A single, shared certificate configured on the internal interface is used by the Access Edge, Web Conferencing, and A/V Edge server roles. The certificate must have a subject name that matches the internal FQDN of the server.
Tasks
- Download the CA Certification Path for the Internal Interface
- Import the CA Certification Path for the Internal Interface
- Verify That Your CA is in the List of Trusted Root CAs
- Create the Certificate Request for the Internal Interface
- Assign the Certificate for the Internal Interface
Download the CA Certification Path for the Internal Interface
Procedure W03-DWHO.37: To download the CA certification path for the internal interface
- Log on to OCSEDGEAV01 using the local Administrator account.
- Start Microsoft Internet Explorer and browse to http://pkiroot/certsrv. Enter the credentials for Fabrikam\Administrator.
- Under Select a task, select Download a CA certificate, certificate chain, or CRL, and then select Download CA certificate chain.
- Download and save the p7b file to the hard disk on the server.
Import the CA Certification Path for the Internal Interface
Procedure W03-DWHO.38: To import the CA certification path for the internal interface
- On OCSEDGEAV01, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
- On the Available Certificate Tasks page, select Import a certificate chain from a .p7b file.
- On the Import Certificate Chain page, type or browse to the full path and name of the .p7b file.
Verify That Your CA is in the List of Trusted Root CAs
Procedure W03-DWHO.39: To verify that your CA is in the list of trusted root CAs
- On OCSEDGEAV01, open the Microsoft Management Console (MMC) by running mmc.exe at a command prompt.
- On the File menu, select Add/Remove Snap-in.
- Add a certificate snap-in to manage certificates for the local computer (the computer this console is running on).
- In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
- In the details pane, verify that your CA (for example, FabrikamCA) is on the list of trusted CAs.
Create the Certificate Request for the Internal Interface
Procedure W03-DWHO.40: To create the certificate request for the internal interface
- On OCSEDGEAV01, from the Office Communications Server 2007 deployment wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
- On the Available Certificate Tasks page, select Create a new certificate.
- On the Select the Component for Which the Certificate Is Requested page, select only the Edge Server Private Interface check box.
- On the Delayed or Immediate Request page, select the Send the request immediately to an online certification authority check box.
- On the Name and Security Settings page, set the following information:
  - Name: OCSEDGEAV01.
  - Bit length: The bit length that you want to use for encryption. 1024 is recommended.
  - Ensure that the Mark cert as exportable check box is selected.
- On the Organization Information page, type or select the name of your organization (for example, Fabrikam) and organizational unit (for example, Hosting).
- On the Your Server's Subject Name page, do the following:
  - In Subject Name, verify that the server FQDN is displayed (for example, ocsedgeav01.fabrikam.com).
  - For this reference architecture, leave the Subject Alternate Name field blank.
- On the Geographical Information page, enter the Country/Region, State/Province and City/Locality. Do not use abbreviations.
- On the Choose a Certification Authority page, select specify the certificate authority that will be used to request this certificate, and then enter pkiroot.fabrikam.com\FabrikamCA.
- Enter the credentials for Fabrikam\administrator.
- Complete the Certificate Wizard. On the Certificates Wizard completed successfully page, click View and verify the certificate settings.
Assign the Certificate for the Internal Interface
Procedure W03-DWHO.41: To assign the certificate for the internal interface
- On OCSEDGEAV01, from the Office Communications Server 2007 deployment wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
- On the Available Certificate Tasks page, select Assign an Existing Certificate.
- On the Available Certificates page, select the internal certificate for the edge server (for example, ocsedgeav01.fabrikam.com).
- On the Available Certificate Assignments page, select Edge Server Private.
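The checks these procedures rely on (the CA is in the Trusted Root store, the subject name matches the internal FQDN, a private key is present, and the chain ends at your CA) can also be scripted. The following is an added example, not part of the original guide; it assumes Windows PowerShell 2.0 or later is available on the Edge server and uses this page's example names ocsedgeav01.fabrikam.com and FabrikamCA as defaults.

```powershell
# Added example, not from the original guide. Assumes Windows PowerShell 2.0 or
# later on the Edge server; the defaults are the example names used on this page.
param(
    [string]$InternalFqdn = 'ocsedgeav01.fabrikam.com',
    [string]$CaName       = 'FabrikamCA'
)

# 1. The CA must be listed under Trusted Root Certification Authorities (Local Computer).
$caPattern = 'CN=' + [regex]::Escape($CaName) + '(,|$)'
$roots = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match $caPattern })
if ($roots.Count -eq 0) {
    Write-Warning "CA '$CaName' was not found in the Trusted Root store."
}

# 2. Look in the computer's Personal store for certificates whose subject name
#    is the internal FQDN of the server.
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo($simpleName, $false) -eq $InternalFqdn })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate with subject name '$InternalFqdn' was found."
}

foreach ($cert in $certs) {
    # 3. Build the chain in the machine context and take its last element (the root).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chainOk = $chain.Build($cert)
    $rootSubject = $null
    if ($chain.ChainElements.Count -gt 0) {
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # 4. Report the certificate's properties and the chain result.
    New-Object PSObject -Property @{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        Issuer           = $cert.Issuer
        NotAfter         = $cert.NotAfter
        KeyBits          = $cert.PublicKey.Key.KeySize
        HasPrivateKey    = $cert.HasPrivateKey
        ChainBuilds      = $chainOk
        ChainRoot        = $rootSubject
        RootIsExpectedCa = ($rootSubject -match $caPattern)
        ChainStatus      = $status
    }
}
```

A certificate that is ready to assign reports HasPrivateKey, ChainBuilds and RootIsExpectedCa as True with an empty ChainStatus.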