3.3 Configure Certificates

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Office Communications Server requires certificates on each Standard Edition server in order to use MTLS (TLS with mutual authentication). All Office Communications Servers use MTLS to communicate with one another. If you do not configure MTLS on each server, users may be able to sign in to Office Communications Server, but presence and IM communications may not work properly.

Each client will also need to trust the certificate that the server is using in order to connect to the server by using TLS. You can use the Certificates Wizard on a Standard Edition server to do the following:

  • Request, create, and assign a new Web certificate with enhanced key usage for server authentication.

  • Assign an existing certificate.

You can use the same certificate for the Web Components Server, but the certificate for the Web Components Server must be assigned separately in IIS. You cannot use the Certificates Wizard to assign the certificate to the Web Components Server; instead, the certificate must be assigned by using Internet Information Services (IIS) Manager.

To configure a new certificate

  1. Log on to your Standard Edition server as a member of the Administrators group and the RTCUniversalServerAdmins group. You must also have permission from your certificate authority to request a certificate.

  2. Insert the Microsoft Office Communications Server 2007 CD. If you are installing from a network share, go to the \Setup\I386 folder, and then double-click setup.exe. The Deployment Tool will start automatically.

  3. Click Deploy Standard Edition Server.

  4. At Configure Certificate, click Run.

  5. On the Welcome to the Certificate Wizard page, click Next.

  6. On the Available Certificate Tasks page, click Create a new certificate, and then click Next.

  7. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.

  8. On the Name and Security Settings page, do the following:

    • Under Name, enter a meaningful name for the certificate that this server will use for Office Communications Server communications.

    • Under Bit length, select the bit length that you want to use for encryption. A higher bit length is more secure, but it can degrade performance.

    • Clear the Mark cert as exportable check box.

  9. When you are finished, click Next.

  10. On the Organization Information page, type or select the name of your organization and organizational unit, and then click Next.

  11. On the Your Server’s Subject Name page, do the following:

    • In Subject Name, verify that the server FQDN is displayed.

    • In Subject Alternate Name, verify that the required entries exist.

      Note

      SANs are required on your server for each supported SIP domain in the format sip.<domain> if all of the following are true:

        • Your organization supports multiple SIP domains.

        • Clients are using automatic configuration.

        • This server is the first server that clients connect to.

      If you configured clients for automatic sign-in, the Certificate Wizard automatically added these SIP domains to the certificate request.

  12. When you are finished, click Next.

  13. On the Geographical Information page, enter the Country/Region, State/Province, and City/Locality. Do not use abbreviations. When you are finished, click Next.

  14. On the Choose a Certification Authority page, the wizard attempts to automatically detect any CAs that are published in Active Directory. Do one of the following:

    • Click Select a certificate authority from the list detected in your environment, and then click your certification authority (CA).

    • Click Specify the certificate authority that will be used to request this certificate, and then type the name of your CA in the box in the format <CA_FQDN>\<CA_instance>, for example, CA.contoso.com\CAserver1. If you type the name of an external CA, a dialog box appears. Type the user name and password that you use for the external CA, and then click OK.

  15. When you are finished, click Next.

  16. On the Request Summary page, review the settings that you specified, and then click Next.

  17. On the Certificates Wizard completed successfully page, click Assign.

  18. A dialog box appears and informs you that the settings were applied successfully. Click OK.

  19. Click Finish.

  20. Submit this file to your CA (by e-mail or other method supported by your organization for your Enterprise CA). If your CA is configured for automatic approval, proceed to the next procedure. If your CA requires CA administrator approval to issue a certificate, the administrator must manually approve or deny the certificate issuance request on the issuing CA before you can assign it.
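The following script is an added example and is not part of the original page or of Office Communications Server itself. After the wizard has assigned a certificate, it checks every certificate in the local computer's Personal store against the requirements stated above: the Subject Name carries the server FQDN, the Subject Alternate Name lists sip.<domain> for each supported SIP domain, the Enhanced Key Usage includes Server Authentication, and the private key is present and not marked exportable. The server FQDN and SIP domain list are placeholders that you must replace; the DNS-name parsing relies on the English "DNS Name=" wording that the SAN extension's Format() method produces.

```powershell
# Added example (not from the original page): validate certificates in the
# local machine store against the requirements in "Configure Certificates".
$ServerFqdn    = 'ocs01.contoso.com'                 # assumed placeholder: this server's FQDN
$SipDomains    = @('contoso.com', 'fabrikam.com')    # assumed placeholder: SIP domains you support
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                 # EKU OID for Server Authentication

function Test-OcsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # Step 11: Subject Name must show the server FQDN (SimpleName returns the CN).
    $cn = $Cert.GetNameInfo('SimpleName', $false)
    if ($cn -ne $ServerFqdn) { $problems += "Subject CN is '$cn', expected '$ServerFqdn'" }

    # Step 11 note: SAN must contain sip.<domain> for every supported SIP domain.
    $sanExt   = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        # Format($true) yields one line per entry, e.g. "DNS Name=sip.contoso.com"
        $sanNames = $sanExt.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        }
    }
    foreach ($d in $SipDomains) {
        if ($sanNames -notcontains "sip.$d") { $problems += "SAN is missing sip.$d" }
    }

    # The wizard requests a certificate with EKU for server authentication.
    $ekuExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($ekuOids -notcontains $ServerAuthOid) { $problems += 'EKU does not include Server Authentication' }

    # Step 8: private key must exist and "Mark cert as exportable" should be cleared.
    if (-not $Cert.HasPrivateKey) {
        $problems += 'No private key in the store'
    } elseif ($Cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider] -and
              $Cert.PrivateKey.CspKeyContainerInfo.Exportable) {
        $problems += 'Private key is marked exportable'
    }

    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "Expired on $($Cert.NotAfter)" }

    return ,$problems
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $issues = @(Test-OcsCertificate $_)
    if ($issues.Count -eq 0) {
        "OK    $($_.Thumbprint)  $($_.Subject)"
    } else {
        "FAIL  $($_.Thumbprint)  $($_.Subject)"
        $issues | ForEach-Object { "      - $_" }
    }
}
```

Run it in an elevated PowerShell session on the Standard Edition server; a certificate reported as OK is one the Certificates Wizard can assign for MTLS, and a FAIL line explains which of the requirements above is not met.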

Configuring an Existing Certificate

To configure an existing certificate

  1. Log on to your Standard Edition server with an account that is a member of the Administrators group and the RTCUniversalServerAdmins group and has permissions to request and assign a certificate from your certificate authority.

  2. Insert the Microsoft Office Communications Server 2007 CD. If you are installing from a network share, go to the \Setup\I386 folder, and then double-click Setup.exe. The Deployment Tool will start automatically.

  3. Click Deploy Standard Edition Server.

  4. At Configure Certificate, click Run.

  5. On the Welcome to the Certificate Wizard page, click Next.

  6. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.

  7. On the Available Certificates page, click the certificate that you want to assign to the server, and then click Next.

  8. On the Configure the Certificate(s) of your Server page, review the certificate assignments, and then click Next to assign the certificate.

  9. Click Finish.

Assign the Web Components Server (IIS) Certificate

Assign the certificate to the Web Components Server by using the Internet Information Services (IIS) Manager.

To assign the certificate to the Web Components Server (IIS)

  1. Log on to the server as a member of the Administrators group.

  2. Click Start, click Control Panel, click Administrative Tools, and then click Computer Management.

  3. Expand the Services and Applications node, and then expand the Internet Information Services (IIS) Manager node.

  4. Expand the Web Sites node, right-click Default Web Site, and then click Properties.

  5. Click the Directory Security tab.

  6. Under Secure communications, click Server Certificate.

  7. On the Welcome to the Web Server Certificate Wizard page, click Next.

  8. Click Assign an existing certificate, and then click Next.

  9. Select the certificate that you requested by using the Certificates Wizard, and then click Next.

  10. On the SSL Port page, verify that port 443 will be used for SSL, and then click Next.

  11. Review the certificate details, and then click Next to assign the certificate.

  12. Click Finish to exit.

  13. Click OK to close the Default Web Site Properties page.
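As an added check that is not part of the original page, the script below connects to the server's SSL port and reports which certificate IIS actually presents, so you can confirm that the Web Components Server is serving the certificate you selected in the Web Server Certificate Wizard (step 9) on port 443 (step 10). The server name and expected thumbprint are placeholders; the validation callback accepts any certificate so that even an untrusted one is reported rather than hidden behind a connection error, and the thumbprint comparison is what decides the result.

```powershell
# Added example (not from the original page): report the certificate that the
# Web Components Server presents on its SSL port and compare it with the expected one.
$ServerFqdn         = 'ocs01.contoso.com'                            # assumed placeholder
$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'     # assumed placeholder

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented; we only want to inspect it here.
        $callback = { param($sender, $cert, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$presented = Get-PresentedCertificate -HostName $ServerFqdn -Port 443
if ($presented.Thumbprint -eq $ExpectedThumbprint) {
    "OK: port 443 presents $($presented.Subject) ($($presented.Thumbprint))"
} else {
    "MISMATCH: port 443 presents $($presented.Subject) ($($presented.Thumbprint)), expected $ExpectedThumbprint"
}
```

Take the expected thumbprint from the certificate you assigned with the Certificates Wizard (for example from the Thumbprint column of Get-ChildItem Cert:\LocalMachine\My); a mismatch usually means the Default Web Site still holds an older or self-signed certificate in its Directory Security settings.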