Re: Apache 2.x for Windows running behind ISA 2004 - intermediate certificate not trusted
- From: "ZVR" <no_spam_ever@xxxxxx>
- Date: Thu, 3 Aug 2006 22:43:07 -0400
I assume you are publishing the Apache web site via web publishing in ISA
2004.
If that is the case and you want to use SSL bridging (people connect to ISA
via https, then ISA decrypts the request, inspects the content, and forwards
it to Apache), you need to perform the following steps:
1. Install the Apache certificate on the ISA Server machine, in the
"Personal" folder of the "Local Computer" store, and create an SSL listener
on ISA using that certificate. You will need to import a PFX file containing
both the certificate and the corresponding private key.
2. Install GoDaddy's own certificate (the certificate of the certification
authority that issued your Apache cert) into the "Trusted Root Certification
Authorities" folder of the "Local Computer" store.
You may want to reboot after you perform 1) and 2) above. After that your
SSL bridging should work. If the instructions above are not clear, take a
look at the following article:
Publishing Web Servers with ISA 2004:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/publishingwebservers.mspx
(See the "SSL bridging" section as well as the rest of the document - it is
a very good one indeed.)
Note: a simpler way to publish your Apache server is to just use HTTPS
server publishing instead of web publishing. This however does not offer the
same degree of security - requests are simply forwarded to the Apache server
without being decrypted and inspected by ISA. You could use this as an
intermediate step until you figure out the proper procedures for SSL
bridging.
Virgil
<verticalrabbit@xxxxxxxxx> wrote in message
news:1154655477.930968.49200@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm new to ISA 2004 but as I thought it would be intuitive, I dove
right in and have been losing sleep ever since. To be brief - Windows
2003 with Apache for Windows 2.x running with SSL v3 certificate
installed, downloaded from GoDaddy.com. They use an intermediate
certificate and this seems to be causing all the trouble.
I generated my csr, obtained my certificate and installed the server
and intermediate keys along with the private key on apache (pointed the
ssl.conf file to the cert location). The problem is that when I attempt
to roll over or redirect the apache server to the application server,
or try to use the java based help from within, the "security
certificate was issued by a company that's not valid" and "The security
certificate has not expired and is still valid."
I only get this problem when trying to put the firewall between the
server and the client - which is the goal of a firewall, of course.
The certificate just seems to not be coming across correctly - or is
not showing the root CA - although all three have been installed
(including using openssl on apache to create a p12 certificate that
includes the private key).
Please help - I'm under a deadline.
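
Added example (not part of either post above): a certificate issued through an intermediate CA validates only when the verifier can obtain that intermediate, which this script shows with the openssl command-line tool. The root, intermediate and leaf are throwaway certificates constructed for the demo; the names demo-*.example and the functions make_chain and check_chain are made up here.

```shell
#!/bin/sh
# Constructed demo chain: root -> intermediate -> leaf (all names are made up).

# make_chain DIR : create keys and certificates for the three-level chain in DIR.
make_chain() (
  cd "$1" || exit 1
  # Extensions for CA certificates (root and intermediate) and for the server leaf.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n.example" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
  done
  # Root signs itself, root signs the intermediate, intermediate signs the leaf.
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.pem 2>/dev/null &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 2 \
    -days 2 -extfile ca.ext -out int.pem 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 3 \
    -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# check_chain DIR [with-intermediate]
# Prints "trusted" if a path leaf -> ... -> root can be built, else "untrusted".
# Without the second argument the verifier knows only the root, like a client
# that receives the server certificate alone.
check_chain() {
  if [ "${2:-}" = "with-intermediate" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
      "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi && echo trusted || echo untrusted
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir"
echo "verifier has root only:             $(check_chain "$demo_dir")"
echo "intermediate supplied to verifier:  $(check_chain "$demo_dir" with-intermediate)"
rm -rf "$demo_dir"
```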