Comments on: Communicator Web Access (CWA) requires Server 2003+ Enterprise Edition CA

By: Anthony

Anthony — Wed, 04 Nov 2009 23:20:20 +0000

Tom,

When you say SAN entries are supported, how can multiple SANS be entered? BTW, option 1 seemed to work great although it seems to completely cut out the Cert Authority server and just provides trust between the OCS FE and CWA server. Is that okay?

By: Trapper

Trapper — Wed, 28 Oct 2009 20:47:54 +0000

This worked great. But I think you could get the same results by requesting the cert via the OCS MMC on another server. Set a SAN if you're using something other than the FQDN for the CWA sitename and export/import the cert onto the CWA server.

By: Trapper

Trapper — Wed, 28 Oct 2009 20:43:43 +0000

I tried Tom's second option and it didn't work because I neglected to put in a SAN for the site's URL that we use internally. We had previously been working with one cert in IIS and a separate one for CWA, no SAN in either one. How this arrangement ever worked or why we used two certs originally escapes me. Tom, do you remember?

I called Microsoft and here's how they recommended I get a cert with a SAN from an internal 2003 Standard Edition CA: (To be clear, he didn't exactly 'recommend' this, I think the support engineer said something like "this might work" before I ran it.)

Run this in the command line on the CA:
certutil -setreg policyEditFlags +EDITF_AttributesubjectAltname2

Then I requested my cert from certsrv website, advanced request, server FQDN in name field, server auth cert type, marked key as exportable and store in local computer store, then in the attributes field I entered:

SAN:DNS=sitename.domain.local&DNS=server.domain.local

I added a friendly name, submitted, issued, then installed the cert via certsrv site.

By: Will

Will — Fri, 11 Sep 2009 20:38:01 +0000

I installed the Administrative Tools on the CWA server but could not find it. I used the Certificate Wizard on the Front End server. Thanks for your help.

By: Elan Shudnow

Elan Shudnow — Fri, 11 Sep 2009 18:01:43 +0000

OCS 2007 R1 or R2?

By: Will

Will — Fri, 11 Sep 2009 12:30:31 +0000

I believe you and I would like to do the same thing… I do not know where to launch the OCS Certificate Wizard from the OCS Admin Console. I can do it through the Deployment Wizard but I can't seem to find it in the Console.

By: Elan Shudnow

Elan Shudnow — Fri, 11 Sep 2009 00:46:00 +0000

I've been using the OCS Certificate Wizard on the FE ever since Tom made this post to create my CWA certificates. I've also used LCSCMD to do this. Both work fine.

By: Will

Will — Thu, 10 Sep 2009 21:06:03 +0000

How do you use the OCS admin console on your CWA box and issue a certificate using the OCS certificate wizard?

By: Elan Shudnow

Elan Shudnow — Sat, 09 Aug 2008 03:41:39 +0000

So I have a theory after looking at some stuff. The OCS documentation states that OCS requires the Web Server template to be available. Now the default template is named “Web Server.” But if you look at the detail of the certificate and look at the Certificate Template Name, it states “WebServer.” So because the names are different but it requires the Web Server, I think your assumption about OCS using its’ own temporary template is correct. I think that OCS basically uses the Web Server template, and somehow works with the CA to allow it to make a certificate based off of a temporary version 2 template so to speak and then removes it after the certificate is made. I’ll have to eventually try making a version 2 template called “WebServer” and seeing what happens out of curiousity.

By: Tom Pacyk

Tom Pacyk — Fri, 08 Aug 2008 20:50:46 +0000

No problem.

I can’t remember exactly, but I want to say the OCS cert wizard uses its own template to request the cert, hence the ability to export the private key and have SANs on it as well. It could very well be some advanced options it spits at the CA instead of a different template, but either way – you get the exact cert type you need by using that method.

And as an aside, there’s a little trick you can do with the regular Web Server template the does allow you to export the private key without duplicating the template.

Fill out the cert info as normal, pick the web server template. The “Mark private key as exportable” checkbox is grayed out. Press Submit. Instead of clicking the link to install the cert you generated, hit the back button on the browser. “Mark private key as exportable” is no longer grayed out! Check the box, press Submit again and voila – you get a cert you can export with the private key.