Topic Last Modified: 2010-07-15
Microsoft Communications Server 2010 supports the use of a single public certificate for the Access Edge and Web Conferencing Edge external interfaces and the A/V Authentication Edge internal interface. The remaining interface, the Edge internal interface, can use either a private certificate issued by an internal CA or a public certificate.
Requirements for the public certificate used for the access and web conferencing Edge external interfaces, and the A/V authentication Edge internal interface, are:
- The certificate must be issued by an approved public certificate authority (CA) that supports Subject Alternate Names (SANs). For details, see http://support.microsoft.com/kb/929395.
- If the certificate will be used on an Edge pool, it must be created as exportable, with the same certificate used on each Edge server in the Edge pool.
- The subject name of the certificate is the access Edge external interface FQDN or hardware load balancer VIP (for example, access.contoso.com).
- The subject alternate name (SAN) list contains the FQDNs of:
  - The access Edge external interface or hardware load balancer VIP (for example, access.contoso.com)
    Note: Even though the certificate subject name is equal to the access Edge FQDN, the SAN must also contain the access Edge FQDN because TLS ignores the subject name and uses the SAN entries for validation.
  - The web conferencing Edge external interface or hardware load balancer VIP (for example, webcon.contoso.com)
  - If using client auto-configuration, also include any SIP domain FQDNs used within your company (for example, sip.contoso.com, sip.fabrikam.com)
    Note: The order of the FQDNs in the Subject Alternate Names list does not matter.
If you are deploying multiple, load-balanced Edge Servers at a site, the A/V authentication certificate that is installed on each Edge Server must be from the same CA and must use the same private key. This means that the certificate must be exportable, if it is to be used on more than one Edge Server. It must also be exportable if you request the certificate from any computer other than the Edge Server.
Requirements for the private (or public) certificate used for the Edge internal interface are:
- The certificate can be issued by an internal CA or an approved public certificate authority (CA).
- If the certificate will be used on an Edge pool, it must be created as exportable, with the same certificate used on each Edge server in the Edge pool.
- The subject name of the certificate is the Edge internal interface FQDN or hardware load balancer VIP (for example, csedge.contoso.com).
- No subject alternate name list is required.
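A checker for the two requirement lists above, added here as an example and not part of the original documentation. It assumes the certificate dict layout that Python's standard-library ssl.SSLSocket.getpeercert() returns, and the two sample certificates are constructed.

```python
# Certificates use the dict layout returned by Python's stdlib ssl.SSLSocket.getpeercert(),
# so a live certificate can be fed straight in. The sample certificates below are
# constructed, not real; the hostnames are the page's own contoso.com examples.

def san_dns_names(cert):
    """DNS entries from the subjectAltName extension (the extension may be absent)."""
    return {name.lower() for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"}

def subject_cn(cert):
    """commonName from the subject, or None if there is none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None

def check_external_edge_cert(cert, access_fqdn, webconf_fqdn, sip_domains=()):
    """Return the problems found; an empty list means the certificate meets the
    requirements for the external interfaces and the A/V authentication interface."""
    problems = []
    if subject_cn(cert) != access_fqdn.lower():
        problems.append(f"subject name must be {access_fqdn}")
    sans = san_dns_names(cert)
    # TLS clients validate against the SAN list, not the subject name, so the
    # access Edge FQDN must appear here even though it is already the CN.
    required = {access_fqdn, webconf_fqdn, *sip_domains}
    for fqdn in sorted(required):
        if fqdn.lower() not in sans:
            problems.append(f"SAN list is missing {fqdn}")
    return problems

def check_internal_edge_cert(cert, internal_fqdn):
    """Edge internal interface: only the subject name matters; no SAN list is required."""
    if subject_cn(cert) != internal_fqdn.lower():
        return [f"subject name must be {internal_fqdn}"]
    return []

# Constructed sample: CN is right, but the access Edge FQDN was left out of the SAN list.
CN_ONLY_CERT = {
    "subject": ((("commonName", "access.contoso.com"),),),
    "subjectAltName": (("DNS", "webcon.contoso.com"), ("DNS", "sip.contoso.com")),
}
# Constructed sample that satisfies every requirement in the list above.
GOOD_CERT = {
    "subject": ((("commonName", "access.contoso.com"),),),
    "subjectAltName": (("DNS", "access.contoso.com"), ("DNS", "webcon.contoso.com"),
                       ("DNS", "sip.contoso.com"), ("DNS", "sip.fabrikam.com")),
}
```

Running check_external_edge_cert(CN_ONLY_CERT, "access.contoso.com", "webcon.contoso.com", ["sip.contoso.com", "sip.fabrikam.com"]) reports the missing access Edge and sip.fabrikam.com SAN entries, while GOOD_CERT returns an empty list.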