This post is about configuring a Unified Access Gateway (UAG) trunk with an SSL certificate whose private key is held by an nCipher HSM through the nCipher cryptographic service provider (CSP).
If you have created a certificate request manually and assigned the certificate to a UAG trunk, activating the UAG configuration may fail with the following error:
Forefront Unified Access Gateway failed to activate the Internet Information Service configuration. This might be due to a problem accessing the site’s certificate in the Certificate Store. Reinstalling the certificate may resolve the problem.
To make UAG work with an SSL certificate that is maintained by an nCipher CSP, you must follow the instructions in the Integration Guide Microsoft Internet Information Services IIS (7.0) and nCipher Modules. In my case, I used a Windows Server 2003 certification authority (CA), which does not support CNG keys. The Thales documentation explains how to create a certificate with a CNG key, so I had to slightly modify the request file (as illustrated in step 3 below) to make it work with the Windows Server 2003 CA.
After setting up the HSM security world and making the HSM available to the UAG server, follow these steps:
- Execute the following command in a command window with Administrator permissions so that the HTTP service (and therefore the web server) depends on the "nFast Server" service and only starts after the HSM is reachable:
%NFAST_HOME%\bin\ncsvcdep.exe -a http
- Make sure that the nCipher Security World Key Storage Provider is registered on the system. You can list the registered providers with the following command:
If the nCipher provider is not in the list, run the CNG configuration wizard from the Start menu.
- Create a certificate request file ncipher.inf that looks similar to the following sample (the [Version] and [NewRequest] section headers are required by certreq):
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=app.contoso.com" ; put the public application name here
KeyLength = 2048
MachineKeySet = TRUE ; key goes into the machine (not user) key set so IIS can use it
SMIME = FALSE
ProviderName = "nCipher Security World Key Storage Provider" ; key is generated in and never leaves the HSM
KeyUsage = 0xf0 ; digital signature, non-repudiation, key encipherment, data encipherment
HashAlgorithm = SHA1 ; hash used to sign the request; kept at SHA1 for the Windows Server 2003 CA
KeyAlgorithm = RSA
- Compile the certificate request with the following command. This generates the key material in the HSM and writes the certificate request to the file system. For related information see also How Certificates Are Created.
certreq -new ncipher.inf ncipher.req
- Submit the ncipher.req file to the certification authority and save the issued certificate as ncipher.cer.
- Once the certificate has been issued by the CA, install it on the UAG computer with the following command, which places the certificate in the machine store and binds it to the private key held by the HSM:
certreq -accept ncipher.cer
- Once the certificate has been installed, it appears in the General tab of any HTTPS trunk configuration. After linking a certificate to a trunk, you must activate the UAG configuration again.
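The whole procedure above, scripted end to end in PowerShell, as an added example that is not part of the original post or of the Thales documentation. It assumes the HSM security world is already loaded, that the nCipher tools live under %NFAST_HOME%, that the CA can be reached with certreq -submit using the placeholder config string ca01.contoso.com\Contoso-CA, that C:\uag-cert is a scratch directory, and that app.contoso.com stands in for the real trunk name. The provider check uses certutil -csplist, which the post refers to but does not show; the final check uses certutil -store to confirm that the installed certificate's private key is reported by the nCipher provider, which is the condition behind the UAG activation error quoted above.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# window on the UAG server after the HSM security world has been loaded.
$ProviderName = "nCipher Security World Key Storage Provider"
$Subject      = "CN=app.contoso.com"             # assumption: placeholder trunk name
$WorkDir      = "C:\uag-cert"                    # assumption: scratch directory
$CaConfig     = "ca01.contoso.com\Contoso-CA"    # assumption: CA as "host\CA name"

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath = Join-Path $WorkDir "ncipher.inf"
$ReqPath = Join-Path $WorkDir "ncipher.req"
$CerPath = Join-Path $WorkDir "ncipher.cer"

# Step 1: make the HTTP service depend on "nFast Server" so IIS never tries
# to open the HSM-backed key before the HSM is reachable.
& "$env:NFAST_HOME\bin\ncsvcdep.exe" -a http
if ($LASTEXITCODE -ne 0) { throw "ncsvcdep failed with exit code $LASTEXITCODE" }

# Step 2: confirm the nCipher provider is registered. certutil -csplist prints
# every registered CSP and KSP; if it is missing, run the CNG wizard first.
$providers = certutil -csplist | Out-String
if ($providers -notmatch [regex]::Escape($ProviderName)) {
    throw "'$ProviderName' is not registered; run the nCipher CNG configuration wizard."
}

# Step 3: write the request file with the same settings as the sample above.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
MachineKeySet = TRUE
SMIME = FALSE
ProviderName = "$ProviderName"
KeyUsage = 0xf0
HashAlgorithm = SHA1
KeyAlgorithm = RSA
"@ | Set-Content -Path $InfPath -Encoding ASCII

# Step 4: generate the key pair inside the HSM and the PKCS#10 request on disk.
certreq -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Step 5: submit the request and save the issued certificate. If the CA leaves
# the request pending, approve it on the CA and fetch it with certreq -retrieve.
certreq -submit -config $CaConfig $ReqPath $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed (the request may be pending on the CA)" }

# Step 6: install the certificate and bind it to the HSM-held private key.
certreq -accept $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Check: the certificate is in LocalMachine\My, has a private key, and that key
# is served by the nCipher provider rather than a software CSP. A certificate
# that fails this check is exactly what UAG cannot activate.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate for $Subject not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no associated private key" }

$keyInfo = certutil -store My $cert.Thumbprint | Out-String
if ($keyInfo -notmatch [regex]::Escape($ProviderName)) {
    throw "Private key is not held by the nCipher provider:`n$keyInfo"
}
Write-Host "OK: $($cert.Subject) ($($cert.Thumbprint)) is backed by $ProviderName"
```

Once the script reports OK, bind the certificate to the trunk in the General tab and activate the UAG configuration; if activation still fails, the certutil -store output printed by the failing check shows which provider actually owns the key.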