Installing Certificates for Communicator Web Access

[This is preliminary documentation and is subject to change. Blank topics are included as placeholders.]

Certificates from a trusted certification authority (CA) must be installed on the computer where you will create the virtual servers before you install Communicator Web Access. If you plan to configure Communicator Web Access server to use HTTP with SSL (HTTPS), the certification chain for the same CA must be installed on all computers that use the Communicator Web Access client for desktop sharing.

This topic describes procedures to download a certificate chain, install the certificate chain, request a certificate, and then install the certificate using a Microsoft Windows Server 2003 SP1 or later public key infrastructure (PKI) that has not implemented automatic enrollment. If you are using Microsoft Windows Server 2003 SP1 or later PKI and you set up automatic enrollment when you deployed the PKI for Office Communications Server, you do not have to use the procedures in this topic. Instead, users who are authenticated in Active Directory can be automatically enrolled in a certificate through a group policy. For information about PKI best practices, see "Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure" at https://go.microsoft.com/fwlink/?LinkId=124314. For detailed information about certificate configuration, see Preparing Certificates for Communicator Web Access.

The certificates that are used for the 2007 R2 version of Communicator Web Access and the certificates that are used for Office Communications Server 2007 R2 can be issued by the same trusted CA or different CAs. For example, if you deployed a Windows Server 2003 SP1 or later enterprise root CA for the MTLS and SSL certificates on Office Communications Server, you can use the same CA when you request the MTLS and SSL certificates on Communicator Web Access.

If you are using a public CA for the MTLS and SSL certificates, we recommend that you follow the instructions provided by the public CA to obtain and install certificates for Communicator Web Access, and then skip to Installing and Activating Communicator Web Access.

Download and Install the Certificate Chain

Note

The following procedures assume that the server and the user can access the internal certification authority by using the physical network and Certificate Services Web enrollment. We recommend that you not use the Web enrollment component for computers that are not in your internal network.

Download and install the certificate chain to establish trust with the certification authority (CA) that will issue your certificates.

To download the CA certification path

  1. Log on to the computer as a member of the Administrators group.

  2. Open a Web browser. In the address bar, type the Web enrollment URL of the CA (the port number is optional), and then press ENTER:

    https://<CA_FQDN>[:<port_number>]/certsrv

  3. Under Select a task, click Download a CA certificate, certificate chain, or CRL.

  4. Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.

  5. In the File Download dialog box, click Save.

  6. Save the .p7b file to the hard disk on your server. If you open this .p7b file, the chain will have the following two certificates:

    • <name of enterprise root CA> certificate
    • <name of enterprise subordinate CA> certificate

To install the CA certification path

  1. Click Start, and then click Run. In the Open box, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. In the Add/Remove Snap-in dialog box, click Add.

  4. In the list of Available Standalone Snap-ins, select Certificates.

  5. Click Add.

  6. Select Computer account, and then click Next.

  7. In the Select Computer dialog box, ensure that Local computer (the computer this console is running on) is selected, and then click Finish.

  8. Click Close, and then click OK.

  9. In the left pane of the Certificates console, expand Certificates (Local Computer).

  10. Expand Trusted Root Certification Authorities.

  11. Right-click Certificates, point to All Tasks, and then click Import.

  12. In the Import Wizard, click Next.

  13. Click Browse, and then go to the location where you saved the certificate chain. Select the .p7b file, and then click Open.

  14. Click Next.

  15. Accept the default value Place all certificates in the following store. Under Certificate store, ensure that Trusted Root Certification Authorities appears.

  16. Click Next.

  17. Click Finish.

Request and Install the MTLS Certificate

After you download and install the certificate chain, you are ready to request and install the MTLS certificate on the Communicator Web Access server.

To request the MTLS certificate

  1. On the server where you will install the certificate, open the Web browser. In the address bar, type https://<CA_FQDN>/certsrv, and then press ENTER.

  2. Click Request a Certificate.

  3. Click Advanced certificate request.

  4. Click Create and submit a request to this CA.

  5. In the Certificate Template list, select the Web Server template that you duplicated for the Office Communications Server 2007 R2 certificates.

  6. Under Identifying Information for Offline Template in the Name box, type the FQDN of the Communicator Web Access server.

  7. Ensure that the Mark keys as exportable check box is selected.

  8. In the Key Options area, select the Store certificate in the local computer certificate store check box.

  9. Click Submit.

  10. If a potential scripting violation warning appears, and you understand and accept the implications, click Yes (required to continue).

Now that you have requested the certificate, you can install it.

To install the MTLS certificate

  1. On the server where you will install Communicator Web Access, open the Web browser. In the address bar, type https://<CA_FQDN>/certsrv, and then press ENTER.

  2. Click Install this certificate.

  3. If a potential scripting violation warning appears, and you understand and accept the implications, click Yes.

  4. Click Start, and then click Run. In the Open box, type mmc, and then click OK.

  5. On the File menu, click Add/Remove Snap-in.

  6. In the Add/Remove Snap-in dialog box, click Add.

  7. In the list of Available Standalone Snap-ins, click Certificates.

  8. Click Add.

  9. Click Computer account, and then click Next.

  10. In the Select Computer dialog box, ensure that Local computer (the computer this console is running on) is selected, and then click Finish.

  11. Click Close, and then click OK.

  12. In the left pane of the Certificates console, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.

  13. Confirm that the certificate that you just requested and installed is located in this folder. If it is not, copy it from the Certificates folder under the Personal folder node, just above.

Request and Install the SSL Certificate

The procedures for requesting and installing the SSL certificate are similar to the procedures for creating the MTLS certificate. An SSL certificate from a trusted CA must be installed on the following computers:

  • all Communicator Web Access virtual servers that are configured to use HTTP with Secure Sockets Layer (HTTPS)*
  • any load balancer that is associated with an array of Communicator Web Access servers and is also configured as an SSL accelerator to perform SSL decryption (required for load balancers for external virtual servers)
  • any reverse proxy that is used to publish a Communicator Web Access virtual server to the Web for external users

Note

*If Communicator Web Access server is configured to use HTTPS, all computers that use the Communicator Web Access client for desktop sharing are required to download and install the certificate chain for the CA that issued the Communicator Web Access SSL certificate.

Note

If you have deployed a reverse proxy that uses a different URL on its external and internal interfaces, a separate SSL certificate is required for each interface. On the external interface of the reverse proxy, use a certificate with the FQDN of the reverse proxy as the subject name and, on the internal interface, use a certificate with the URL of the Communicator Web Access server as the subject name.

For detailed information about SSL certificate requirements for a reverse proxy and procedures to install an SSL certificate on the reverse proxy, see “Digital Certificates for ISA Server 2004” at https://go.microsoft.com/fwlink/?LinkID=124312.

To request the SSL certificate

  1. Log on to the computer as a member of the Administrators group.

  2. Open the Web browser. In the address bar, type https://<CA_FQDN>/certsrv, and then press ENTER.

  3. Click Request a Certificate.

  4. Click Advanced certificate request.

  5. Click Create and submit a request to this CA.

  6. In the Certificate Template list, select the Web Server template that you duplicated for the Office Communications Server 2007 certificates.

  7. Under Identifying Information for Offline Template in the Name box, type the URL of the Communicator Web Access virtual server.

  8. In the Attributes box, type im.<URL_of_the_virtualserver>, as.<URL_of_the_virtualserver>, download.<URL_of_the_virtualserver>, as specified in the DNS records that you created for your Communicator Web Access deployment.

    For more information about configuring a Subject Alternate Name, see the Microsoft Knowledge Base article “How to add a Subject Alternative Name to a secure LDAP certificate” at https://go.microsoft.com/fwlink/?LinkId=124340.

  9. Ensure that the Mark keys as exportable check box is selected.

  10. In the Key Options area, select the Store certificate in the local computer certificate store check box.

  11. Click Submit.

  12. If a potential scripting violation warning appears, and you understand and accept the implications, click Yes (required to continue).

Submit a Request to a Third-Party Certification Authority

You can submit a certificate request to a third-party certification authority (CA). However, the third-party CA must be able to process certificate requests in the Certificate Management protocol using CMS (Public Key Infrastructure) format.

To submit a request to a third-party CA

  1. Use the Certreq.exe command-line tool to create an offline certificate request file.

  2. Contact the third-party CA for information about how to submit a certificate request.
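The following added example (not part of the original documentation) shows how the SSL request described in "To request the SSL certificate" can be produced offline with Certreq.exe for submission to a third-party CA, with the same options the Web enrollment steps set: an exportable key stored in the local computer store and the im., as. and download. subject alternative names. It then checks that the issued certificate is in the computer's Personal store, is bound to its private key and carries every required name. The host name cwa.contoso.com is an assumed placeholder; replace it with the URL of your virtual server.

```powershell
# Added example; cwa.contoso.com is an assumed placeholder for the virtual server URL.
$Fqdn = 'cwa.contoso.com'

# Request definition for Certreq.exe: exportable key, local computer key set,
# Server Authentication EKU and the SAN entries required by the DNS records.
$Inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=im.$Fqdn&"
_continue_ = "dns=as.$Fqdn&"
_continue_ = "dns=download.$Fqdn"
"@
Set-Content -Path .\cwa-ssl.inf -Value $Inf

# Create the PKCS#10 request; the private key is generated in the local computer store.
certreq.exe -new .\cwa-ssl.inf .\cwa-ssl.req

# Submit cwa-ssl.req as the third-party CA instructs and save its reply as cwa-ssl.cer,
# then bind the issued certificate to the pending request and private key.
certreq.exe -accept .\cwa-ssl.cer

# Verify the result before configuring the virtual server: Personal store of the
# computer account, private key present, and all four DNS names in the SAN extension.
$Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate for CN=$Fqdn in the local computer Personal store." }
if (-not $Cert.HasPrivateKey) { Write-Warning 'Issued certificate is not bound to its private key.' }
$San = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
foreach ($Name in @($Fqdn, "im.$Fqdn", "as.$Fqdn", "download.$Fqdn")) {
    if ($San -notlike "*DNS Name=$Name*") { Write-Warning "Missing SAN entry: $Name" }
}
```

Run the script in an elevated PowerShell session on the server that will host the virtual server, because the key set is created in the computer account's store.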