Appendix B: Sample Certificate

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

The CSR (certificate signing request) generated by the Communications Certificate Wizard that you use to request your certificate varies, depending on the CA you choose. In general it contains the information shown in the following figures. For a list of public certificate authorities that provide certificates that meet specific requirements for Unified Communications certificates and have partnered with Microsoft to ensure they work with the Office Communications Server Certificate Wizard, see the Microsoft Web site at https://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=SupportedCAs.

Sample Certificate Requests

Certificate request for a Single Access Edge Server (Exportable=FALSE)

[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject= "CN=server1.contoso.com;OU=LCS;O=Contoso;L=Redmond;S=Washington;C=US"
KeySpec = 1
KeyLength = 1024
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

Certificate request for an array of Access Edge Servers (Exportable=TRUE)

[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject= "CN=server1.contoso.com;OU=LCS;O=Contoso;L=Redmond;S=Washington;C=US"
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

Note

The subject line in the PolicyFileIn.Inf file must contain the following information:
Subject="CN=FQDN of your Access Edge Server or Array;OU=ProjectName;O=CompanyName;L=City;S=fullNameofState;C=two-letter country/region abbreviation"
Most public CAs require strict compliance with the above information.
Examples:
CN=AP1.fabrikam.com;OU=LCS;O=Fabrikam;L=Eugene;S=Oregon;C=US
CN=AParry.marketing.proseware.com;OU=LCS;O=Proseware;L=Portland;S=Maine;C=US

Table 41 Fields in PolicyFileIn.inf

| Field | Notes |
| --- | --- |
| Signature="$Windows NT$" | |
| Subject="CN=FQDN;OU=Organizational unit;O=Company;L=city;S=state;C=country/region" | CN: The fully qualified domain name of your Access Edge Server or Access Edge Server array (the server or array on which you are installing the certificate). OU: Some division or department. O: Company name. L: City. S: Full state or province name (no abbreviations are accepted). C: Two-letter country/region code. |
| KeySpec = 1 | Indicates both encryption and signing (standard TLS requirement) |
| KeyLength = 1024 | Must be a power of 2 between 1024 and 4096, inclusive |
| Exportable = FALSE (single Access Edge Server); Exportable = TRUE (array of Access Edge Servers) | FALSE for a single Access Edge Server; TRUE for an array of Access Edge Servers |
| MachineKeySet = TRUE | Specifies that the certificate will be put into the local computer store |
| SMIME = FALSE | |
| PrivateKeyArchive = FALSE | |
| UserProtected = FALSE | This field must be set to FALSE; otherwise, RTCSRV will not be able to use it |
| UseExistingKeySet = FALSE | This field must be set to FALSE to generate a new private key |
| ProviderName = "Microsoft RSA Schannel Cryptographic Provider" | SCHANNEL (Windows TLS provider) requirement |
| ProviderType = 12 | SCHANNEL (Windows TLS provider) requirement |
| RequestType = PKCS10 | Can be PKCS10 or PKCS7. Almost all CAs accept PKCS10, so you should leave the request type as PKCS10 |
| KeyUsage = 0xa0 | Similar to the KeySpec field. This value indicates that this certificate can be used for both encryption and signing |
| OID=1.3.6.1.5.5.7.3.1 | Enhanced key usage for server authorization |
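
A lint for the fields in Table 41, as an added example that is not part of the original documentation: it parses a PolicyFileIn.inf with Python's configparser and reports values that break the requirements listed above. The function name, the sample file and the 2048-bit warning are assumptions of this example; the warning reflects the current public-CA minimum for RSA keys, which is stricter than the 1024 shown on this page.

```python
import configparser

# Constructed sample with three deliberate mistakes: S=WA, KeyLength 1536, UserProtected TRUE.
SAMPLE_INF = '''[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject= "CN=server1.contoso.com;OU=LCS;O=Contoso;L=Redmond;S=WA;C=US"
KeySpec = 1
KeyLength = 1536
MachineKeySet = TRUE
UserProtected = TRUE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
'''

# Fixed values taken from Table 41 (configparser lower-cases the key names).
REQUIRED = {"keyspec": "1", "machinekeyset": "TRUE", "userprotected": "FALSE",
            "useexistingkeyset": "FALSE", "providertype": "12", "keyusage": "0xa0",
            "providername": "Microsoft RSA Schannel Cryptographic Provider"}

def lint_policy_inf(text):
    """Return a list of findings for a PolicyFileIn.inf request file (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    req = {k: v.strip().strip('"') for k, v in cp["NewRequest"].items()}
    findings = []
    for key, want in REQUIRED.items():
        if req.get(key, "").lower() != want.lower():
            findings.append(f"{key}: expected {want}, got {req.get(key)!r}")
    # Subject must carry all six parts; S is a full name, C is a two-letter code.
    rdns = dict(p.strip().split("=", 1) for p in req.get("subject", "").split(";") if "=" in p)
    for name in ("CN", "OU", "O", "L", "S", "C"):
        if not rdns.get(name, "").strip():
            findings.append(f"subject: missing {name}")
    if len(rdns.get("S", "xxx")) <= 2:
        findings.append("subject: S must be the full state or province name")
    if "C" in rdns and not (len(rdns["C"]) == 2 and rdns["C"].isalpha()):
        findings.append("subject: C must be a two-letter code")
    bits = int(req.get("keylength", "0"))
    if bits not in (1024, 2048, 4096):
        findings.append("keylength: must be a power of 2 between 1024 and 4096")
    elif bits < 2048:  # added caveat, not a Table 41 rule
        findings.append("keylength: 1024-bit RSA is below current public-CA minimums")
    if cp.get("EnhancedKeyUsageExtension", "oid", fallback="") != "1.3.6.1.5.5.7.3.1":
        findings.append("eku: OID 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth) missing")
    return findings
```

Running `lint_policy_inf(SAMPLE_INF)` returns three findings, one for each planted mistake; the page's own sample requests pass every Table 41 check and draw only the key-length warning.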