EssentialSSL Certificate Installation: Microsoft ISA 2000

May 25, 2018 in SMTP and SHA 1

You will be receiving the following five files from Sectigo:

  • Root AddTrustExternalCARoot.crt
  • Intermediate CA UTNAddTrustSGCCA.crt
  • Intermediate CA SectigoUTNSGCCA.crt
  • Intermediate CA EssentialSSLCA.crt
  • domain/site certificate yourdomainname.crt

Or click to download the EssentialSSLCA files
Please also refer to the Microsoft website for details Installation Instructions for Microsoft ISA 2000 Server

How to setup Internet Security and Acceleration Server to Host Web Sites by using the Secure Sockets Layer (SSL) Protocol.

This information applies to: Microsoft Internet Security and Acceleration Server 2000

  • You must first export the SSL certificate of the Web site with the associated Private Key. If you do not have this key, ISA server will not allow you to use this certificate for SSL:
  • Open a blank Microsoft Management Console (MMC).
  • Add the Certificates snap-in.
  • When requested, select the options for 'Computer Account' and 'Local Computer'.
  • Expand Personal, and then expand Certificates. You should see a certificate with the name of your Web site in the 'Issued To' column.
  • Right-click on the certificate, select All Tasks, and then select Export.
  • On the Export window, click Next.
  • Click Yes, ensure you select 'export the private key', and then click Next.

note: If you do not have the option to export the Private key then the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on ISA Server. You must request a new certificate for this site for ISA Server.

  • Select the option for 'Personal Information Exchange', and then click to select the appropriate check boxes for all three sub-options.
  • Assign a password and confirm it.
  • Assign a file name and location.
  • Click Finish.

note: Ensure that you keep the file safe the SSL protocol depends upon this file.

  • Copy the file that you created to ISA Server.
  • On the ISA Server, open the MMC:
  • Add the Certificate snap-in, as previously instructed.
  • Click the Personal folder.
  • Right-click All Tasks, and then click Import.
  • Click Next on the Import Wizard.
  • Ensure that your file is listed, and then click Next.
  • Enter the password for the file (created earlier).
  • On the sub-option, click to select the 'Mark the private key as exportable' check box.
  • Leave the import setting on 'Automatically', and then click Next. Click Finish.

Now you will need to import the root and intermediate certificates.

  • Click the Start Button then select Run and type mmc
  • Click File and select Add/Remove Snap in
  • Select Add, select Certificates from the Add Standalone Snap-in box and click Add
  • Select Computer Account and click Finish
  • Close the Add Standalone Snap-in box, click OK in the Add/Remove Snap in
  • Return to the MMC

To install the Root Certificate AddTrustExternalCARoot.crt supplied in the zip file:

  • Right click the Trusted Root Certification Authorities, select All Tasks, and select Import.
  • Click Next.
  • Locate the Root Certificate(AddTrustExternalCARoot.crt) and click Next.
  • When the wizard is completed, click Finish.

To install the Intermediate CA Certificate UTNAddTrustSGCCA.crt, SectigoUTNSGCCA.crt and EssentialSSLCA.crt:

  • Right click the Intermediate Certification Authorities, select All Tasks, and select Import.
  • Complete the import wizard again, but this time selecting the UTNAddTrustSGCCA.crt when prompted for the Certificate file.
  • Once you have installed the UTNAddTrustSGCCA.crt repeat the above process to install the SectigoUTNSGCCA.crt and EssentialSSLCA.crt

Ensure that the Root certificate(AddTrustExternalCARoot.crt) appears under Trusted Root Certification Authorities
Ensure that the intermediate certificates(UTNAddTrustSGCCA.crt,SectigoUTNSGCCA.crt and EssentialSSLCA.crt) appears under Intermediate Certification Authorities

Important: You must now restart the computer to complete the install.

  • Under the Personal folder, when a subfolder called 'Certificates' is displayed, click Certificates and verify that there is a certificate with the name of the Web computer.
  • Right-click the certificate and then click Properties.
  • If the 'Intended Purposes' field of the certificate is set to 'All' rather than a list of specific purposes, the following steps must be followed before the certificate can be recognized by ISA Server:
  • In the Certificate Services snap-in, open the Properties dialog box of the relevant certificate.
  • Change the Enable all purposes for this certificate option to the Enable only the following purposes option, select all of the items, and then click Apply.
  • Open the ISA Manager and complete the SSL install:
  • Right-click the server accepting the incoming connection, and click Properties.
  • Click the Incoming Web Requests tab.
  • Click the Internet Protocol (IP) address entry for the site that you are going to host, or the 'all IP addresses' entry if you do not have individual IP addresses set up.
  • Click Edit.
  • Click to select the Use a server certificate to authenticate to web users check box.
  • Click Select.
  • Select your previously imported certificate.
  • Click OK.
  • Click to select the Enable SSL listeners check box.
  • Expand the 'Publishing' folder and click on Web Publishing Rules.
  • Double click on the Web Publishing Rule that will route the SSL traffic.
  • On the Bridging tab, choose the option to Redirect SSL requests as: 'HTTP requests (terminate the secure channel at the proxy)'. Click OK.

Restart ISA Server. (note this means a reboot of the server itself not a service restart)

Installing the Root and Intermediate Certificates

If you have any problems with the installation of your certificate on IIS 5/6, check you have installed the root and intermediate certificates correctly, by following the instructions here.