Export (0) Print
Expand All

Begin and End Tags on Certificates: Gone in Communications Server 2007 R2?

Communications Server 2007 R2

Communications Server 2007 R2 provides a Certificate Wizard to ease the process of creating certificates. However, it appears that the certificate signing request (CSR) does not contain all the information necessary for some certification authorities (CAs). The purpose of this article is to create awareness and provide guidance for working around this issue.

Author: Rick Kingslan

Publication date: February 2010

Product version: Windows Server 2008, Office Communications Server 2007 R2

Communications Server 2007 R2 uses certificates to authenticate server-to-server communication and to encrypt client and server communication. To ease the process of creating the certificates that you need, Communications Server provides a Certificate Wizard. However, there have been verified reports that the certificate signing request (CSR) does not contain all of the information necessary for some certification authorities (CAs).

This article is for awareness only, and provides guidance for working around the issue as it exists today.

The certificate wizard is responsible for a lot of tasks that you perform when you create a certificate for a given server. It has to collect all of the information that will be assigned to defined attributes and it has to output the encoded CSR.

Usually, you need a CSR when your intent is to send the request off to a public CA or to submit to an offline CA. Otherwise, the certificate wizard can submit the request directly to an online CA. The problem that we are discussing is specifically related to an offline CSR generated with the certificate wizard included with Microsoft® Office Communications Server 2007 R2 on Windows Server® 2008. If you request the CSR and then view it, you will see something similar to the following in Figure 1.

Figure 1. Certificate signing request with missing tags

3b8fc43c-d7ab-4dfd-a9f3-a231e4eaca4b

However, there is something missing-the BEGIN and END tags that normally appear on the first and last line of the CSR as shown in Figure 2.

Figure 2. BEGIN and END tag lines

1d5a3d70-2b1f-4af3-98d4-e43a92ee1156

As a result of the BEGIN/END tags missing, some CAs may not accept the CSR.

noteNote:
Because LCSCmd and the Deployment Wizard, and thereby the Certificate Wizard, leverage the same underlying engines, LCSCmd exhibits the same problem and is not a remedy in this case.

The easiest fix for this particular problem is to append the BEGIN and END tags to the Certificate Wizard offline request file. This method requires a process to test the CSR before sending it to your CA, thereby reducing the likelihood of difficulty troubleshooting problems with certificate failures. Fortunately, there are sites where you can test your CSR to confirm that appending the BEGIN and END tags will work. The Web site, Check your CSR, is one of these sites and is available at http://www.spacereg.com/a.rpl?m=checkcsr.

One point of interest specific to this site over other sites that we tested for this article is that this site fails correctly by telling you that the data is incorrect, as shown in Figure 3. Other Web sites failed gracefully, or just assumed that you had forgotten the tags and added them for you, which is not very helpful in this case.

Figure 3. Error output from the CheckCSR application

5e883abb-585c-41b3-aa39-00e87ee7813c

But, if we are to take the same CSR output and append the BEGIN and END tags, the CheckCSR Web application outputs the following information shown in Figure 4.

Figure 4. Output from CheckCSR with BEGIN and END tags appended to encoded CSR

1626f4f1-2e0c-4c33-b337-6bc6a747770a

What this proves is that using our output CSR and appending the BEGIN and END tags does work.

Although the issue with the CSR output missing the BEGIN and END tags is annoying, it’s not detrimental. Fixing it is as simple as appending the missing tags back onto the CSR, and then sending the resulting combined data off to the CA. Of course, testing it to determine that it is valid first is a best practice.

To learn more, check out the following articles:

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft