A certificate chain establishes a "chain of trust" from a certification authority (CA) to an individual certificate. Trust occurs if a valid certificate from that CA can be found in your root certificate directory. As long as you trust the CA, you will automatically trust any other certificates signed by that CA.
If you create your own certificates, your Communicator Web Access (2007 R2 release) server probably already has a chain of trust with your internal CA. If not, you can establish this chain of trust by downloading and installing a certificate chain.
Installing the certificate chain is especially important if your CA is running Windows Server 2003 and your Communicator Web Access server is running Windows Server 2008. Because of changes in Windows Server 2008, you cannot request a certificate from a Windows Server 2003 CA without first installing the certificate chain. If you request a certificate without installing the certificate chain, you will receive the following error message:
Delayed or Immediate Request: The request was submitted to the Certification Authority successfully.
However, request processing failed. Restart the wizard and retry the operation.
Task failed: Failed to generate certificate signing request. Ensure that you have sufficient privileges to perform certificate operations
By installing the certificate chain, you prevent this error from occurring.
To download a certificate chain
- Log on to the computer as a member of the local Administrators group.
- Open a Web browser and then, in the address bar, type the URL to the CA. For example, if your certificate server has a fully qualified domain name (FQDN) of certserver.contoso.com, the URL would be https://certserver.contoso.com/certsrv.
- After connecting to the Welcome page, click Download a CA certificate, certificate chain, or CRL.
- On the Download a CA Certificate, Certificate Chain, or CRL page, click Download CA certificate chain.
- In the File Download dialog box, click Save, and then save the downloaded .p7b file (a file format used to store certificates) to a folder on the local computer.
- If the Download Complete dialog box appears, click Close.
To install a certificate chain
- Click Start, and then click Run.
- In the Open box, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- In the Add/Remove Snap-in dialog box, click Add.
- In the list of Available Standalone Snap-ins, select Certificates.
- Click Add.
- Select Computer account, and then click Next.
- In the Select Computer dialog box, ensure that Local computer (the computer this console is running on) is selected, and then click Finish.
- Click Close, and then click OK.
- In the left pane of the Certificates console, expand Certificates (Local Computer).
- Expand Trusted Root Certification Authorities.
- Right-click Certificates, point to All Tasks, and then click Import.
- In the Import Wizard, click Next.
- Click Browse, go to the location where you saved the certificate chain, select the .p7b file, and then click Open.
- Click Next.
- Accept the default value Place all certificates in the following store. Under Certificate store, ensure that Trusted Root Certification Authorities appears.
- Click Next.
- Click Finish.
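Because every certificate placed in Trusted Root Certification Authorities becomes a trust anchor for the whole computer, it is worth inspecting the downloaded .p7b file before importing it. The following script is an added example, not part of the original procedure: it lists the certificates in the file, checks the root CA thumbprint against a value you obtained from the CA administrator, and only then adds the certificates to the local computer's Trusted Root store, as the wizard steps above do. The file path and the expected thumbprint are placeholders (assumptions), and the script must be run from an elevated PowerShell prompt.

```powershell
# Added example: verify a downloaded CA chain (.p7b) before trusting it.
# $ChainPath and $ExpectedRootThumbprint are placeholders; supply your own values.
param(
    [string]$ChainPath = 'C:\Temp\certnew.p7b',
    [string]$ExpectedRootThumbprint = '<ROOT-CA-THUMBPRINT-OBTAINED-OUT-OF-BAND>'
)

# Load every certificate from the PKCS #7 file into memory; no store is touched yet.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($ChainPath)

# Show exactly what is about to become trusted on this computer.
$chain | Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter | Format-List

# A root CA certificate is self-signed: its subject and issuer are identical.
$roots = @($chain | Where-Object { $_.Subject -eq $_.Issuer })
if ($roots.Count -eq 0) {
    throw "No self-signed root CA certificate found in $ChainPath."
}

# Compare the root thumbprint with the value confirmed by the CA administrator.
$expected = ($ExpectedRootThumbprint -replace '\s', '').ToUpperInvariant()
if (-not ($roots | Where-Object { $_.Thumbprint -eq $expected })) {
    throw 'Root CA thumbprint does not match the expected value. Nothing was imported.'
}

# Refuse certificates that are expired or not yet valid.
$now = Get-Date
$invalid = @($chain | Where-Object { $_.NotAfter -lt $now -or $_.NotBefore -gt $now })
if ($invalid.Count -gt 0) {
    throw "Certificate outside its validity period: $($invalid[0].Subject)"
}

# Same result as the Import Wizard steps: all certificates go into
# Trusted Root Certification Authorities for the local computer.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    foreach ($cert in $chain) { $store.Add($cert) }
}
finally {
    $store.Close()
}
Write-Output "Imported $($chain.Count) certificate(s) into LocalMachine\Root."
```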