Create a New Certificate

Topic Last Modified: 2009-01-25

This topic describes how to configure a new certificate for an Office Communications Server 2007 R2 server.

To configure a new certificate

  1. Log on to the server for which you want to configure a certificate with an account that is a member of the Administrators and RTCUniversalServerAdmins groups and has permissions to request a certificate from your certification authority (CA).

  2. Do one of the following:

    • Insert the Microsoft Office Communications Server 2007 R2 CD, and then click one of the following:
      • Enterprise Edition
      • Standard Edition
    • If you are installing from a network share, browse to the \setup\amd64\ folder on the network share, and then double-click one of the following:
      • setupEE.exe
      • setupSE.exe
  3. In the deployment tool, do one of the following:

    • Click Deploy Pools in a Consolidated Topology.
    • Click Deploy Standard Edition Server.
  4. At Configure Certificate, click Run.

  5. On the Welcome to the Certificate Wizard page, click Next.

  6. On the Available certificates tasks page, click Create a new certificate, and then click Next.

  7. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.

  8. On the Name and Security Settings page, do the following:

    • Under Name, type a meaningful name for the certificate that this server will use for Office Communications Server communications.

    • Under Bit length, select the bit length that you want to use for encryption.

      Note

      A higher bit length is more secure, but it can degrade performance.

    • Clear the Mark cert as exportable check box.

  9. Click Next.

  10. On the Organization Information page, type or select the name of your organization and organizational unit, and then click Next.

  11. On the Your Server’s Subject Name page, do the following:

    • In Subject name, verify that the pool fully qualified domain name (FQDN) is displayed.

    • In Subject Alternate Name, verify that the required entries exist. Optionally, click Subject Alternate Name, and then type any alternate names that identify the pool during authentication.

      Note

      Subject alternate names (SANs) are required on your server for each supported Session Initiation Protocol (SIP) domain in the format sip.<domain> if all of the following are true:

      • Your organization supports multiple SIP domains.
      • Clients are using automatic configuration.
      • This pool is used to authenticate and redirect client sign in or this is the first Standard Edition server to which clients connect.
      If you selected the option to configure clients for automatic sign-in, or selected the Enterprise Edition server option to configure this pool to redirect sign-in requests, when you ran the Configure Pool Wizard, the certificate wizard automatically adds these SIP domains to the certificate request.
    • To include the local computer name on the list of alternate names that identify the pool during authentication, select the Automatically add local machine name to the Subject Alt Name check box.

  12. Click Next.

  13. On the Geographical Information page, enter the Country/Region, State/Province, and City/Locality (do not use abbreviations), and then click Next.

  14. On the Choose a Certification Authority page, the wizard attempts to automatically detect any CAs that are published in Active Directory Domain Services (AD DS). Do one of the following:

    • Click Select a certificate authority from the list detected in your environment, and then click your CA in the list.
    • Click Specify the certificate authority that will be used to request this certificate, and then type the name of your CA in the box, using the format <FQDN of CA>\<CA instance>. For example, CA.contoso.com\CAserver1. If you type an external CA name, a dialog box appears. Type the user name and password for the external CA, and then click OK.
  15. Click Next.

  16. On the Request Summary page, review the settings that you specified, and then click Next.

  17. On the Assign Certificate Task page, click Assign certificate immediately, and then click Next.

  18. On the Configure the Certificate(s) of Your Server page, click Next.

  19. Click Finish.

  20. Submit this file to your CA (by e-mail or other method supported by your organization for your Enterprise CA). If your CA is configured for automatic approval, proceed to the next procedure. If your CA requires CA administrator approval to issue a certificate, the administrator must manually approve or deny the certificate issuance request on the issuing CA before you can assign it.
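After the certificate has been issued and assigned, an administrator will usually want to confirm that what ended up in the local computer store actually matches the settings chosen in the wizard: the subject is the pool FQDN, a sip.<domain> subject alternate name exists for every supported SIP domain, the private key is present but not exportable, and the key length is adequate. The following PowerShell script is an added example written for this page; it is not part of the original topic or of the Office Communications Server product. The pool FQDN, the SIP domain list, and the 2048-bit minimum are assumed values to be replaced with your own, and the SAN text parsing assumes the English-language "DNS Name=" formatting that Windows uses when rendering the extension.

```powershell
# Added example (not from the original topic): verify the certificate assigned
# to this server against the requirements described in the procedure above.
param(
    [string]$PoolFqdn = "pool01.contoso.com",                  # assumed value
    [string[]]$SipDomains = @("contoso.com", "fabrikam.com"),   # assumed values
    [int]$MinimumKeyLength = 2048                               # assumed policy
)

# Pick the newest certificate in the computer's Personal store whose subject CN
# is the pool FQDN (the value the wizard shows on the Subject Name page).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($PoolFqdn))(,|$)" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Error "No certificate with CN=$PoolFqdn found in Cert:\LocalMachine\My"
    exit 1
}

# Subject Alternative Name is extension OID 2.5.29.17. Format($false) renders it
# as "DNS Name=host1, DNS Name=host2" on an English Windows system (assumption).
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { "" }
$sanNames = @()
foreach ($m in [regex]::Matches($sanText, "DNS Name=([^,\s]+)")) {
    $sanNames += $m.Groups[1].Value.ToLower()
}

$problems = @()

# One sip.<domain> SAN per supported SIP domain, as the note in step 11 requires.
foreach ($domain in $SipDomains) {
    $expected = ("sip." + $domain).ToLower()
    if ($sanNames -notcontains $expected) {
        $problems += "SAN is missing $expected"
    }
}

# Bit length chosen on the Name and Security Settings page.
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt $MinimumKeyLength) {
    $problems += "Key length $keySize is below the $MinimumKeyLength-bit minimum"
}

# The private key must exist on this machine, and step 8 says to leave
# "Mark cert as exportable" cleared. CspKeyContainerInfo is available for
# CAPI (RSACryptoServiceProvider) keys; CNG keys expose PrivateKey as $null
# on older .NET versions, so that case is reported rather than assumed.
if (-not $cert.HasPrivateKey) {
    $problems += "No private key is associated with the certificate"
} elseif ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
    $problems += "Private key is marked exportable"
} elseif (-not $cert.PrivateKey) {
    Write-Warning "Private key present but not inspectable through CAPI; verify exportability with certutil"
}

# Expiry is not part of the wizard, but it is the check most often forgotten.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Certificate expires on $($cert.NotAfter)"
}

if ($problems.Count -eq 0) {
    "OK: certificate $($cert.Thumbprint) satisfies all checks"
} else {
    $problems | ForEach-Object { "FAIL: $_" }
    exit 2
}
```

Run the script in an elevated PowerShell session on the pool server (the Personal store of the local computer is not readable by a standard user). A non-zero exit code on any failure makes it easy to drop into a post-deployment checklist or a scheduled health check.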