ISA Firewall Tip: Keep Track of Your Certificate Expiration Dates
I hadn’t used my Windows Mobile 2003 enabled Samsung i730 phone for a few days. So what did I see when I fired up the phone this morning? An error message in the ActiveSync application indicating that the certificate on the destination server was expired. I confirmed that my phone wasn’t crazy by checking the Event Log on the ISA firewall.
Solving the problem was easy. The first step was to renew the Web site certificate using the IIS Web Site Certificate Wizard. After renewing the OWA site’s Web site certificate, the next step was to export the certificate with its private key to a file. I then copied that file to a USB key and then copied it from the USB key to the ISA firewall (after I enabled the USB interface on the ISA firewall).
At the ISA firewall I changed the configuration of the Web listener used by the OWA Web Publishing Rule to use another certificate and disabled the rule and then saved the changes to storage. I did this to prevent any issues that might pop up when I subsequently deleted the OWA Web site certificate from the ISA firewall’s machine certificate store. After changing the Web site certificate on the Web listener and disabling the Web Publishing Rule, I opened the Certificates MMC and deleted the old OWA Web site certificate from the ISA firewall’s machine Personal certificates store. I then imported the new certificate into the ISA firewall’s machine certificate store from the file I copied from the USB key to the ISA firewall’s hard disk.
After the OWA Web site certificate was installed in the ISA firewall’s local machine certificate store, I went back into the ISA firewall console and changed the Web listener used by the OWA Web Publishing Rule to use the new OWA certificate and enabled the rule and saved the changes to firewall storage.
Total time: 6 minutes and 45 seconds (approx.)
Moral of the story? Keep track of your certificate expiration dates. I’m usually pretty good at keeping track of these things but this one fell through the cracks. It’s easy to do: just create an Outlook Calendar entry for a week before certificate expiration and renew your certificates at that time. Then your users won’t complain about those weird "Server Certificate is Expired" messages.
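A calendar entry works, but the ISA firewall can also tell you itself. The following is an added example (not part of the original tip) that lists every certificate in the Local Machine Personal store that has a private key, which is what a Web listener needs, and is expired or expires within the warning window; the 7-day window and the assumption that it runs elevated on the ISA firewall are mine.

```powershell
# Added example: report Web listener certificates that are expired or about
# to expire, so an expiring OWA certificate is caught before ActiveSync
# clients start reporting "Server Certificate is Expired".
# Assumptions: run in an elevated PowerShell session on the ISA firewall
# (or any Windows host holding the listener certificate); WarnDays defaults
# to the one-week lead time the tip recommends.
param(
    [int]$WarnDays = 7
)

$now      = Get-Date
$deadline = $now.AddDays($WarnDays)

# Only certificates with a private key can be bound to a Web listener,
# so those are the ones worth tracking here.
$expiring = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -le $deadline } |
    Sort-Object NotAfter

if (-not $expiring) {
    Write-Output "No listener certificates expire within $WarnDays days."
    return
}

foreach ($cert in $expiring) {
    $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)
    $state = if ($cert.NotAfter -lt $now) {
        "EXPIRED"
    } else {
        "expires in $daysLeft day(s)"
    }
    # Subject, thumbprint and NotAfter identify which listener certificate
    # needs renewing and re-importing.
    Write-Output ("{0}`t{1}`t{2}`t{3}" -f $cert.Subject,
                                          $cert.Thumbprint,
                                          $cert.NotAfter.ToString('yyyy-MM-dd'),
                                          $state)
}
```

Run it from a scheduled task once a day and the report shows up before the phone does.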
Thomas W Shinder, M.D.
MVP -- ISA Firewalls