Communicator Web Access uses digital certificates to authenticate servers and users. Before you install Communicator Web Access, you must configure the computer with trusted certificates for MTLS (mutual Transport Layer Security) and Secure Sockets Layer (SSL):

• MTLS certificate
  An MTLS certificate is required on all Communicator Web Access servers and on any load balancer that is associated with an array of Communicator Web Access servers. The MTLS certificate is used to authenticate connections between Communicator Web Access and Office Communications Server 2007. All MTLS certificates must be issued by the same trusted certification authority that issued the MTLS certificates on Office Communications Server 2007.
  

  Important:
  An MTLS connection will succeed only if the subject name for the MTLS certificate is the FQDN (fully qualified domain name) of the Communicator Web Access server.

• SSL certificate
  An SSL certificate is required on all Communicator Web Access servers and on any load balancer that is associated with an array of Communicator Web Access servers. The SSL (Secure Sockets Layer) certificate is used by clients that are connecting to the Communicator Web Access server. Each virtual server that is configured with HTTPS (HTTP with SSL) must have an SSL certificate. The CA that issues the SSL certificate for Communicator Web Access does not have to be the same one that issues the Office Communications Server 2007 SSL certificates or the MTLS certificates.
  

If you are deploying a custom authentication solution, including SSO (single sign-on), or you are publishing Communicator Web Access to the Web by using SSL, there are additional certificates:

• The Communicator Web Access virtual server is enabled for custom authentication, and an ISA Server 2006 with an SSO-enabled Web listener is deployed.
  
• SSL-based Web publishing is introduced.
  

  Note:
  Computers in your Communicator Web Access such as load balancers and reverse proxies may have additional certificate requirements that are imposed by the hardware manufacturer or software vendor. See your vendor documentation for details.

 MTLS Certificates

The MTLS certificate identifies the Communicator Web Access server to the Office Communications Server 2007 server or pool. The subject of the Communicator Web Access certificate, which can be configured in the Communicator Web Access Manager, is always the FQDN of the Communicator Web Access server computer. This certificate must be issued by the same CA that issued the Office Communications Server 2007 MTLS certificates.

The MTLS certificate must be configured as shown in Table 4.

Table 4: MTLS Certificate Configuration Requirements

Certificate Field	Value
Version	3
Template Duplicated	Web Server
EKU	Server Authentication (1.3.6.1.5.5.7.3.1)
Private Key	Enabled for Export
Key Usage	Digital Signature, Key Encipherment (a0)

 SSL Certificates

The SSL certificate authenticates users who are accessing the Communicator Web Access virtual server through a specific URL, which the user enters in a Web browser.

The HTTPS certificate must be configured as shown in Table 5.

Table 5: HTTPS Certificate Configuration Requirements

Certificate Field	Value
Version	3
Template Duplicated	Web Server
EKU	Server Authentication (1.3.6.1.5.5.7.3.1)
Private Key	Enabled for Export
Key Usage	Digital Signature, Key Encipherment (a0)

The subject name of the SSL certificate corresponds to the FQDN of either the server or the load balancer if one is present. On a reverse proxy that is deployed in the perimeter network, the subject name of the SSL certificate corresponds to the FQDN of the reverse proxy. Table 6 summarizes the FQDN of the SSL certificate in several examples.

Table 6: Certificate Requirements

Scenario	Certificate Subject Name
Single Communicator Web Access virtual server on a computer named computer1.contoso.com No Web publishing No load balancing	The server has an SSL certificate whose subject name is the FQDN of the server, in this case, computer1.contoso.com
Two or more Communicator Web Access servers behind a load balancer with a virtual IP (VIP) address of cwaVIP.contoso.com No SSO or SSL Web publishing	Each Communicator Web Access server behind the load balancer has an SSL certificate whose subject name is the FQDN of the load balancer, cwaVIP.contoso.com, regardless of the computer name.
Two or more Communicator Web Access servers behind a load balancer with a VIP of: cwaVIP.contoso.com The VIP is SSL Web published with a reverse proxy that uses the URL cwaPub.contoso.com	Each Communicator Web Access server behind the load balancer has an SSL certificate whose subject name is the FQDN of the load balancer, cwaVIP.contoso.com, regardless of the computer name The subject name of the external network listener certificate is the FQDN of the reverse proxy, cwaPub.contoso.com.

Both NetBIOS names and FQDNs are supported as the subject name of a certificate when you request a certificate from a certification authority. For more information on how to configure certificates by using the NetBIOS name, see "How to Implement SSL with a Stand-Alone Certificate Server in Virtual Server 2005" at http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=sslVS2005.