Comments on: Communicator Web Access (CWA) requires Server 2003+ Enterprise Edition CA

By: Elan Shudnow

Elan Shudnow — Sat, 09 Aug 2008 03:41:39 +0000

So I have a theory after looking at some stuff. The OCS documentation states that OCS requires the Web Server template to be available. Now the default template is named “Web Server.” But if you look at the detail of the certificate and look at the Certificate Template Name, it states “WebServer.” So because the names are different but it requires the Web Server, I think your assumption about OCS using its’ own temporary template is correct. I think that OCS basically uses the Web Server template, and somehow works with the CA to allow it to make a certificate based off of a temporary version 2 template so to speak and then removes it after the certificate is made. I’ll have to eventually try making a version 2 template called “WebServer” and seeing what happens out of curiousity.

By: Tom Pacyk

Tom Pacyk — Fri, 08 Aug 2008 20:50:46 +0000

No problem.

I can’t remember exactly, but I want to say the OCS cert wizard uses its own template to request the cert, hence the ability to export the private key and have SANs on it as well. It could very well be some advanced options it spits at the CA instead of a different template, but either way - you get the exact cert type you need by using that method.

And as an aside, there’s a little trick you can do with the regular Web Server template the does allow you to export the private key without duplicating the template.

Fill out the cert info as normal, pick the web server template. The “Mark private key as exportable” checkbox is grayed out. Press Submit. Instead of clicking the link to install the cert you generated, hit the back button on the browser. “Mark private key as exportable” is no longer grayed out! Check the box, press Submit again and voila - you get a cert you can export with the private key.

By: Elan Shudnow

Elan Shudnow — Fri, 08 Aug 2008 17:13:47 +0000

Thanks for the information Tom. What seems odd is that the WebServer Template does not allow you to export a private key. If you look at the Version 1 Template, it doesn’t allow the private key to be exported. If you go onto the certsrv website, the option to export as a private key is greyed out.

But if I go onto my Front End Server, it used the template for Web Server which can see by the properties of the certificate, yet the certificate has the ability to export the certificate with its private key.

So it seems like there is some mechanism in the OCS admin console that allows the certificate request to allow the certificate to be exported with its’ private key even if the template it’s using doesn’t allow that option.

By: Tom Pacyk

Tom Pacyk — Fri, 08 Aug 2008 16:41:39 +0000

In an effort to clear this up…

We’re talking operating system Enterprise vs. Standard edition - not Enterprise CA vs. Standalone CA.

CWA 2007 does not require a Server 2003 Enterprise Edition (Enterprise or Standalone) CA.

The ability to duplicate and modify a certificate template does require a Server 2003 Enterprise Edition, but you don’t necessarily have to do that for OCS. The easy way around this is to just use the OCS Certificate Wizard from the admin console. It provides the correct template (SAN entries supported) and doesn’t require.

Here are 3 alternatives to avoid having to purchase a Server 2003 Enterprise CAL.
- Install the OCS admin console on your CWA box and issue a certificate using the OCS certificate wizard.
- Issue the certificate using the OCS console on a different box, export it with a private key, import into the CWA box
- Issue some advanced certificate options via the certsrv website which will issue the SAN field.
- Use the certreq.exe tool to request a certificate with a SAN.

The latter two options are discussed in more detail here: http://support.microsoft.com/kb/931351/en-us

By: Great CWA Cert infomation « JC’s Blog-O-Gibberish

Great CWA Cert infomation « JC’s Blog-O-Gibberish — Fri, 08 Aug 2008 15:29:31 +0000

[...] CWA Cert infomation Posted on August 8, 2008 by johnacook Communicator Web Access (CWA) requires Server 2003+ Enterprise Edition CA | Elan Shudnow’s Blo… [...]