Export (0) Print
Expand All

Set Up Certificates for the External Interface

Communications Server 2007 R2

Topic Last Modified: 2009-01-25

After setting up certificates for the internal interface, you are ready to set up the certificates for the external interface.

For a list of certificate requirements for the external interface of your Edge Servers, see Certificate Requirements for External User Access. For a list of public CAs that provide certificates that comply with specific requirements for unified communications certificates and have partnered with Microsoft to ensure they work with the Office Communications Server Certificate Wizard, see article Microsoft Knowledge Base 929395, “Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007,” at http://go.microsoft.com/fwlink/?LinkId=140898.

You must set up two certificates on the external interface of each Edge Server—one for the Access Edge service on that server, and one for the Web Conferencing Edge service. To do this, complete all of the procedures in this section:

  • Step 1: Create the certificate request for the external interface of the Edge Server.
  • Step 2: Submit the request to your public certification authority (CA).
  • Step 3: Import the certificate for the external interface of each Edge Server.
  • Step 4: Assign the certificate for the external interface of each Edge Server.
    Dd441368.note(en-us,office.13).gifNote:
    When you request a certificate from an External CA, the credentials provided must have rights to request a certificate from that CA. Each CA has a security policy that defines which credentials (that is, specific user and group names) are allowed to request, issue, manage, or read certificates.

  1. On the Edge Server, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. On the Welcome page of the Communications Certificate Wizard, click Next.

  3. On the Available tasks page, click Create a new certificate, and then click Next.

  4. On the Delayed or Immediate Request page, select the Prepare the request now, but send later check box, and then click Next.

  5. On the Name and Security Settings page, type a friendly name for the certificate, specify the bit length (typically, the default of 1024), verify that the Mark certificate as exportable check box is selected, and then click Next.

  6. On the Organization Information page, type the name for the organization and the organizational unit (for example, a division or department), and then click Next.

  7. On the Your Server's Subject Name page, type or select the subject name and subject alternate name of the Edge Server:

    • The subject name should match the fully qualified domain name (FQDN) of the server published by the external firewall for the external interface on which you are configuring the certificate. For the external interface of the Access Edge Server, this certificate subject name should be sip.<domain>.
    • If multiple Session Initiation Protocol (SIP) domain names exist and they do not appear in Subject alternate name, type the name of each additional SIP domain as sip.<domain>, separating names with a comma. Domains entered during configuration of the Access Edge Server are automatically added to this box.
    Dd441368.note(en-us,office.13).gifNote:
    For the subject alternate name, wildcard character naming is allowed. The wildcard character works for one domain level in the name. For example, if you type *.contoso.com as the Subject Alternate Name, names such as a.contoso.com and b.contoso.com would be validated, but a.a.contoso.com would not.
    Wildcard character naming is only supported for allowed and discovered partner domains, not for instant messaging (IM) provider federation.
  8. Click Next.

  9. On the Geographical Information page, type the location information, and then click Next.

  10. On the Certificate Request File Name page, type the full path and file name of the file to which the request is to be saved, and then click Next.

  11. On the Request Summary page, click Next.

  12. On the Certificate Wizard Completed page, verify successful completion, and then click Finish.

  13. Copy the output file to a location where you can submit it to the public CA.

  1. Open the output file.

  2. Copy and paste the contents of the Certificate Signing Request (CSR) into the appropriate text box beginning with:

             -----BEGIN NEW CERTIFICATE REQUEST-----
    

    And ending with:

             -----END NEW CERTIFICATE REQUEST
    
  3. If prompted, specify the following:

    • Microsoft as the server platform.
    • IIS as the version.
    • Web Server as the usage type.
    • PKCS7 as the response format.
  4. When the public CA has verified your information, you will receive an e-mail message containing text required for your certificate.

  5. Copy the text from the e-mail message and save the contents in a text file (.txt) on your local computer.

  6. Download the root CA chain of the public CA and install it on the local computer store of each Edge Server.

  1. Log on to the Edge Server as a member of the Administrators group.

  2. In the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.

  3. On the Welcome page of the Communications Certificate Wizard, click Next.

  4. On the Available certificate tasks page, click Process the pending request and import the certificate, and then click Next.

  5. Type the full path and file name of the certificate that you requested for the external interface of the Edge Server, and then click Next.

  6. Click Finish.

  7. Repeat this procedure for each Edge Server in your deployment that requires a certificate on the external interface.

  1. In Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. On the Welcome page of the Communications Certificate Wizard, click Next.

  3. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.

  4. On the Available Certificates page, select the certificate that you requested for the external interface of the Edge Server, and then click Next.

  5. On the Available certificate assignments page, select the external interface where you want to install the certificate, and then click Next.

  6. Review your settings, and then click Next to assign the certificates.

  7. On the wizard completion page, click Finish.

  8. Repeat this procedure for each Edge Server in your deployment that requires a certificate on the external interface.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft