
A list of steps to create a ClearTunnel signing certificate using OpenSSL instead of a Microsoft certificate authority.
In your openssl.cnf, in the v3_ca section:
- Change basicConstraints to say:
  basicConstraints = critical,CA:true
- Uncomment the line:
  keyUsage = cRLSign, keyCertSign
Now perform the following commands:
- Generate the private key and certificate request. Important: the Common Name you enter at the prompt must be ClearTunnelSigning.
  openssl req -newkey rsa:1024 -nodes -keyout ClearTunnelSigning.key -out ClearTunnelSigning.csr
- Sign the request with the v3_ca extensions:
  openssl ca -config openssl.cnf -extensions v3_ca -infiles ClearTunnelSigning.csr
  Answer "y" to the "Sign the certificate?" and "commit?" prompts.
- Find the newly issued .pem file (it is written to the new_certs_dir set in openssl.cnf), copy it to ClearTunnelSigning.pem, then bundle the key and certificate into a PFX:
  openssl pkcs12 -export -out ClearTunnelSigning.pfx -keysig -inkey ClearTunnelSigning.key -in ClearTunnelSigning.pem
Take this PFX to the ISA server and use it with the InstallCert tool as detailed in Appendix C of the ClearTunnel documentation. You will also need a Base64-encoded (PEM) file containing the trust chain (the public certificates) of your OpenSSL authority structure. These are often stored in .cer files, which can be concatenated together to produce one "chain" file.
A typical installation would use the commands:
cd "\Program Files\Microsoft ISA Server\Collective Software\ClearTunnel"
InstallCert.exe /PFX:ClearTunnelSigning.pfx /Chain:cacert.pem
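The OpenSSL half of the procedure above, run end to end and then checked, as an added example that is not part of the ClearTunnel documentation. It stands up a throwaway root CA so it can run anywhere (your real CA and openssl.cnf replace that), passes the Common Name with -subj instead of typing it at the prompt, uses -batch to answer the "Sign"/"commit" prompts, and writes the issued certificate straight to ClearTunnelSigning.pem with -out/-notext rather than hunting for it under new_certs_dir. The check function then confirms what InstallCert will be handed: the right CN, CA:TRUE, keyCertSign and cRLSign, a chain that verifies, and a PFX that opens. The export password "changeit" and the paths are constructed placeholders; the key size is 2048 bits rather than the page's 1024, which current guidance no longer accepts. The ISA-side InstallCert step is Windows-only and is not reproduced here.

```shell
#!/bin/sh
# Added example, not from the ClearTunnel documentation: the OpenSSL side of the
# procedure run against a throwaway root CA, then a check of the issued cert.
set -eu

command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

PFX_PASS="changeit"   # constructed placeholder; use your own export password

# Minimal openssl.cnf whose v3_ca section already carries the two edits the
# page asks for (basicConstraints = critical,CA:true and the uncommented
# keyUsage line) plus the bookkeeping entries "openssl ca" needs.
write_config() {
  work="$1"
  cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
new_certs_dir  = $work/newcerts
database       = $work/index.txt
serial         = $work/serial
certificate    = $work/cacert.pem
private_key    = $work/ca.key
default_days   = 365
default_md     = sha256
policy         = policy_anything
unique_subject = no

[ policy_anything ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_root

[ req_dn ]

[ v3_root ]
subjectKeyIdentifier = hash
basicConstraints     = critical,CA:true
keyUsage             = cRLSign, keyCertSign

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical,CA:true
keyUsage               = cRLSign, keyCertSign
EOF
}

make_signing_cert() {
  work="$1"
  mkdir -p "$work/newcerts"
  : > "$work/index.txt"
  echo 01 > "$work/serial"
  write_config "$work"

  # Throwaway root CA so the example runs stand-alone; your real CA replaces it.
  openssl req -x509 -config "$work/openssl.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Root CA" -keyout "$work/ca.key" -out "$work/cacert.pem"

  # Page step 1: key and request. -subj supplies the Common Name the page says
  # to type at the prompt (2048-bit RSA here instead of the page's 1024).
  openssl req -config "$work/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=ClearTunnelSigning" \
    -keyout "$work/ClearTunnelSigning.key" -out "$work/ClearTunnelSigning.csr"

  # Page step 2: sign with the v3_ca extensions. -batch answers the "Sign the
  # certificate?" and "commit?" prompts; -out/-notext write clean PEM directly.
  openssl ca -batch -notext -config "$work/openssl.cnf" -extensions v3_ca \
    -out "$work/ClearTunnelSigning.pem" -infiles "$work/ClearTunnelSigning.csr"

  # Page step 3: bundle key and certificate into the PFX InstallCert consumes.
  openssl pkcs12 -export -keysig -out "$work/ClearTunnelSigning.pfx" \
    -inkey "$work/ClearTunnelSigning.key" -in "$work/ClearTunnelSigning.pem" \
    -passout "pass:$PFX_PASS"

  # The /Chain: file: every CA certificate above the signing cert, PEM form,
  # concatenated. Here that is only the root; append intermediates as needed.
  cat "$work/cacert.pem" > "$work/chain.pem"
}

# Returns 0 only if the issued certificate is what ClearTunnel expects: the
# right CN, CA:TRUE, keyCertSign + cRLSign, a chain that verifies, a PFX that opens.
check_signing_cert() {
  work="$1"
  cert="$work/ClearTunnelSigning.pem"
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  printf '%s\n' "$text" | grep -q 'CN *= *ClearTunnelSigning' || return 1
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" | grep -q 'Certificate Sign, CRL Sign' || return 1
  openssl verify -CAfile "$work/chain.pem" "$cert" >/dev/null 2>&1 || return 1
  openssl pkcs12 -in "$work/ClearTunnelSigning.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | openssl x509 -noout -subject | grep -q 'ClearTunnelSigning' || return 1
}

WORK=$(mktemp -d)
make_signing_cert "$WORK"
check_signing_cert "$WORK" && echo "ClearTunnelSigning.pfx and chain.pem are ready in $WORK"
```

Run the check against the certificate your real CA issues before copying the PFX to the ISA server: a request signed without -extensions v3_ca comes out as an ordinary end-entity certificate with no CA:TRUE and no keyCertSign, and the check rejects it, which is exactly the mistake the two openssl.cnf edits above are meant to prevent.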