
ISA Server 2006 Workgroup Deployment Certificate Renewal

March 5, 2009

One question that I hear with regularity is “how do I renew the machine certificate for my CSS?” when ISA Enterprise is configured in a workgroup. In the past I have recommended running a repair from the installation media, then specifying the new certificate when prompted by the installation wizard. Recently I asked my good friend Yuri Diogenes if there was a better or easier way to accomplish this. In an article he just published on the ‘Tales From The Edge’ community site, he recommended using the ISACertTool utility.

The ISACertTool can be downloaded from Microsoft here. Before running the ISACertTool, make sure that you have a valid server certificate available in an exported (.pfx) file. Also, be sure to place the root certificate of the issuing CA in a location that is accessible to all array members before running the tool. Once you have downloaded and extracted the ISACertTool according to the documentation, open a command window on the CSS and execute the following command:

isacerttool.exe /st filename /pswd password /keepcerts

/st filename installs the exported certificate on the CSS. filename specifies the path and name of the exported certificate file.

/pswd password specifies the password that may be required when installing the server certificate.

/keepcerts specifies that existing certificates should not be deleted.

Extract the ISACertTool on each array member, then open a command prompt and execute the following command:

isacerttool.exe /fw filename

/fw filename installs the root CA certificate in the local computer store. filename is the path and name of the root CA certificate.
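
A pre-flight check for the exported .pfx before running the /st step, added here as an example; it is not part of the original post or of the ISACertTool documentation. It assumes Windows PowerShell with .NET Framework 2.0 or later, and Test-CssPfx and css-cert.pfx are hypothetical names.

```powershell
# Added example: sanity-check the exported .pfx before handing it to
# isacerttool.exe /st. The function name and file name are placeholders.
function Test-CssPfx {
    param([string]$Path, [System.Security.SecureString]$Password)

    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $full  = (Resolve-Path $Path).ProviderPath
    # Throws if the file is not a PKCS#12 file or the password is wrong.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                 -ArgumentList $full, $Password, $flags

    $problems = @()
    if (-not $cert.HasPrivateKey) {
        $problems += 'No private key in file (re-export with the private key included).'
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore) { $problems += "Not valid until $($cert.NotBefore)." }
    if ($now -gt $cert.NotAfter)  { $problems += "Expired on $($cert.NotAfter)." }

    # An Enhanced Key Usage extension (OID 2.5.29.37), when present,
    # must list Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $usages = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($usages -notcontains '1.3.6.1.5.5.7.3.1') {
            $problems += 'Enhanced Key Usage does not include Server Authentication.'
        }
    }

    # Shown so the operator can compare against the certificate being replaced.
    Write-Host "Subject:    $($cert.Subject)"
    Write-Host "Thumbprint: $($cert.Thumbprint)"
    Write-Host "Expires:    $($cert.NotAfter)"
    return ,$problems
}

# Prompt for the password instead of typing it on the command line.
$pw     = Read-Host 'PFX password' -AsSecureString
$issues = Test-CssPfx -Path '.\css-cert.pfx' -Password $pw
if ($issues.Count) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Certificate file looks usable for isacerttool.exe /st'
}
```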

  1. October 15, 2010 at 9:36 pm

    FYI – the tool name has a typo. Should be ISACERTTOOL.EXE.

    A couple of other things that readers might find helpful:

    1. A lot of people struggle with obtaining the .PFX file. GoDaddy and others typically offer .CRT files. You need to complete the SSL install on the original IIS server which will install the certificate on the server, then export it from the Certificates MMC (and during the export, you can choose to include the private key which will get you the required .PFX file).

    2. ISACertTool isn’t really installed. It is extracted. And it is best to extract it to the program directory where ISA is installed (default is C:\Program Files\Microsoft ISA Server). Otherwise, the tool will complain about a missing .DLL.

    3. To simplify the procedure, copy your .PFX file to the same directory. Then, you won’t have to specify a path when you use the /st switch.

    4. If you are using a public CA (as is typical with ISA implementations), you won’t need to worry about the root CA certificate in most cases (as those will be there by default with your Windows operating system installation).

    Finally… it is important to test and verify… BUT… if your old cert isn’t expired, how do you verify? The best way I’ve found is to launch the Certificates MMC, specify the local computer (ISA CSS), then specify a service account (which should be ISASTGCTRL). The old and new certificate should be listed there (which indicates a successful installation). Of course, the ISACertTool should give you a success message too.

    I’ll post this info to my blog at http://pyhooya.blogspot.com too.

  2. October 17, 2010 at 1:15 pm

    Thanks for the additional information, and for bringing the typo to my attention! 🙂 I’ll add the link to your addendum post as well.

    http://pyhooya.blogspot.com/2010/10/renew-or-replace-isa-2006-ssl.html

  3. azhar latif
    February 4, 2011 at 4:54 pm

    To article ***** five stars rating.

    Just one tiny little thing to add is that the isacerttool needs to be run from the “c:\program files\Microsoft ISA server” directory, otherwise you’ll get an error about msfpc.DLL.

    Thanks very useful post!

  4. February 5, 2011 at 9:17 pm

    Glad you like the post, and thanks for the tip too! 😀

  5. Brian Svidergol
    September 17, 2011 at 8:47 pm

    FYI – the URL for the link above has been changed. The new URL is:
    http://briansvidergol.blogspot.com/2010/10/renew-or-replace-isa-2006-ssl.html

  6. September 21, 2011 at 8:58 am

    Thanks for the heads-up! 🙂
