Background

When the signing certificate is requested, ClearTunnel stores the keys inside the ISA configuration, so the same keys can be imported easily across all ISA servers in an array.

When renewing the signing certificate, ClearTunnel tries to re-use these keys, so that all previously signed and cached web server certificates will still remain valid.

Meaning of the error

If the keys are not found in the ISA configuration, it is not possible to get a new signing certificate using the old keys. This means every certificate cached by ClearTunnel on all servers in the array will become invalid once a new signing certificate is issued. If the old cached certificates are not deleted, then ClearTunnel will not be able to serve HTTPS requests until the problem is corrected.

Remedy procedure

  • In the ClearTunnel "Mode" tab, select "Disabled". Save and apply the configuration change.
  • In ISA Enterprise, wait for this change to be synchronized to the servers.
  • Close the ISA management console.
  • Open mmc.exe.
  • Add the "Certificates" snap-in, select "Service account", "Local computer", then the "Microsoft Firewall" service.
  • In fwsrv\Personal\Certificates, select all items and delete them.
  • In fwsrv\Intermediate Certification Authorities\Certificates, find the entries whose "Issued To" value is "ClearTunnelSigning" and delete only those.
  • Do this on all ISA servers in the array before proceeding.
  • Open the ISA management console on an ISA server in the array.
  • Navigate to the ClearTunnel "Certificates" dialog. The status should now read "Need to request certificate".
  • From this point, request a new certificate by following the normal procedure in the ClearTunnel documentation.
  • Save and apply the ISA changes.
  • If you have an enterprise array, follow the documentation: go to the ClearTunnel "Certificates" tab on each additional ISA server and install the certificate there.
  • Restart the Microsoft Firewall service (on each array member).
  • Navigate to the ClearTunnel "Mode" tab and select "Full Bridge". Save and apply the changes.
  • Ensure that HTTPS browsing succeeds and that the site's certificate is signed by ClearTunnel. Also verify that the certificate is new by examining its "Valid from" and "Valid to" properties.
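The final verification step can be scripted from a client workstation. The following PowerShell is an added example, not part of the ClearTunnel documentation; it assumes the ISA web proxy listener address, the test site and the renewal time given as placeholder parameters, and that a bridged certificate's issuer carries the signing certificate's name, "ClearTunnelSigning", as the Intermediate Certification Authorities entries above indicate.

```powershell
# Added verification script (not ClearTunnel's own code). All three
# parameters are placeholders: the ISA web proxy listener, an HTTPS site
# bridged by ClearTunnel, and the time the new signing certificate was issued.
param(
    [string]   $ProxyUrl     = "http://isa-proxy.example.local:8080",
    [string]   $TestUrl      = "https://www.example.com/",
    [datetime] $RenewedAfter = (Get-Date).AddHours(-1)
)

# Accept any certificate for the duration of the request so the handshake
# completes even if trust is broken; trust is checked explicitly below.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    $req = [System.Net.HttpWebRequest]::Create($TestUrl)
    $req.Proxy  = New-Object System.Net.WebProxy($ProxyUrl)
    $req.Method = "HEAD"
    $resp = $req.GetResponse()
    $resp.Close()
    # The certificate presented on this connection, i.e. the one ClearTunnel signed.
    $raw = $req.ServicePoint.Certificate
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}
if ($null -eq $raw) { throw "No server certificate was captured for $TestUrl" }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $raw

$now = Get-Date
$result = [pscustomobject]@{
    Subject             = $cert.Subject
    Issuer              = $cert.Issuer
    ValidFrom           = $cert.NotBefore
    ValidTo             = $cert.NotAfter
    # Signed by ClearTunnel: the signing certificate's name appears in the issuer (assumption).
    SignedByClearTunnel = $cert.Issuer -like "*ClearTunnelSigning*"
    # Issued after the renewal, so it is not a stale cached certificate.
    IssuedAfterRenewal  = $cert.NotBefore -gt $RenewedAfter
    CurrentlyValid      = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    # Chain builds to a root this client trusts (the ClearTunnel root).
    ChainTrusted        = $cert.Verify()
}
$result | Format-List

if (-not ($result.SignedByClearTunnel -and $result.IssuedAfterRenewal -and
          $result.CurrentlyValid -and $result.ChainTrusted)) {
    Write-Warning "Bridged certificate check failed; see the fields above."
    exit 1
}
```

A failing IssuedAfterRenewal with an otherwise valid certificate indicates a stale cached certificate survived on at least one array member.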