Begin and End Tags on Certificates: Gone in Communications Server 2007 R2?
Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Communications Server 2007 R2 provides a Certificate Wizard to ease the process of creating certificates. However, it appears that the certificate signing request (CSR) does not contain all the information necessary for some certification authorities (CAs). The purpose of this article is to create awareness and provide guidance for working around this issue.
Author: Rick Kingslan
Publication date: February 2010
Product version: Windows Server 2008, Office Communications Server 2007 R2
Introduction
Communications Server 2007 R2 uses certificates to authenticate server-to-server communication and to encrypt client and server communication. To ease the process of creating the certificates that you need, Communications Server provides a Certificate Wizard. However, there have been verified reports that the certificate signing request (CSR) does not contain all of the information necessary for some certification authorities (CAs).
This article is for awareness only, and provides guidance for working around the issue as it exists today.
The Problem with the Certificate Wizard
The certificate wizard is responsible for a lot of tasks that you perform when you create a certificate for a given server. It has to collect all of the information that will be assigned to defined attributes and it has to output the encoded CSR.
Usually, you need a CSR when your intent is to send the request off to a public CA or to submit to an offline CA. Otherwise, the certificate wizard can submit the request directly to an online CA. The problem that we are discussing is specifically related to an offline CSR generated with the certificate wizard included with Microsoft® Office Communications Server 2007 R2 on Windows Server® 2008. If you request the CSR and then view it, you will see something similar to the following in Figure 1.
Figure 1. Certificate signing request with missing tags
.jpg "Certificate signing request with missing tags")
However, there is something missing-the BEGIN and END tags that normally appear on the first and last line of the CSR as shown in Figure 2.
Figure 2. BEGIN and END tag lines
.jpg "BEGIN and END tag lines")
As a result of the BEGIN/END tags missing, some CAs may not accept the CSR.
Note
Because LCSCmd and the Deployment Wizard, and thereby the Certificate Wizard, leverage the same underlying engines, LCSCmd exhibits the same problem and is not a remedy in this case.
Workaround
The easiest fix for this particular problem is to append the BEGIN and END tags to the Certificate Wizard offline request file. This method requires a process to test the CSR before sending it to your CA, thereby reducing the likelihood of difficulty troubleshooting problems with certificate failures. Fortunately, there are sites where you can test your CSR to confirm that appending the BEGIN and END tags will work. The Web site, Check your CSR, is one of these sites and is available at https://www.spacereg.com/a.rpl?m=checkcsr.
One point of interest specific to this site over other sites that we tested for this article is that this site fails correctly by telling you that the data is incorrect, as shown in Figure 3. Other Web sites failed gracefully, or just assumed that you had forgotten the tags and added them for you, which is not very helpful in this case.
Figure 3. Error output from the CheckCSR application
.jpg "Error output from the CheckCSR application")
But, if we are to take the same CSR output and append the BEGIN and END tags, the CheckCSR Web application outputs the following information shown in Figure 4.
Figure 4. Output from CheckCSR with BEGIN and END tags appended to encoded CSR
.jpg "Output from CheckCSR with BEGIN and END tags")
What this proves is that using our output CSR and appending the BEGIN and END tags does work.
Summary
Although the issue with the CSR output missing the BEGIN and END tags is annoying, it’s not detrimental. Fixing it is as simple as appending the missing tags back onto the CSR, and then sending the resulting combined data off to the CA. Of course, testing it to determine that it is valid first is a best practice.
Additional Information
To learn more, check out the following articles:
Create a New Certificate, https://go.microsoft.com/fwlink/?LinkId=179924
Process an Offline Certificate Request and Import the Certificate, https://go.microsoft.com/fwlink/?LinkId=179925
Office Communications Server 2007 and 2007 R2 Certificate Guide.doc on the Microsoft Office Communications Server 2007 R2 Documentation downloads page, https://go.microsoft.com/fwlink/?LinkId=163250
Office Communications Server Resources
Visit the Office Communications Server main page at https://go.microsoft.com/fwlink/?LinkId=132607.
View the complete Office Communications Server documentation library at https://go.microsoft.com/fwlink/?LinkId=132106.
Follow tweets from the Office Communications Server team at https://go.microsoft.com/fwlink/?LinkId=167909.
Download all the Office Communications Server content as a Word document at https://go.microsoft.com/fwlink/?LinkId=133609.
Download all the Office Communications Server content as a compiled help file at https://go.microsoft.com/fwlink/?LinkId=160355. (Make sure you scroll down to the Additional Information section to download OCSDocumentation.chm.)