[This is pre-release documentation and subject to change in future releases. This topic's current status is: Milestone-Ready]

Topic Last Modified: 2010-07-18

After setting up certificates for the internal interface, you are ready to set up the certificates for the external interface.

Each Edge Server requires a public certificate on the interface between the perimeter network and the Internet, and the certificate’s SAN must contain the external names of the Access Edge and Web Conferencing Edge FQDNs:

For details about this and other certificate requirements, see Certificate Requirements for External User Access.

For a list of public certification authorities (CAs) that provide certificates that comply with specific requirements for unified communications certificates and have partnered with Microsoft to ensure they work with the Office Communications Server Certificate Wizard, see article Microsoft Knowledge Base 929395, "Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007," at http://go.microsoft.com/fwlink/?LinkId=140898.

To set up a certificate on the external edge interface at a site, use the procedures in this section to do the following:

  1. Create the certificate request for the external interface of the Edge Server.

  2. Submit the request to your public CA.

  3. Import the certificate for the external interface of each Edge Server.

  4. Assign the certificate for the external interface of each Edge Server.

    Note:
    You can request public certificates directly from a public CA (such as from the Web site of a public CA). The procedures in this section use the Certificate Wizard for most certificate tasks. If you chose to request a certificate directly from a public CA, then you will need to modify each procedure as appropriate to request, transport, and import the certificate, as well as to import the certificate chain.

    When you request a certificate from an External CA, the credentials provided must have rights to request a certificate from that CA. Each CA has a security policy that defines which credentials (that is, specific user and group names) are allowed to request, issue, manage, or read certificates.

    If you decide to use the Certificates MMC to import the certificate chain and certificate, you must import them to the certificate store for the computer. If you import them to the user or service certificate store, the certificate will not be available for assignment in the Communications Server Certificate Wizard.

To create the certificate request for the external interface of the Edge Server

  1. On the Edge Server, in the Deployment Wizard, next to Step 3: Request, Install, or Assign Certificates, click Run again.

    Note:
    If your organization wants to support public IM connectivity with AOL, you cannot use the Deployment Wizard to request the certificate. Instead, use the “To create a certificate request for the external interface of the Edge Server to support public IM connectivity with AOL” procedure later in this section.
    Note:
    If you have multiple Edge Servers in one location in a pool, you can run the Communications Certificate Wizard on any one of the Edge Servers.

  2. On the Available Certificate Tasks page, click Create a new certificate request.

  3. On the Certificate Request page, click External Edge Certificate.

  4. On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box.

  5. On the Certificate Request File page, type the full path and file name of the file to which the request is to be saved (for example, c:\cert_exernal_edge.cer.

  6. On the Specify Alternate Certificate Template page, to use a template other than the default WebServer template, select the Use alternative certificate template for the selected Certificate Authority check box.

  7. On the Name and Security Settings page, do the following:

    • In Friendly name, type a friendly name for the certificate.

    • In Bit length, specify the bit length (typically, the default of 2048).

    • Verify that the Mark certificate private key as exportable check box is selected.

  8. On the Organization Information page, type the name for the organization and the organizational unit (for example, a division or department).

  9. On the Geographical Information page, specify the location information.

  10. On the Subject Name/Subject Alternate Names page, the information to be automatically populated by the wizard is displayed. If additional SANs are needed, you specify them in the next two steps.

  11. On the SIP Domain Setting on Subject Alternate Names (SANs) page, select the domain check box to add a sip.<sipdomain> entry to the SAN list.

  12. On the Configure Additional Subject Alternate Names page, specify any additional SANS that are required.

  13. On the Request Summary page, review the certificate information to be used to generate the request.

  14. After the commands complete, do the following:

    • To view the log for the certificate request, click View Log.

    • To complete the certificate request, click Next.

  15. On the Certificate Request File page, do the following:

    • To view the generated certificate signing request (CSR) file, click View.

    • To close the wizard, click Finish.

  16. Copy the output file to a location where you can submit it to the public CA.

To create a certificate request for the external interface of the Edge Server to support public IM connectivity with AOL

  1. When the required template is available to the CA, use the following Windows PowerShell cmdlet to request the certificate:

    Copy Code 
    Request-CsCertificate –Action new -Type AccessEdgeExternal  –Output C:\<certfilename.txt or certfilename.csr>  –ClientEku $true –Template <template name>

    The default certificate name of the template provided in Communications Server 2010 is Web Server.

    Note:
    If your organization wants to support public IM connectivity with AOL, you must use Windows PowerShell instead of the Certificate Wizard to request the certificate to be assigned to the external edge for the Access Edge service. This is because the Communications Server 2010 Web Server template that the Certificate Wizard uses to request a certificate does not support client EKU configuration. Before using Windows PowerShell to create the certificate, the CA administrator must create and deploy a new template that supports client EKU.

To submit a request to a public certification authority

  1. Open the output file.

  2. Copy and paste the contents of the Certificate Signing Request (CSR)

  3. If prompted, specify the following:

    • Microsoft as the server platform.

    • IIS as the version.

    • Web Server as the usage type.

    • PKCS7 as the response format.

  4. When the public CA has verified your information, you will receive an e-mail message containing text required for your certificate.

  5. Copy the text from the e-mail message and save the contents in a text file (.txt) on your local computer.

To import the certificate for the external interface of the Edge Server

  1. Log on as a member of the Administrators group to the same Edge Server on which you created the certificate request.

  2. In the Deployment Wizard, on the Deploy Edge Server page, next to Step 3: Request, Install, or Assign Certificates, click Run again.

  3. On the Available Certificate Tasks page, click Import a certificate from a .p7b, pfx or .cer file.

  4. On the Import Certificate page, type the full path and file name of the certificate that you requested for the external interface of the Edge Server (or, click Browse to locate and select the file).

  5. If you are configuring an eEdge Server pool, then export the certificate with its private key, copy to the other edge servers, and import into the computer store on each.

To assign the certificate for the external interface of the Edge Server

  1. On each Edge Server, in the Deployment Wizard, next to Step 3: Request, Install, or Assign Certificates, click Run again.

  2. On the Available Certificate Tasks page, click Assign an existing certificate.

  3. On the Certificate Assignment page, click External Edge Certifcate and select the Advanced Certificate Usages check box.

  4. On the Advanced Certificate Usages page, select all check boxes to assign the certificate for all usages.

  5. On the Certificate Store page, select the public certificate that you requested and imported for the external interface of the Edge Server.

    Note:
    If the certificate you requested and imported is not in the list, either verify that SN and SAN of the certificate meet all requirements for the certificate and, if you manually imported the certificate and certificate chain instead of using the preceding procedures, that the certificate is in the correct certificate store (the computer certificate store, not the user or service certificate store).

  6. On the Certificate Assignment Summary page, review your settings, and then click Next to assign the certificates.

  7. On the wizard completion page, click Finish.

  8. After using this procedure to assign the edge certificate, open the Certificate snap-in on each server, expand Certificates (Local computer), expand Personal, click Certificates, and then verify in the details pane that the certificate is listed.

  9. If your deployment includes multiple Edge Servers, repeat this procedure for each Edge Server.