Certificate Infrastructure Support
Topic Last Modified: 2009-05-07
Office Communications Server 2007 R2 requires a public key infrastructure (PKI) to support Transport Layer Security (TLS) and mutual TLS (MTLS) connections. By default, Office Communications Server 2007 R2 is configured to use TLS for client-to-server connections. MTLS is used for connections between servers.
MTLS certificates must be issued by trusted certification authorities (CAs) for both Communicator Web Access and Office Communications Server, but the issuing CA can be different for Communicator Web Access and Office Communications Server.
Certificates that are issued from the following types of CAs are supported for both Office Communications Server and Communicator Web Access:
- Certificates issued from an internal CA
  - Windows Server 2008 CA
  - Windows Server 2003 SP1 Enterprise CA (recommended)
  - Windows Server 2003 SP1 Standalone CA (supported, but not recommended)
- Certificates issued from a public CA
For a list of public CAs that have partnered with Microsoft to ensure that their certificates comply with the specific requirements of Office Communications Server, see Knowledge Base article 929395, “Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007,” at http://go.microsoft.com/fwlink/?LinkId=125763.
For details about specific certificate support and requirements, see Certificate Infrastructure Requirements in the Planning and Architecture documentation.
Note: Office Communications Server 2007 R2 supports RSA certificates with a length of up to 4,096 bits.
Certificates for servers running Office Communications Server must be configured with an enhanced key usage (EKU) extension for server authentication.
A Web server certificate is required for the MSN network of Internet services and for Yahoo!. For AOL, the certificate must also be configured for client authentication. For federation and public IM connectivity, a certificate that is issued by a public CA is required. Public IM connectivity requires an additional license.
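As an added example that is not part of the original page, the following Windows PowerShell function checks a certificate in the local computer store against the requirements described above: a server authentication EKU, a client authentication EKU when the AOL case applies, an RSA key of at most 4,096 bits, a private key, and a chain that builds to a CA the server trusts. It assumes Windows PowerShell 5.x on the server; the function name, parameter names and the use of the Cert: drive are my own choices, and the EKU OIDs are the standard ones from RFC 5280.

```powershell
# Added example (not Microsoft's own tooling): validate an OCS 2007 R2 certificate.
# Assumes Windows PowerShell 5.x with the Cert: provider on the server being checked.
function Test-OcsCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,  # thumbprint of a cert in Cert:\LocalMachine\My
        [switch]$RequireClientAuth                  # set for the AOL public IM connectivity case
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (standard EKU OID)
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (standard EKU OID)
    $rsaOid        = '1.2.840.113549.1.1.1' # rsaEncryption

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # Collect EKU OIDs from the enhanced key usage extension, if the certificate has one.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # Key type and size: the page states RSA keys up to 4,096 bits are supported.
    $isRsa   = $cert.PublicKey.Oid.Value -eq $rsaOid
    $keySize = if ($isRsa) { $cert.PublicKey.Key.KeySize } else { 0 }

    # The chain must build to a trusted CA (internal or public). Revocation checking is
    # disabled so the check runs offline; switch to Online when the CRL is reachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    $hasServerAuth = $ekuOids -contains $serverAuthOid
    $hasClientAuth = $ekuOids -contains $clientAuthOid
    [pscustomobject]@{
        Thumbprint        = $cert.Thumbprint
        Subject           = $cert.Subject
        HasPrivateKey     = $cert.HasPrivateKey
        ServerAuthEku     = $hasServerAuth
        ClientAuthEku     = $hasClientAuth
        RsaKeyWithinLimit = $isRsa -and ($keySize -le 4096)
        KeySize           = $keySize
        ChainTrusted      = $chainOk
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Pass              = $hasServerAuth -and
                            ((-not $RequireClientAuth) -or $hasClientAuth) -and
                            $isRsa -and ($keySize -le 4096) -and $chainOk -and $cert.HasPrivateKey
    }
}

# Usage: Test-OcsCertificate -Thumbprint '<thumbprint>' -RequireClientAuth
```

Run it once for the server certificate and once more with -RequireClientAuth if the server also handles the AOL connection; a False in ChainTrusted with a non-empty ChainStatus points at the CA trust problem to fix.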