Generating the HTTPS inspection certificate
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic describes how to generate the HTTPS inspection certificate that Forefront TMG uses for inspecting traffic to secure Web sites. When HTTPS inspection is enabled, Forefront TMG intercepts any request to access an HTTPS site by a client computer, and impersonates that Web site by generating a Secure Sockets Layer (SSL) certificate of that site as and when required. Forefront TMG uses the HTTPS inspection certificate in order to sign the newly created Web site certificate.
There are two methods by which you can generate an HTTPS inspection certificate:
Using Forefront TMG
Using a local certification authority (CA)
The following procedure describes how to generate the certificate using Forefront TMG. For information regarding generating the HTTPS inspection certificate using a local CA, see Requesting a certificate from a local certification authority.
When using a certificate generated by a local CA, the certificate must be trusted on the Forefront TMG computer.
For general information about HTTPS inspection, including information regarding the certificates necessary for implementation, see Planning for HTTPS inspection.
To generate the HTTPS inspection certificate
In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
In the Tasks pane, click Configure Web Access Policy, and then follow the instructions in the Web Access Policy Wizard.
On the HTTPS Inspection Settings page of the wizard, select Allow users to establish HTTPS connections to Web sites, and then select Inspect HTTPS traffic and validate HTTPS site certificates. Click Next.
On the HTTPS Inspection Preferences page of the wizard, select one of the following:
Use a certificate automatically generated by Forefront TMG—This is the default option, suitable for most deployments.
Use a custom certificate—Choosing this option allows you to do one of the following:
Enter a custom name for the HTTPS inspection certificate and provide other details, such as an expiration date.
Import an existing certificate, which you may want to do if you have a local CA. If you use this option, make sure that the certificate you import is a Personal inFormation eXchange (.pfx) file and that the certificate's key usage is defined for Certificate Signing.
This option is located on the Select Certification Authority page which is accessed by first selecting Use a custom certificate.
Click Finish, and then on the Apply Changes bar, click Apply.
The HTTPS inspection certificate is stored to the configuration storage, and array members can begin using the HTTPS inspection certificate after synchronizing with the configuration storage.