After setting up certificates for the internal interface, you are ready to set up the certificates for the external interface.

For a list of certificate requirements for the external interface of your Edge Servers, see Certificate Requirements for External User Access. For a list of public CAs that provide certificates that comply with the specific requirements for unified communications certificates and have partnered with Microsoft to ensure that they work with the Office Communications Server Certificate Wizard, see Microsoft Knowledge Base article 929395, “Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007,” at http://go.microsoft.com/fwlink/?LinkId=140898.

Configuring the Certificates on the External Interfaces

You must set up two certificates on the external interface of each Edge Server—one for the Access Edge service on that server, and one for the Web Conferencing Edge service. To do this, complete all of the procedures in this section:

  • Step 1: Create the certificate request for the external interface of the Edge Server.

  • Step 2: Submit the request to your public certification authority (CA).

  • Step 3: Import the certificate for the external interface of each Edge Server.

  • Step 4: Assign the certificate for the external interface of each Edge Server.

    Note:
    When you request a certificate from an External CA, the credentials provided must have rights to request a certificate from that CA. Each CA has a security policy that defines which credentials (that is, specific user and group names) are allowed to request, issue, manage, or read certificates.

To create the certificate request for the external interface of the Edge Server

  1. On the Edge Server, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. On the Welcome page of the Communications Certificate Wizard, click Next.

  3. On the Available tasks page, click Create a new certificate, and then click Next.

  4. On the Delayed or Immediate Request page, select the Prepare the request now, but send later check box, and then click Next.

  5. On the Name and Security Settings page, type a friendly name for the certificate, specify the bit length (typically, the default of 1024), verify that the Mark certificate as exportable check box is selected, and then click Next.

  6. On the Organization Information page, type the name for the organization and the organizational unit (for example, a division or department), and then click Next.

  7. On the Your Server's Subject Name page, type or select the subject name and subject alternate name of the Edge Server:

    • The subject name should match the fully qualified domain name (FQDN) of the server published by the external firewall for the external interface on which you are configuring the certificate. For the external interface of the Access Edge Server, this certificate subject name should be sip.<domain>.

    • If multiple Session Initiation Protocol (SIP) domain names exist and they do not appear in Subject alternate name, type the name of each additional SIP domain as sip.<domain>, separating names with a comma. Domains entered during configuration of the Access Edge Server are automatically added to this box.

    Note:
    For the subject alternate name, wildcard character naming is allowed. The wildcard character works for one domain level in the name. For example, if you type *.contoso.com as the Subject Alternate Name, names such as a.contoso.com and b.contoso.com would be validated, but a.a.contoso.com would not.

    Wildcard character naming is only supported for allowed and discovered partner domains, not for instant messaging (IM) provider federation.

  8. Click Next.

  9. On the Geographical Information page, type the location information, and then click Next.

  10. On the Certificate Request File Name page, type the full path and file name of the file to which the request is to be saved, and then click Next.

  11. On the Request Summary page, click Next.

  12. On the Certificate Wizard Completed page, verify successful completion, and then click Finish.

  13. Copy the output file to a location where you can submit it to the public CA.
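Before submitting the request (or after the certificate comes back), it is worth checking that the subject name and subject alternate names actually cover sip.<domain> for every SIP domain, using the one-label wildcard rule the note above describes. The following script is an added example, not part of the Office Communications Server documentation; it assumes you have already read the subject CN and the subject alternate names out of the request or certificate and supply them as plain strings (the sample values are constructed).

```python
"""Check an Edge Server external certificate's names against the SIP domains.

Added example (not from the product documentation). Assumes the subject CN and
the subject alternate names were read from the request or certificate and are
passed in as strings. Implements the documented wildcard rule: '*' matches
exactly one DNS label, so *.contoso.com covers a.contoso.com but not
a.a.contoso.com.
"""


def name_matches(pattern: str, name: str) -> bool:
    """True if `name` equals `pattern`, or `pattern` is a one-level wildcard for it."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    plabels = pattern.split(".")[1:]      # labels after the leading '*'
    nlabels = name.split(".")
    # '*' stands for exactly one non-empty label, so label counts must agree
    return (len(nlabels) == len(plabels) + 1
            and nlabels[0] != ""
            and nlabels[1:] == plabels)


def missing_sip_names(subject_cn: str, sans: list, sip_domains: list) -> list:
    """Return every sip.<domain> name that neither the subject CN nor any SAN covers."""
    cert_names = [subject_cn, *sans]
    missing = []
    for domain in sip_domains:
        wanted = f"sip.{domain}".lower()
        if not any(name_matches(p, wanted) for p in cert_names):
            missing.append(wanted)
    return missing


def access_edge_subject_ok(subject_cn: str, primary_domain: str) -> bool:
    """The Access Edge subject name itself must be exactly sip.<domain> (no wildcard)."""
    return subject_cn.lower() == f"sip.{primary_domain}".lower()


if __name__ == "__main__":
    # Constructed sample values: one wildcard SAN plus two explicit names.
    cn = "sip.contoso.com"
    sans = ["sip.contoso.com", "*.fabrikam.com", "sip.partner.example"]
    domains = ["contoso.com", "fabrikam.com", "eu.fabrikam.com", "partner.example"]
    print("Access Edge subject OK:", access_edge_subject_ok(cn, "contoso.com"))
    print("Uncovered SIP names:", missing_sip_names(cn, sans, domains))
    # -> ['sip.eu.fabrikam.com']  (two labels under the wildcard, so not covered)
```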

To submit a request to a public certification authority

  1. Open the output file.

  2. Copy and paste the contents of the Certificate Signing Request (CSR) into the appropriate text box, beginning with:

        -----BEGIN NEW CERTIFICATE REQUEST-----

     and ending with:

        -----END NEW CERTIFICATE REQUEST-----

  3. If prompted, specify the following:

    • Microsoft as the server platform.

    • IIS as the version.

    • Web Server as the usage type.

    • PKCS7 as the response format.

  4. When the public CA has verified your information, you will receive an e-mail message containing text required for your certificate.

  5. Copy the text from the e-mail message and save the contents in a text file (.txt) on your local computer.

  6. Download the root CA chain of the public CA and install it on the local computer store of each Edge Server.

To import the certificate for the external interface of the Edge Server

  1. Log on to the Edge Server as a member of the Administrators group.

  2. In the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.

  3. On the Welcome page of the Communications Certificate Wizard, click Next.

  4. On the Available certificate tasks page, click Process the pending request and import the certificate, and then click Next.

  5. Type the full path and file name of the certificate that you requested for the external interface of the Edge Server, and then click Next.

  6. Click Finish.

  7. Repeat this procedure for each Edge Server in your deployment that requires a certificate on the external interface.

To assign the certificate for the external interface of the Edge Server

  1. In the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. On the Welcome page of the Communications Certificate Wizard, click Next.

  3. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.

  4. On the Available Certificates page, select the certificate that you requested for the external interface of the Edge Server, and then click Next.

  5. On the Available certificate assignments page, select the external interface where you want to install the certificate, and then click Next.

  6. Review your settings, and then click Next to assign the certificates.

  7. On the wizard completion page, click Finish.

  8. Repeat this procedure for each Edge Server in your deployment that requires a certificate on the external interface.