For the purposes of this walkthrough, we use the internal certification authority (CA) for the Standard Edition server, Communicator Web Access, and the internal interface of the Edge Server. Each of these servers must also have the CA's root certificate installed in the computer account's Trusted Root Certification Authorities store; without it, the certificates the CA issues will not chain to a trusted root on that server and TLS connections to it will fail.

To configure a new certificate

  1. Log on to the server on which you want to configure a certificate, using an account that is a member of both the Administrators group and the RTCUniversalServerAdmins group and that has permission to request a certificate from your certification authority (CA).

  2. Insert the Microsoft Office Communications Server 2007 R2 CD, and then click Standard Edition.

  3. If you are installing from a network share, browse to the \setup\amd64\ folder on the share, and then double-click setupSE.exe.

  4. In the deployment tool, click Deploy Standard Edition Server.

  5. At Configure Certificate, click Run.

  6. On the Welcome to the Certificate Wizard page, click Next.

  7. On the Available Certificate Tasks page, click Create a new certificate, and then click Next.

  8. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.

  9. On the Name and Security Settings page, do the following:

    • Under Name, type a meaningful name for the certificate that this server will use for Office Communications Server communications. This becomes the certificate's friendly name, so choose one that tells you which server role it belongs to.

    • Under Bit length, select the RSA key length to use.

      A longer key is harder to break but costs more CPU per TLS handshake; treat 2048 bits as the minimum.

    • Clear the Mark cert as exportable check box. A non-exportable private key cannot later be copied off this server through the certificate store, which limits the damage if an administrative account is compromised.

  10. Click Next.

  11. On the Organization Information page, type or select the name of your organization and organizational unit, and then click Next.

  12. On the Your Server's Subject Name page, do the following:

    • In Subject name, verify that the pool fully qualified domain name (FQDN) is displayed.

    • In Subject Alternate Name, verify that the required entries exist. Optionally, click Subject Alternate Name, and then type any additional names that identify the pool during authentication.

      Subject alternative name (SAN) entries of the form sip.<domain> are required on the server certificate for each supported Session Initiation Protocol (SIP) domain if all of the following are true:

      • Your organization supports multiple SIP domains.

      • Clients are using automatic configuration.

      • This pool is used to authenticate and redirect client sign-in, or this is the first Standard Edition server to which clients connect.

      If you selected the option to configure clients for automatic sign-in, the certificate wizard adds these SIP domains to the certificate request automatically.

      To include the local computer name in the list of alternate names that identify the pool during authentication, select the Automatically add local machine name to the Subject Alt Name check box.

  13. Click Next.

  14. On the Geographical Information page, enter the Country/Region, State/Province, and City/Locality (do not use abbreviations), and then click Next.

  15. On the Choose a Certification Authority page, the wizard attempts to automatically detect any CAs that are published in Active Directory Domain Services (AD DS). Do one of the following:

    • Click Select a certificate authority from the list detected in your environment, and then click your CA in the list.

    • Click Specify the certificate authority that will be used to request this certificate, and then type the name of your CA in the box, using the format <FQDN of CA>\<CA instance>. For example, \CAserver1. If you type the name of a CA outside the forest, a dialog box appears; type the user name and password for that CA, and then click OK.

  16. Click Next.

  17. On the Request Summary page, review the settings that you specified, and then click Next.

  18. On the Assign Certificate Task page, click Assign certificate immediately, and then click Next.

  19. On the Configure the Certificate(s) of Your Server page, click Next.

  20. Click Finish.

  21. Because you chose in step 8 to send the request immediately to an online CA, there is no request file to submit. If you instead chose a delayed request, submit the generated request file to your CA (by e-mail or another method your organization supports for its enterprise CA). If your CA is configured for automatic approval, proceed to the next procedure. If your CA requires CA administrator approval to issue a certificate, the administrator must approve or deny the pending request on the issuing CA before you can assign the certificate.

Because we are using an internal CA that issues certificates automatically, the certificate is issued and assigned while the wizard is still running. The next task is to configure the Web Components certificate.

Repeat the process to request a certificate for the Web Components. The subject name and SAN entries differ from those of the server certificate. Specifically, use a friendly name that clearly identifies this certificate as being for the Web Components, use the FQDN ocsse1.litwareinc.com as the subject name, and include the Web Components DNS name ocs.litwareinc.com as a SAN entry. On the Assign Certificate Task page, do not assign the certificate immediately. After you complete this step, assign the certificate to the Web Components Server by using the procedure in Walkthrough: Assign the certificate to the Web Components Server using IIS Manager.
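Once both wizard runs have completed, it is worth confirming from the command line that each certificate actually has the properties the two procedures above asked for: the expected subject, the required SAN entries, a private key that is machine-scoped and not exportable, and a chain that ends at a root in the computer's Trusted Root Certification Authorities store. The following PowerShell script is an added example, not part of this walkthrough or of the Office Communications Server product. It assumes Windows PowerShell 2.0 or later, that the certificates were requested by the Certificate Wizard as described above, that the wizard stores the value entered under Name as the certificate's friendly name, and that the key was generated by a legacy CSP (as the 2007 R2 wizard does), which is what exposes CspKeyContainerInfo. The friendly names, the SIP domain litwareinc.com and the 2048-bit minimum are assumptions chosen for illustration; only ocsse1.litwareinc.com and ocs.litwareinc.com come from the walkthrough.

```powershell
# Added example (not from the walkthrough): verify certificates issued by the
# OCS 2007 R2 Certificate Wizard in the computer's Personal store.
# Run in an elevated Windows PowerShell session on the Standard Edition server.

function Test-OcsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$FriendlyName,  # value typed under Name in the wizard
        [Parameter(Mandatory = $true)][string]$Subject,       # expected CN, e.g. the pool FQDN
        [string[]]$RequiredSans = @(),                        # DNS names that must appear in the SAN
        [int]$MinKeyBits = 2048                               # assumption: treat 2048-bit RSA as the floor
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate with friendly name '$FriendlyName' and a private key in LocalMachine\My"
        return $false
    }
    $ok = $true

    # Subject: the CN must be the FQDN entered on the Your Server's Subject Name page.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $Subject) { Write-Warning "Subject CN is '$cn', expected '$Subject'"; $ok = $false }

    # Key length: the wizard's Bit length choice.
    $bits = $cert.PublicKey.Key.KeySize
    if ($bits -lt $MinKeyBits) { Write-Warning "Key is only $bits bits (minimum $MinKeyBits)"; $ok = $false }

    # Subject Alternative Name (OID 2.5.29.17): collect the DNS Name= entries.
    $sans = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        foreach ($entry in $sanExt.Format($false).Split(',')) {
            if ($entry.Trim() -match '^DNS Name=(.+)$') { $sans += $Matches[1].Trim() }
        }
    }
    foreach ($name in $RequiredSans) {
        if ($sans -notcontains $name) { Write-Warning "SAN is missing $name"; $ok = $false }
    }

    # Private key: Mark cert as exportable was cleared, and the key must live in the
    # machine key set rather than in the profile of whoever ran the wizard.
    try {
        $csp = $cert.PrivateKey.CspKeyContainerInfo
        if ($csp.Exportable)        { Write-Warning "Private key is exportable"; $ok = $false }
        if (-not $csp.MachineKeySet) { Write-Warning "Private key is not in the machine key set"; $ok = $false }
    } catch {
        Write-Warning "Cannot read private key container: $($_.Exception.Message)"; $ok = $false
    }

    # Chain: must build to a root trusted by the computer account. Revocation checking is
    # turned off so this works on a server without CRL access; the CA root must still be
    # present in LocalMachine\Root for Build() to succeed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        foreach ($status in $chain.ChainStatus) { Write-Warning "Chain: $($status.StatusInformation.Trim())" }
        $ok = $false
    }

    # Lifetime: flag a certificate that expires within 30 days so it can be renewed first.
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)"; $ok = $false }

    return $ok
}

# Server certificate from the first procedure: pool FQDN as subject plus one
# sip.<domain> SAN per SIP domain for automatic client sign-in (assumed domain list).
$sipDomains = @('litwareinc.com')
$poolSans = @('ocsse1.litwareinc.com') + ($sipDomains | ForEach-Object { "sip.$_" })
$serverOk = Test-OcsCertificate -FriendlyName 'OCS Server - ocsse1' -Subject 'ocsse1.litwareinc.com' -RequiredSans $poolSans

# Web Components certificate from the paragraph above: same subject, with the
# Web Components name ocs.litwareinc.com in the SAN.
$webOk = Test-OcsCertificate -FriendlyName 'OCS Web Components - ocsse1' -Subject 'ocsse1.litwareinc.com' -RequiredSans @('ocsse1.litwareinc.com', 'ocs.litwareinc.com')

"Server certificate OK: $serverOk"
"Web Components certificate OK: $webOk"
```

Each failed check is reported with Write-Warning and the function returns $false, so the script can be rerun after a fix until both lines read True. Selecting the certificate by friendly name rather than by subject matters here because both certificates carry the same subject, ocsse1.litwareinc.com, and differ only in their friendly name and SAN list.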
