TMG.

  4. Continue advancing through the wizard, and click Finish at the end. On the Apply Changes bar, click Apply. No further configuration is necessary; the certificate is forwarded to Active Directory and deployed to client computers automatically.

    Important

    • Deployment to client computers occurs after the group policy is applied, and can take up to eight hours.

    • Until client computers receive the certificate, accessing HTTPS Web sites will generate a warning message in Internet Explorer. To prevent this, it is recommended that you temporarily disable HTTPS inspection. You can do this by clicking Configure HTTPS Inspection in the Tasks pane of the Web Access Policy node, and then clearing the check box Enable HTTPS inspection. When deployment has finished, re-enable HTTPS inspection.

Removing an automatically deployed certificate

If it becomes necessary to remove a certificate that was deployed automatically to client computers, you can do so by running the following command:

certutil.exe -dc <Domain Controller> -dsdel <Subject_Name>

<Subject_Name> refers to the subject name of the HTTPS inspection certificate.

Note

  • The account under which you run the command must have sufficient privileges to update AD DS.

  • Removal from client computers occurs after the group policy is applied, and can take up to eight hours.
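The automatic deployment above, and the removal command in this section, both leave you waiting on group policy with no direct feedback. The following PowerShell function is an added example (it is not part of the Forefront TMG documentation) that you run on a domain-joined client to confirm whether the HTTPS inspection root CA certificate is currently trusted by the local computer, and which physical store (enterprise or group policy) delivered it; after certutil -dsdel it confirms the certificate has gone. The function name and the thumbprint value are assumptions: take the real thumbprint from the certificate on the Forefront TMG server.

```powershell
# Added example, not part of the Forefront TMG documentation: run on a
# domain-joined client to check whether the HTTPS inspection root CA
# certificate has arrived through AD DS (or, after certutil -dsdel, has gone).
# The thumbprint passed at the bottom is a placeholder; take the real one from
# the certificate on the Forefront TMG server before relying on the result.
function Test-TmgRootDeployed {
    param(
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint,
        [switch]$RefreshPolicy
    )
    # Normalise "ab cd ef ..." or "AB:CD:EF..." into the bare upper-case hex
    # that the Cert: drive uses for thumbprints.
    $tp = ($ExpectedThumbprint -replace '[\s:]', '').ToUpper()

    # Deployment only happens once Group Policy has been applied (up to eight
    # hours); force a refresh instead of waiting when asked to.
    if ($RefreshPolicy) { & gpupdate.exe /target:computer /force | Out-Null }

    # The logical LocalMachine\Root store is what Internet Explorer consults;
    # it merges every physical store, so this answers "is it trusted right now?".
    $cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $tp }

    # Ask certutil which physical store delivered it: 'enterprise' (certificates
    # published in AD DS) or 'grouppolicy' (pushed by a GPO). A root that was
    # added by hand, or is only in the user store, shows 'none'.
    $sources = foreach ($scope in 'enterprise', 'grouppolicy') {
        $hashes = & certutil.exe "-$scope" -store Root 2>$null | ForEach-Object {
            if ($_ -match 'Cert Hash\(sha1\):\s*(.+)$') {
                ($Matches[1] -replace '\s', '').ToUpper()
            }
        }
        if ($hashes -contains $tp) { $scope }
    }

    $subject  = $null
    $notAfter = $null
    if ($cert) { $subject = $cert.Subject; $notAfter = $cert.NotAfter }
    $source = 'none'
    if ($sources) { $source = $sources -join ',' }

    # New-Object rather than [pscustomobject] so the script also runs on the
    # PowerShell 2.0 that shipped with the clients of this period.
    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        Thumbprint = $tp
        Trusted    = [bool]$cert
        Subject    = $subject
        NotAfter   = $notAfter
        Source     = $source
    }
}

# Placeholder thumbprint (assumption): replace with the real value.
Test-TmgRootDeployed -ExpectedThumbprint '0000000000000000000000000000000000000000' -RefreshPolicy:$false
```

Trusted is what matters for the warning message described above: keep HTTPS inspection disabled until it reports True on a representative set of clients, and re-check after a removal until it reports False. Source tells you whether the certificate really came through AD DS rather than from an earlier manual import, which would survive certutil -dsdel.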

Deploying the CA certificate manually

The manual deployment of the HTTPS inspection trusted root CA certificate requires two actions:

  1. Exporting the certificate from Forefront TMG.

  2. Importing the certificate to each client computer.

To export the certificate

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the Tasks pane, click Configure Web Access Policy, and then follow the instructions in the wizard.

  3. On the Certificate Deployment Preferences page, select I will manually export and deploy the certificate, type a file name and location, and then click Next.

  4. Continue advancing through the wizard, and then click Finish.

The following operation requires administrative rights on the client computer.

To manually import the certificate to a client computer

  1. On the client computer, click Start, click All Programs, click Accessories, and then click Run.

  2. Type MMC, and then press ENTER.

  3. In the Microsoft Management Console, click the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

  4. In the Certificates snap-in dialog box, select Computer account, and then click Next.

  5. In the Select Computer window, ensure that Local computer is selected, click Finish, and then click OK in the Add or Remove Snap-ins window to close it.

  6. In the Microsoft Management Console, in the Logical Store Name pane, right-click Trusted Root Certification Authorities, click All Tasks, and then click Import.

  7. In the Certificate Import Wizard, browse to the file that you previously created when you exported the certificate, and then click Next.

  8. On the Certificate Store page, make sure that all certificates are placed in the Trusted Root Certification Authorities certificate store, click Next, and then click Finish.
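Repeating the MMC steps on every client does not scale, and it offers no check that the file being imported is the certificate you exported. The following PowerShell function is an added example (it is not part of the Forefront TMG documentation) that performs the same import into the Trusted Root Certification Authorities store of the local computer from a script, refusing the file unless its thumbprint matches the one recorded on the Forefront TMG server and it is actually a self-signed CA certificate. The function name, the file path and the thumbprint are assumptions.

```powershell
# Added example, not part of the Forefront TMG documentation: a scripted
# equivalent of the MMC import above, for installing the exported root CA
# certificate on many clients (startup script, remote session). Run it with
# administrative rights. The file path and thumbprint passed at the bottom
# are placeholders; record the thumbprint from the certificate on the
# Forefront TMG server.
function Import-TmgRootCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CerPath,
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
    )
    $ErrorActionPreference = 'Stop'

    # The local computer store can only be written with administrative rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Writing to the local computer store requires administrative rights.'
    }

    # Load the exported file (DER and Base-64 encoded .cer are both accepted).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # Pin the thumbprint. Whatever lands in Trusted Root is trusted for every
    # HTTPS site the client visits, so refuse anything but the certificate you
    # exported from Forefront TMG (for example a file swapped on a share).
    $tp = ($ExpectedThumbprint -replace '[\s:]', '').ToUpper()
    if ($cert.Thumbprint -ne $tp) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $tp."
    }

    # Sanity-check that it really is a root CA certificate: self-signed, with
    # a Basic Constraints extension (OID 2.5.29.19) that says CA=TRUE.
    if ($cert.Subject -ne $cert.Issuer) { throw 'Certificate is not self-signed; not a root CA.' }
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw 'Basic Constraints does not mark this certificate as a CA.'
    }

    # Trusted Root Certification Authorities of the local computer: the same
    # store the MMC steps target (not the current user's store).
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        $already = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        if ($already.Count -gt 0) {
            "Already present in LocalMachine\Root: $($cert.Subject)"
        } else {
            $store.Add($cert)
            "Imported into LocalMachine\Root: $($cert.Subject) ($($cert.Thumbprint))"
        }
    } finally {
        $store.Close()
    }

    # Confirm through the Cert: drive that Windows now sees it where Internet Explorer looks.
    Get-ChildItem "Cert:\LocalMachine\Root\$($cert.Thumbprint)" | Select-Object Subject, NotAfter, Thumbprint
}

# Placeholder values (assumptions): point at the file you exported in the wizard above.
Import-TmgRootCertificate -CerPath 'C:\Deploy\TMG-HTTPS-Inspection-Root.cer' `
                          -ExpectedThumbprint '0000000000000000000000000000000000000000'
```

The thumbprint check is the part worth keeping even if you adapt the rest: a client that trusts this root will accept any certificate the holder of its private key issues for any HTTPS site, so the exported file should be treated with the same care as the key on the Forefront TMG server, and every client should be shown to have installed exactly that certificate and nothing else.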

Next Steps

Configuring the certificate validation policy

Concepts

Configuring HTTPS inspection
Planning for HTTPS inspection