My experience dealing with ISA Server cases on a daily basis has shown me that certificates are a delicate subject. It is the type of thing that is initially simple, but when a certificate expires it can be a pain and can bring your ISA Server down if you don’t plan the renewal process ahead.
In the economic turmoil that we live in, it is getting quite normal that the IT pro who before was only responsible for administering his messaging system is now “promoted” to administer the AD infrastructure and the company’s firewall. The result is sometimes quite frustrating because of a lack of documentation, no knowledge transfer and higher pressure to keep things working.
I remember one scenario where the new IT guy had been in the company for only 2 weeks when his ISA Server stopped working and the whole Internet was down. Panicked and clueless about what was going on, this IT guy contacted us. We found out that his certificate was expired and the Firewall Service was not starting (see an article about that in ISA Blog next week). The problem at that time was that he had no idea about their PKI infrastructure, which Root CA had issued the certificate, etc. Bottom line: a case that was supposed to take 5 minutes if we had all the info that we needed took 5 hours.
Last month our supportability team asked me to write an article about certificates that could help in scenarios like this. It took me some time to repro the most common issues and document them; some members of our team reviewed it (see the tech reviewers in the article), and yesterday the article was published. Take a look at http://technet.microsoft.com/en-us/library/dd547090.aspx