In your openssl.cnf in the v3_ca section:

  • Change basicConstraints to say:

    critical,CA:true

  • Uncomment the line:

    keyUsage = cRLSign, keyCertSign

Now, perform the following commands:

  • openssl req -newkey rsa:1024 -nodes -keyout ClearTunnelSigning.key -out ClearTunnelSigning.csr

    Important: the common name you give at the prompts should be ClearTunnelSigning.

  • openssl ca -config openssl.cnf -extensions v3_ca -infiles ClearTunnelSigning.csr

    Sign and commit.

  • Find the new .pem file (the location depends on the openssl.cnf):

    openssl pkcs12 -export -out ClearTunnelSigning.pfx -keysig -inkey ClearTunnelSigning.key -in ClearTunnelSigning.pem

Take this pfx to ISA and use it with the InstallCert tool as detailed in Appendix C of the ClearTunnel documentation. You will also need a base-64 encoded file containing the trust chain (public certificates) of your openssl authority structure. These are often stored in .cer files, which can be concatenated together to produce one "chain" file.

A typical installation would use the commands:

    cd "\Program Files\Microsoft ISA Server\Collective Software\ClearTunnel"
    InstallCert.exe /PFX:ClearTunnelSigning.pfx /Chain:cacert.pem
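
The chain file has to be base-64 text, but .cer files may be either base-64 or binary DER, and base-64 files that lack a trailing newline run their END/BEGIN markers together when concatenated. The following Python script is an added example, not part of the ClearTunnel documentation: it normalizes a set of .cer files into one base-64 chain file and refuses anything containing private key material. The file names and placeholder bytes in demo() are constructed, and the script checks only the outer encoding, not the certificate contents.

```python
import base64
import re
import ssl
import tempfile
from pathlib import Path

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def load_certs(data: bytes) -> list:
    """Return the DER bytes of every certificate in one .cer/.pem file."""
    if b"PRIVATE KEY-----" in data:
        # The chain file holds public certificates only.
        raise ValueError("private key material found")
    bodies = PEM_CERT.findall(data)
    if bodies:  # base-64 (PEM) file, possibly holding several certificates
        ders = [base64.b64decode(b"".join(b.split()), validate=True) for b in bodies]
    else:       # otherwise treat the whole file as one binary DER certificate
        ders = [data]
    for der in ders:
        if der[:1] != b"\x30":  # a certificate is an ASN.1 SEQUENCE (tag 0x30)
            raise ValueError("not a PEM or DER certificate")
    return ders

def build_chain(cer_paths, out_path) -> int:
    """Write every certificate in cer_paths to out_path as PEM; return the count."""
    ders = [der for p in cer_paths for der in load_certs(Path(p).read_bytes())]
    pem = "".join(ssl.DER_cert_to_PEM_cert(der) for der in ders)
    Path(out_path).write_bytes(pem.encode("ascii"))
    return len(ders)

def demo() -> str:
    """Build a chain from constructed placeholder files (not real certificates)."""
    fake_root = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"root-ca-placeholder"
    fake_sub = b"\x30\x82\x01\x0a" + bytes(range(255, -1, -1)) + b"sub-ca-placeholder"
    with tempfile.TemporaryDirectory() as tmp:
        root, sub, out = (Path(tmp) / n for n in ("root.cer", "sub.cer", "cacert.pem"))
        root.write_bytes(fake_root)  # binary DER export
        # base-64 export with CRLF line endings and no trailing newline
        pem_sub = ssl.DER_cert_to_PEM_cert(fake_sub).strip().replace("\n", "\r\n")
        sub.write_bytes(pem_sub.encode("ascii"))
        build_chain([sub, root], out)
        return out.read_text()

if __name__ == "__main__":
    print(demo())
```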