Topic Last Modified: 2010-07-18
A single certificate is required on the internal interface of each Edge Server. Certificates for the internal interface can be issued by an internal Enterprise CA or a public CA. To save on the expense of public certificates, if your organization has an internal CA deployed, the certificate for the internal interface should be issued by that internal CA. You can use an internal Windows Server 2008 CA or Windows Server 2008 R2 CA to create these certificates.
For details about this and other certificate requirements, see Certificate Requirements for External User Access.
To set up certificates on the internal edge interface at a site, use the procedures in this section to do the following:
- Download the certification authority (CA) certification chain for the internal interface to each Edge Server.
- Import the CA certification chain for the internal interface on each Edge Server.
- Create the certificate request for the internal interface on one Edge Server, called the first Edge Server.
- Import the certificate for the internal interface on the first Edge Server.
- Import the certificate on the other Edge Servers at this site (or deployed behind this load balancer).
- Assign the certificate for the internal interface of every Edge Server.
If you have more than one site with Edge Servers (that is, a multiple-site edge topology), or separate sets of Edge Servers deployed behind different load balancers, you need to follow these steps for each site that has Edge Servers, and for each set of Edge Servers deployed behind a different load balancer.
Note: The steps of the procedures in this section are based on using a Windows Server 2008 Enterprise CA or a Windows Server 2008 R2 CA to create a certificate for each Edge Server. For step-by-step guidance for any other CA, consult the documentation for that CA. By default, all authenticated users have rights to request certificates. The procedures in this section are based on creating certificate requests on the Edge Server as part of the Edge Server deployment process. It is possible to create certificate requests using the Front End Server (to complete the certificate request early in the planning and deployment process, before starting deployment of the Edge Servers). To do this, you must ensure that the certificate you request is exportable. The procedures in this section describe the use of a .cer file for the certificate. If you use a different type of file, modify these procedures as appropriate.
To download the CA certification chain for the internal interface
- With your Enterprise root CA offline and your Enterprise subordinate (that is, issuing) CA server online, log on to a Communications Server 2010 server in the internal network (that is, not the Edge Server) as a member of the Administrators group.
- Click Start, click Run, type https://<name of your Issuing CA Server>/certsrv (https, not http, is required if you are using a Windows Server 2008 or Windows Server 2008 R2 Enterprise CA), and then click OK.
- Under Select a task, click Download a CA certificate, certificate chain, or CRL.
- Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.
- In the File Download dialog box, click Save.
- Save the .p7b file to the hard drive on the server, and then copy it to a folder on each Edge Server.
Note: The .p7b file contains all of the certificates that are in the certification path. To view the certification path, open the server certificate and click the Certification Path tab.
To import the CA certification chain for the internal interface
- On each Edge Server, open the Microsoft Management Console (MMC) by clicking Start, clicking Run, typing mmc in the Open box, and then clicking OK.
- On the File menu, click Add/Remove Snap-in, and then click Add.
- In the Add Standalone Snap-ins box, click Certificates, and then click Add.
- In the Certificate snap-in dialog box, click Computer account, and then click Next.
- In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.
- Click Close, and then click OK.
- In the console tree, expand Certificates (Local Computer), right-click Trusted Root Certification Authorities, point to All Tasks, and then click Import.
- In the wizard, in File to Import, specify the file name of the certificate (the name that you specified when you downloaded the CA certification chain for the internal interface in the previous procedure).
- Repeat this procedure on each Edge Server.
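The two procedures above (download the chain, then import it on each Edge Server) can be done from an elevated PowerShell prompt on the Edge Server instead of through the MMC. The following is an added example, not code from the TechNet page or from the product; the .p7b path is a placeholder. It differs from the page in one respect: rather than placing the whole chain in Trusted Root, it puts the self-issued root in the Root store and the issuing (subordinate) CA in the Intermediate Certification Authorities store, which is where Windows expects each to live, and then checks that the issuing CA's certificate now chains to a trusted root on this machine.

```powershell
# Added example (not from the TechNet page): import the downloaded CA
# certification chain (.p7b) on an Edge Server and verify the result.
# $chainFile is a placeholder; use the file saved from the issuing CA's /certsrv page.
$chainFile = 'C:\CertChain\certnew.p7b'

# A .p7b (PKCS#7) file can carry several certificates; load them all.
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($chainFile)

foreach ($cert in $collection) {
    # A root CA certificate is self-issued (Subject equals Issuer); anything
    # else in the chain is a subordinate/issuing CA and belongs in the CA store.
    $isRoot    = ($cert.Subject -eq $cert.Issuer)
    $storeName = if ($isRoot) { 'Root' } else { 'CA' }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)          # Add is idempotent; re-running the script is safe
    $store.Close()

    Write-Host ("Imported '{0}' into LocalMachine\{1} (thumbprint {2}, expires {3:d})" -f
        $cert.Subject, $storeName, $cert.Thumbprint, $cert.NotAfter)
}

# Check: the issuing CA's certificate must build a chain to a root this
# computer now trusts. Revocation checking is left at its default (online);
# a RevocationStatusUnknown failure here means the CRL distribution point is
# not reachable from the Edge Server, which is worth knowing before deployment.
$issuing = $collection | Where-Object { $_.Subject -ne $_.Issuer } | Select-Object -First 1
if (-not $issuing) { $issuing = $collection[0] }   # chain file held only a root

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($issuing)) {
    Write-Host ("Chain verified: {0} element(s), root = {1}" -f
        $chain.ChainElements.Count, $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject)
} else {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Chain build failed for '$($issuing.Subject)': $reasons"
}
```

Run it once per Edge Server after copying the .p7b file there; the final check is the same thing the MMC shows on the Certification Path tab, but it fails loudly instead of requiring a visual inspection.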
To create the certificate request for the internal interface
- On one Edge Server, in the Deployment Wizard, next to Step 3: Request, Install, or Assign Certificates, click Run.
Note: If you have multiple Edge Servers in one location in a pool, you can run the Communications Certificate Wizard on any one of the Edge Servers. After you run Step 3 the first time, the button changes to Run again, but a green check mark (indicating successful completion of the task) is not displayed until all required certificates have been requested, installed, and assigned.
- On the Available Certificate Tasks page, click Create a new certificate request.
- On the Certificate Request page, click Edge Internal.
- On the Delayed or Immediate Requests page, click Prepare the request now, but send it later.
- On the Certificate Request File page, type the full path and file name to which the request is to be saved (for example, c:\cert_internal_edge.cer).
- On the Specify Alternate Certificate Template page, to use a template other than the default WebServer template, select the Use alternative certificate template for the selected Certificate Authority check box.
- On the Name and Security Settings page, do the following:
  - In Friendly name, type a friendly name for the certificate (for example, Internal Edge).
  - In Bit length, specify the bit length (typically, the default of 2048). Higher bit lengths offer more security, but have a negative impact on speed.
  - If the certificate needs to be exportable, select the Mark certificate private key as exportable check box.
- On the Organization Information page, type the name for the organization and the organizational unit (such as a division or department, if appropriate).
- On the Geographical Information page, specify the location information.
- On the Subject Name/Subject Alternate Names page, the information to be automatically populated by the wizard is displayed. If additional SANs are needed, you specify them in the next step.
- On the Configure Additional Subject Alternate Names page, specify any additional SANs that are required.
- On the Request Summary page, review the certificate information to be used to generate the request.
- After the commands complete, do the following:
  - To view the log for the certificate request, click View Log.
  - To complete the certificate request, click Next.
- On the Certificate Request File page, do the following:
  - To view the generated certificate signing request (CSR) file, click View.
  - To close the wizard, click Finish.
- Submit this file to your CA (by e-mail or another method supported by your organization for your Enterprise CA) and, when you receive the response file, copy the new certificate to this computer so that it is available for import.
To import the certificate for the internal interface
- Log on to the Edge Server on which you created the certificate request as a member of the local Administrators group.
- In the Deployment Wizard, next to Step 3: Request, Install, or Assign Certificates, click Run again.
Note: After you run Step 3 the first time, the button changes to Run again, but a green check mark (indicating successful completion of the task) is not displayed until all required certificates have been requested, installed, and assigned.
- On the Available Certificate Tasks page, click Import a certificate from a .P7b, .pfx or .cer file.
- On the Import Certificate page, type the full path and file name of the certificate that you requested and received for the internal interface of this Edge Server (or click Browse to locate and select the file).
- If you are importing a certificate file that contains a private key (for example, when importing the certificate on the other members of the pool), select the Certificate file contains certificate's private key check box, and then specify the password.
- If your deployment includes multiple Edge Servers, export the certificate along with its private key, copy it to the other Edge Servers, and then on each Edge Server repeat this procedure to import it and assign it as described in the next procedure.
To assign the internal certificate on the Edge Servers
- On each Edge Server, in the Deployment Wizard, next to Step 3: Request, Install, or Assign Certificates, click Run again.
- On the Available Certificate Tasks page, click Assign an existing certificate.
- On the Certificate Assignment page, in the drop-down list box, select Edge Internal.
- On the Certificate Store page, select the certificate that you imported for the internal edge (in the previous procedure).
- On the Certificate Assignment Summary page, review your settings, and then click Next to assign the certificates.
- On the wizard completion page, click Finish.
- After using this procedure to assign the internal edge certificate, open the Certificate snap-in on each server, expand Certificates (Local computer), expand Personal, click Certificates, and then verify in the details pane that the internal edge certificate is listed.
- If your deployment includes multiple Edge Servers, repeat this procedure for each Edge Server.
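The three wizard procedures above (create the request, import the issued certificate, assign it) map onto the Request-CsCertificate, Import-CsCertificate and Set-CsCertificate cmdlets of the Lync Server Management Shell. The script below is an added example, not code from the TechNet page or from the product; the organization values, file paths and PFX handling are placeholders, and it assumes that the shell's `Internal` certificate type is the equivalent of the wizard's "Edge Internal" choice. It adds the check a practitioner wants before assignment: that the imported certificate actually carries its private key, and that the assignment reads back correctly, which is the scripted form of the "verify in the details pane" step.

```powershell
# Added example (not from the TechNet page): request, import and assign the
# Edge Internal certificate from the Lync Server Management Shell on the first
# Edge Server. Paths, organization values and the .pfx name are assumed.

$requestFile  = 'C:\cert_internal_edge.cer'          # request file path, as used on the page
$responseFile = 'C:\cert_internal_edge_signed.cer'   # issued certificate returned by the CA (assumed name)
$friendlyName = 'Internal Edge'

# 1. "Prepare the request now, but send it later": an offline request the CA
#    signs out of band. Mark the key exportable only when the same certificate
#    has to be copied to other Edge Servers behind the same load balancer.
Request-CsCertificate -New -Type Internal -Output $requestFile `
    -FriendlyName $friendlyName -KeySize 2048 -PrivateKeyExportable $true `
    -Organization 'Contoso' -OU 'IT' -City 'Redmond' -State 'WA' -Country 'US' `
    -Report 'C:\Logs\Request-CsCertificate-Internal.html'

# 2. Submit $requestFile to the Enterprise CA, save the response as
#    $responseFile on this server, then import it into the computer store.
Import-CsCertificate -Path $responseFile -PrivateKeyExportable $true

# 3. Find the imported certificate in LocalMachine\Personal and confirm the
#    private key was bound to it; assigning a key-less certificate fails later
#    in a far less obvious way than it does here.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with friendly name '$friendlyName' in LocalMachine\My; the import did not succeed"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; request and import must run on the same server"
}

# 4. Assign it to the internal edge interface and read the assignment back.
Set-CsCertificate -Type Internal -Thumbprint $cert.Thumbprint
Get-CsCertificate -Type Internal | Format-List Use, Subject, Thumbprint, NotAfter

# 5. Other Edge Servers at this site: export with the private key, copy the
#    .pfx over, then import and assign it there (Export-PfxCertificate is not
#    available on Windows Server 2008 R2, so the .NET export is used).
$pfxPath     = 'C:\cert_internal_edge.pfx'
$pfxPassword = Read-Host -Prompt 'Password to protect the exported .pfx' -AsSecureString
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$pfxBytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plain)
[IO.File]::WriteAllBytes($pfxPath, $pfxBytes)
Write-Host "Exported $pfxPath; delete it from every server once the import is done."

# On each remaining Edge Server, in the same shell:
#   Import-CsCertificate -Path 'C:\cert_internal_edge.pfx' -Password '<pfx password>' -PrivateKeyExportable $true
#   Set-CsCertificate -Type Internal -Thumbprint '<thumbprint printed in step 4>'
```

Step 2 cannot be scripted end to end because the CA response arrives out of band; run the script in two halves around it. The Get-CsCertificate call in step 4 is the scripted equivalent of opening the Personal store in the MMC, with the advantage that it shows which certificate the Edge role will actually present rather than every certificate in the store.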