Walkthrough: Configure Certificates

Topic Last Modified: 2009-07-11

For the purposes of this walkthrough, we use the internal certification authority (CA) to issue the certificates for the Standard Edition server, Communicator Web Access, and the internal interface of the Edge Server. Each of these servers must also have the CA's root certificate installed in the computer account's Trusted Root Certification Authorities store; without it the issued certificates do not chain to a trusted root, and TLS connections between the servers fail validation.

To configure a new certificate

  1. Log on to the server for which you want to configure a certificate with an account that is a member of the Administrators and the RTCUniversalServerAdmins group and has permissions to request a certificate from your certification authority (CA).
  2. Insert the Microsoft Office Communications Server 2007 R2 CD, and then click Standard Edition.
  3. If you are installing from a network share, browse to the \setup\amd64\ folder on the network share, and then double-click setupSE.exe.
  4. In the deployment tool, click Deploy Standard Edition Server.
  5. At Configure Certificate, click Run.
  6. On the Welcome to the Certificate Wizard page, click Next.
  7. On the Available Certificates tasks page, click Create a new certificate, and then click Next.
  8. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
  9. On the Name and Security Settings page, do the following:
    • Under Name, type a meaningful name for the certificate that this server will use for Office Communications Server communications.

    • Under Bit length, select the bit length that you want to use for encryption.

      Note

      A higher bit length gives a stronger key, but it increases the CPU cost of every TLS handshake the server performs.

    • Clear the Mark cert as exportable check box, so that the private key stays bound to this computer and cannot be copied out of the certificate store later.

  10. Click Next.
  11. On the Organization Information page, type or select the name of your organization and organizational unit, and then click Next.
  12. On the Your Servers Subject Name page, do the following:
    • In Subject name, verify that the pool fully qualified domain name (FQDN) is displayed.

    • In Subject Alternate Name, verify that the required entries exist. Optionally, click Subject Alternate Name, and then type any alternate names that identify the pool during authentication.

      Note

      Subject alternative names (SANs) are required on the server certificate for each supported Session Initiation Protocol (SIP) domain, in the format sip.<domain>, if all of the following are true:

      • Your organization supports multiple SIP domains.
      • Clients are using automatic configuration.
      • This pool is used to authenticate and redirect client sign-in, or this is the first Standard Edition server to which clients connect.

      If you selected the option to configure clients for automatic sign-in, the certificate wizard automatically adds these sip.<domain> entries to the certificate request.

    • To include the local computer name in the list of alternate names that identify the pool during authentication, select the Automatically add local machine name to the Subject Alt Name check box.
  13. Click Next.
  14. On the Geographical Information page, enter the Country/Region, State/Province and City/Locality (do not use abbreviations), and then click Next.
  15. On the Choose a Certification Authority page, the wizard attempts to automatically detect any CAs that are published in Active Directory Domain Services (AD DS). Do one of the following:
    • Click Select a certificate authority from the list detected in your environment, and then click your CA in the list.
    • Click Specify the certificate authority that will be used to request this certificate, and then type the name of your CA in the box, using the format <FQDN of CA>\<CA instance>. For example, CA.litwareinc.com\CAserver1. If you type an external CA name, a dialog box appears. Type the user name and password for the external CA, and then click OK.
  16. Click Next.
  17. On the Request Summary page, review the settings that you specified, and then click Next.
  18. On the Assign Certificate Task page, click Assign certificate immediately, and then click Next.
  19. On the Configure the Certificate(s) of Your Server page, click Next.
  20. Click Finish.
  21. Because the request was sent to an online CA in step 8, there is no request file to submit. If your CA is configured to issue automatically, the certificate is issued and assigned by the preceding steps, and you can proceed to the next procedure. If your CA requires CA administrator approval, the request stays pending on the issuing CA; the CA administrator must approve (or deny) it there before you can return to the Certificate Wizard and assign the issued certificate.

Because we are using an internal CA, the certificate is assigned immediately. The next task is to configure the Web Components certificate.

Repeat the process to request a certificate for the Web Components. The subject name and SAN entries differ from the pool certificate: use a friendly name that clearly identifies the certificate as the Web Components certificate, use the FQDN ocsse1.litwareinc.com as the subject name, and add the Web Components DNS name ocs.litwareinc.com as a SAN entry. On the Assign Certificate Task page, do not assign the certificate immediately. After the certificate is issued, assign it to the Web Components Server by using the procedure in Walkthrough: Assign the certificate to the Web Components Server using IIS Manager.
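The following PowerShell script is an added example; it is not part of the original walkthrough and is not Office Communications Server code. It checks, for both the pool certificate requested in the first procedure and the Web Components certificate requested in the second, that what landed in the computer's personal store matches what the wizard steps ask for: the expected subject name and SAN entries, a private key of adequate length that is not exportable, the Server Authentication usage, and a chain that ends at a root in the Trusted Root Certification Authorities store. The CA name CA.litwareinc.com\CAserver1, the subject ocsse1.litwareinc.com and the Web Components name ocs.litwareinc.com are taken from the page; using ocsse1.litwareinc.com as the pool FQDN, litwareinc.com as the SIP domain, and 2048 bits as the minimum key length are assumptions for this example. It needs PowerShell 2.0 or later in an elevated prompt, because reading machine private keys requires administrator rights.

```powershell
# Added example, not part of the original walkthrough or of Office Communications Server.
# Assumed values: ocsse1.litwareinc.com as the pool FQDN, litwareinc.com as the SIP domain,
# 2048 bits as the minimum key length. CA.litwareinc.com\CAserver1 and ocs.litwareinc.com
# come from the page. Run in an elevated PowerShell 2.0 (or later) prompt on the server.

# Before running the wizard, confirm the CA named in step 15 answers from this server.
certutil -config "CA.litwareinc.com\CAserver1" -ping

function Test-OcsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ExpectedSubjectFqdn,
        [string[]]$ExpectedSans = @(),
        [int]$MinKeyBits = 2048
    )
    $results = @()
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # Only certificates whose subject CN is the expected FQDN and which carry a private key.
        # The pool and Web Components certificates share a CN, so each candidate is reported.
        $candidates = @($store.Certificates | Where-Object {
            $_.HasPrivateKey -and
            $_.Subject -match ("(^|, ?)CN=" + [regex]::Escape($ExpectedSubjectFqdn) + "(,|$)")
        })
    } finally { $store.Close() }

    if ($candidates.Count -eq 0) {
        return New-Object PSObject -Property @{
            Thumbprint = $null; Subject = $ExpectedSubjectFqdn; Sans = @(); Ok = $false
            Problems = @("no certificate with a private key for CN=$ExpectedSubjectFqdn in LocalMachine\My")
        }
    }

    foreach ($cert in $candidates) {
        $problems = @()

        # Step 9, Bit length: reject keys shorter than the assumed minimum.
        $keyBits = $cert.PublicKey.Key.KeySize
        if ($keyBits -lt $MinKeyBits) { $problems += "key is $keyBits bits, expected at least $MinKeyBits" }

        # Step 9, Mark cert as exportable was cleared: the CSP key container must not be exportable.
        $csp = $null
        if ($cert.PrivateKey) { $csp = $cert.PrivateKey.CspKeyContainerInfo }
        if ($csp -and $csp.Exportable) { $problems += "private key is exportable" }

        # Step 12, Subject Alternative Name (OID 2.5.29.17). Format($true) prints one
        # "DNS Name=<host>" line per dNSName entry; collect those names.
        $sanNames = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        if ($sanExt) {
            $sanNames = @($sanExt.Format($true) -split "`r?`n" |
                Where-Object { $_ -match '^\s*DNS Name=' } |
                ForEach-Object { ($_ -replace '^\s*DNS Name=', '').Trim() })
        }
        foreach ($san in $ExpectedSans) {
            if ($sanNames -notcontains $san) { $problems += "missing SAN entry $san" }
        }

        # The TLS listeners need the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })) {
            $problems += "no Server Authentication EKU"
        }

        # The chain must end at a root in the computer's Trusted Root store and pass revocation checking.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        if (-not $chain.Build($cert)) {
            $problems += @($chain.ChainStatus | ForEach-Object { "chain: " + $_.StatusInformation.Trim() })
        }

        $results += New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; Sans = $sanNames
            Ok = ($problems.Count -eq 0); Problems = $problems
        }
    }
    return $results
}

# Pool certificate from the first procedure: the sip.<domain> SAN is what automatic sign-in relies on.
Test-OcsCertificate -ExpectedSubjectFqdn "ocsse1.litwareinc.com" `
    -ExpectedSans @("ocsse1.litwareinc.com", "sip.litwareinc.com") | Format-List Thumbprint, Ok, Problems

# Web Components certificate from the second procedure.
Test-OcsCertificate -ExpectedSubjectFqdn "ocsse1.litwareinc.com" `
    -ExpectedSans @("ocs.litwareinc.com") | Format-List Thumbprint, Ok, Problems
```

Because both certificates carry the same subject CN, each call reports every matching certificate; the one with Ok set to True for the given SAN list is the one to assign. A chain failure reported here before any service is restarted usually means the CA's root certificate has not yet been placed in the computer's Trusted Root Certification Authorities store, which is the prerequisite stated at the top of this walkthrough.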