Set Up Certificates for A/V Authentication

Topic Last Modified: 2009-01-22

After configuring the edge certificates for the external and internal interfaces, you are ready to set up the A/V authentication certificates on Edge Servers. The private key of the A/V authentication certificate is used to generate authentication credentials. As a security precaution, you should not use the same certificate for A/V authentication that you use for the internal interface of the Edge Server.

If multiple servers are deployed in a load balanced array, the same A/V authentication certificate must be installed on each Edge Server. This means that the certificate must be from the same issuer and use the same private key.

To set up A/V authentication certificates, use the procedures in this section to do the following:

  • Step 1: Create the A/V certificate request on the Edge Server.

  • Step 2: Import the certificate on the first Edge Server.

  • Step 3: Export the certificate.

  • Step 4: Import the certificate on the other Edge Servers.

  • Step 5: Assign the certificate to each Edge Server.

    Note

    The steps of these procedures are based on using a Windows Server 2003 Enterprise certification authority (CA) or a Windows Server 2003 R2 Enterprise CA and using the same certification path that you used in Set Up Certificates for the Internal Interface. If you are not using the same certification path, you need to download the certification path, install it, and verify that it is in the list of trusted root CAs, as covered in the internal interface procedure. For step-by-step guidance for using any other CA, consult the documentation of the CA.

To create the A/V authentication certificate request for Edge Servers

  1. On the Edge Server, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.

    Note

    If you have multiple Edge Servers in one location in an array, you can run the Communications Certificate Wizard on any one of the Edge Servers.

  2. In the Communications Certificate Wizard, on the Welcome page, click Next.

  3. On the Available Certificate Tasks page, click Create a new certificate, and then click Next.

  4. On the Select the Component for Which Certificate Is Requested page, select A/V Authentication Certificate.

  5. On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box, and then click Next.

  6. On the Name and Security Settings page, type a friendly name for the certificate, specify the bit length (typically, the default of 1024), select the Mark the certificate as exportable check box, and then click Next.

  7. On the Organization Information page, type the name for the organization and the organizational unit (such as a division or department, if appropriate), and then click Next.

  8. On the Your Server's Subject Name page, in Subject name, type or select the subject name of the A/V Edge service on the Edge Server.

    Note

    The subject name should match the fully qualified domain name (FQDN) of the A/V Edge Service published by the external firewall, or the FQDN of the VIP used by the A/V Edge Service array on the external load balancer (that is, if the Edge Servers are load balanced).

  9. Click Next.

  10. On the Geographical Information page, type the location information, and then click Next.

  11. On the Certificate Request File Name page, type the full path and file name to which the request is to be saved (or, click Browse to locate and select the file), and then click Next.

  12. On the Request Summary page, review the certificate information, and then click Next.

  13. On the Certificate Wizard completed page, verify successful completion, and then click Finish.

  14. After the wizard creates the request file, submit it to your Enterprise CA (for example, by e-mail or another method supported by your organization) and, when you receive the response file, copy the new certificate to a location that is accessible by the Edge Server on which you requested the certificate.

To import the A/V authentication certificate on the first Edge Server

  1. On the Edge Server on which you created the certificate request, in the Deployment Wizard, in Deploy Other Server Roles, in Deploy Edge Server, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. In the Communications Certificate Wizard, on the Welcome page, click Next.

  3. On the Available certificate tasks page, click Process the pending request and import the certificate, and then click Next.

  4. On the Process a Pending Request page, type the full path and file name of the certificate that you requested for A/V authentication in the Path and file name box (or, click Browse to locate and select the file), and then click Next.

  5. On the wizard completion page, verify successful completion, and then click Finish.

To export the certificate for A/V authentication

  1. On the Edge Server on which you requested and imported the certificate, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. In Communications Certificate Wizard, on the Welcome page, click Next.

  3. On the Available Certificate Tasks page, click Export a certificate to a .pfx file, and then click Next.

  4. On the Available Certificates page, in Select a certificate, click the certificate that you imported to this Edge Server, and then click Next.

  5. On the Export Certificate page, in Path and file name, type the full path and file name to which you want to export the certificate (or, click Browse to locate and select the certificate), and then click Next.

  6. On the Export Certificate Password page, in Password, type the password that will be used to import the certificate on the other Edge Servers, and then click Next.

  7. On the wizard completion page, verify successful completion, and then click Finish.

  8. Copy the exported file to a location or media that is accessible by the other Edge Servers.
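Before copying the .pfx to the other Edge Servers, it is worth confirming that the file actually carries the private key, the subject name the external firewall or load balancer publishes, and the issuer the other servers already trust. The following script is an added example written for this page, not part of the original procedure or of the Communications Certificate Wizard. It assumes Windows PowerShell 2.0 or later and uses placeholder values for the export path, the A/V Edge FQDN and the CA name, which you replace with your own.

```powershell
# Added example, not from the original page: sanity-check the exported A/V
# authentication .pfx before copying it to the other Edge Servers.
# Assumes Windows PowerShell 2.0 or later; the path, FQDN and CA name below
# are placeholders (assumptions) for your own values.
param(
    [string]$PfxPath        = 'C:\Certs\AVAuth.pfx',   # assumed export path (step 5)
    [string]$ExpectedFqdn   = 'av.contoso.com',        # assumed A/V Edge external FQDN or array VIP FQDN
    [string]$ExpectedIssuer = 'Contoso Enterprise CA'  # assumed common name of the issuing CA
)

$password = Read-Host 'Password used when exporting the .pfx' -AsSecureString

# Load the file in memory only; DefaultKeySet does not add anything to the local store.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $password, $flags)

$now    = Get-Date
$checks = @()

# The A/V Edge service generates credentials with this key; a .pfx without it is useless.
$checks += New-Object PSObject -Property @{ Check = 'Private key present in file'; Pass = $cert.HasPrivateKey }

# Subject must match the FQDN published by the external firewall or load balancer.
$cnPattern = '(^|,\s*)CN=' + [regex]::Escape($ExpectedFqdn) + '(,|$)'
$checks += New-Object PSObject -Property @{ Check = "Subject CN is $ExpectedFqdn"; Pass = ($cert.Subject -match $cnPattern) }

# Every Edge Server must trust the same issuer (same certification path).
$issuerPattern = 'CN=' + [regex]::Escape($ExpectedIssuer)
$checks += New-Object PSObject -Property @{ Check = "Issued by $ExpectedIssuer"; Pass = ($cert.Issuer -match $issuerPattern) }

$checks += New-Object PSObject -Property @{ Check = 'Currently within validity period'; Pass = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now) }

# 1024 bits is the wizard default quoted in the request procedure; anything shorter is a mistake.
$keySize = $cert.PublicKey.Key.KeySize
$checks += New-Object PSObject -Property @{ Check = 'RSA key length at least 1024 bits'; Pass = ($keySize -ge 1024) }

foreach ($c in $checks) {
    $status = if ($c.Pass) { 'PASS' } else { 'FAIL' }
    "{0,-4} {1}" -f $status, $c.Check
}

# Record the thumbprint: after import, the certificate in every Edge Server's
# Personal store must show this same value, which proves it is the same key pair.
"Thumbprint: {0}" -f $cert.Thumbprint
"Key length: {0} bits, expires {1:yyyy-MM-dd}" -f $keySize, $cert.NotAfter

if ($checks | Where-Object { -not $_.Pass }) {
    Write-Warning 'Fix the failing checks before distributing this file to the other Edge Servers.'
    exit 1
}
```

Run it as `.\Test-AvAuthPfx.ps1 -PfxPath <your .pfx> -ExpectedFqdn <your A/V Edge FQDN>` on the first Edge Server. Keep the printed thumbprint; it is the value to compare against on every other server after the import.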

To import the certificate for A/V authentication on the other Edge Servers

  1. On each of the other Edge Servers, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. In the Communications Certificate Wizard, on the Welcome page, click Next.

  3. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.

  4. On the Import Certificate page, in Path and file name, type the full path and file name of the certificate that you exported from the first Edge Server (or, click Browse to locate and select the certificate), clear the Mark certificate as exportable check box, and then click Next.

  5. On the Import Certificate Password page, in Password, type the password that you typed when you exported the certificate from the first server, and then click Next.

  6. On the wizard completion page, verify successful completion, and then click Finish.

  7. Repeat this procedure for each Edge Server that will use the same certificate.

To assign the A/V authentication certificate on the Edge Servers

  1. On each Edge Server, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. In the Communications Certificate Wizard, on the Welcome page, click Next.

  3. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.

  4. On the Available Certificates page, select the certificate that you requested for the Edge Server (in the previous procedure), and then click Next.

  5. On the Available Certificate Assignments page, select the A/V Edge Server check box.

  6. On the Configure the Certificate Settings of Your Server page, review your settings, and then click Next.

  7. On the wizard completion page, click Finish.

  8. After assigning the certificate on each Edge Server, open the Certificates snap-in on each server, expand Certificates (Local Computer), expand Personal, click Certificates, and then verify in the details pane that the A/V authentication certificate is listed.

  9. If your deployment includes an array of Edge Servers, repeat this procedure for each Edge Server.
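Step 8 above checks only that a certificate is listed. In an array, the requirement stated at the top of the page is stronger: every Edge Server must hold the same certificate and private key, the certificate must chain to a trusted root on that server, and it must not be the certificate assigned to the internal interface. The following script is an added example for this page, not part of the original procedure or of Microsoft's tooling; run it elevated on each Edge Server. It assumes Windows PowerShell 2.0 or later, and the two thumbprints are placeholders that you replace with the value recorded from the first server and the thumbprint of your internal interface certificate.

```powershell
# Added example, not from the original page: run on each Edge Server after the
# assignment procedure to confirm that the A/V authentication certificate in
# Certificates (Local Computer)\Personal is the one exported from the first server.
# Assumes Windows PowerShell 2.0 or later, run elevated; thumbprints are placeholders.
param(
    # Thumbprint recorded from the first Edge Server or the exported .pfx (assumed value).
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000',
    # Thumbprint of the certificate assigned to the internal interface (assumed value);
    # the page states the A/V authentication certificate must not be the same one.
    [string]$InternalInterfaceThumbprint = '1111111111111111111111111111111111111111'
)

# Thumbprints pasted from the MMC often carry spaces; normalise before comparing.
$ExpectedThumbprint          = ($ExpectedThumbprint -replace '\s', '').ToUpper()
$InternalInterfaceThumbprint = ($InternalInterfaceThumbprint -replace '\s', '').ToUpper()

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$found = $store.Certificates.Find(
    [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
    $ExpectedThumbprint, $false)
$store.Close()

if ($found.Count -ne 1) {
    Write-Warning ("Certificate {0} is not in Certificates (Local Computer)\Personal on {1}; repeat the import procedure on this server." -f $ExpectedThumbprint, $env:COMPUTERNAME)
    exit 1
}
$cert = $found[0]

$results = @()
# Same thumbprint means same public key, and therefore the same key pair as the first server.
$results += New-Object PSObject -Property @{ Check = 'Same thumbprint as first Edge Server'; Pass = $true }
$results += New-Object PSObject -Property @{ Check = 'Private key present in store'; Pass = $cert.HasPrivateKey }
$results += New-Object PSObject -Property @{ Check = 'Distinct from internal interface certificate'; Pass = ($cert.Thumbprint -ne $InternalInterfaceThumbprint) }

# The issuing CA's certification path must be in the trusted root store on every Edge Server
# (the note at the top of the page); a failed chain build points at a missing or untrusted root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$results += New-Object PSObject -Property @{ Check = 'Chains to a trusted root CA'; Pass = $chainOk }
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("Chain status: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
}

# Informational: the import procedure clears "Mark certificate as exportable" on the other
# servers, so the key should be non-exportable everywhere except the first Edge Server.
try {
    $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
    "Private key exportable: {0}" -f $exportable
} catch {
    Write-Warning 'Could not read the private key container; run this script elevated.'
}

foreach ($r in $results) {
    $status = if ($r.Pass) { 'PASS' } else { 'FAIL' }
    "{0,-4} {1}" -f $status, $r.Check
}
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Running this on every member of the array, with the same `-ExpectedThumbprint`, gives a quick way to spot a server where the import was skipped, where a fresh request was generated instead of the shared .pfx, or where the certification path was never installed.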