Configuring Certificates for Servers

Using Transport Layer Security (TLS) or mutual TLS (MTLS) requires a certificate to be used for authentication of inbound connections to the Front End Server and for some outbound connections from the Front End Server. The certificate that you select from the list is provided by the server in response to authentication challenges from clients or servers that send messages to this server.

If your deployment is a Standard Edition server or an Enterprise pool in the consolidated configuration, the certificate configuration applies to all pool server roles collocated on the computer, including the Web Conferencing and, if deployed, the A/V Conferencing. If your deployment is an Enterprise pool in an expanded configuration, you must configure the certificate for the Web Conferencing Server and A/V Conferencing Server individually. For details about configuring the certificate for those individual servers, see Configuring Certificates for Web Conferencing Serversand Configuring Certificates for A/V Conferencing Servers.

The appropriate certificates are usually set up using the Certificate Wizard during deployment. If you want to change the certificate, you can do either of the following:

You can use the Certificate Wizard to guide you through the process of requesting and assigning certificates to various Office Communications Server 2007 R2 server roles. (You can launch the Certificate Wizard from the Available taskspane in Office Communications Server 2007 R2 snap-in and in Computer Management for Standard Edition servers. You can also access it from the Office Communications Server 2007 R2 installation media).
If you want to assign a different certificate on an individual server, view a certificate, or delete a certificate, you can open the individual server's properties and configure the certificate by using the Certificatetab. The procedures in this section describe how to use the Certificatetab.

Any modifications you make are only applied to future connections—existing connections continue to use the old certificate as long as the connection continues.

Note:
If the default certificate does not have the name of the local server, clicking the Certificatetab of the properties sheet for the Front End Server generates a warning stating that making any changes to the certificate may mean that other clients or servers will be unable to connect to this server.

To view the certificate used for the Standard Edition server or Front End Server in an Enterprise pool

Open the Office Communications Server 2007 R2 snap-in.
In the console tree, expand the forest node, and then do one of the following:
- For an Enterprise pool, expand Enterprise pools, expand the pool, expand Front Ends, right-click the Front End Server that you want to configure, click Properties, and then click Front End Properties.
- For a Standard Edition server, expand Standard Edition servers, expand the pool, right-click the server, click Properties, and then click Front End Properties.
On the Certificatetab, click Select certificate.
In the Select Certificatedialog box, in the list of certificates, click the certificate you want to view, and then click View Certificate.
In the Certificatedialog box, do the following:
- On the Generaltab, view the certificate name, to whom it is issued, who issued it, how long it is valid, and whether you have a privacy key corresponding to the certificate.
- On the Detailstab, view the certificate fields and their values, including the fields for any or all of the following: version 1 fields, extensions, critical extensions, and properties.
- On the Certification Pathtab, view the certification path and certificate status.

To change the certificate used for the Standard Edition server or Front End Server in an Enterprise pool

Open the Office Communications Server 2007 R2 snap-in.
In the console tree, expand the forest node, and then do one of the following:
- For an Enterprise pool, expand Enterprise pools, expand the pool, expand Front Ends, right-click the Front End Server that you want to configure, click Properties, and then click Front End Properties.
- For a Standard Edition server, expand Standard Edition servers, expand the pool, right-click the server, click Properties, and then click Front End Properties.
On the Certificatetab, click Select certificate.
In the Select Certificatedialog box, in the list of certificates, click the certificate you want to use, click OK, and then click Yesto confirm.
If the subject name or any other setting on the new certificate other than the expiration date is different from the corresponding setting on the expiring certificate, restart the following Front End services: the Front End service, the IM Conferencing service, the Telephony Conferencing service, the Web Conferencing service, and the Audio/Video Conferencing service (if the Web Conferencing Server and A/V Conferencing Server are collocated on the Front End Server computer).

To delete the certificate used for the Standard Edition server or Front End Server in an Enterprise pool

Open the Office Communications Server 2007 R2 snap-in.
In the console tree, expand the forest node, and then do one of the following:
- For an Enterprise pool, expand Enterprise pools, expand the pool, expand Front Ends, right-click the Front End Server that you want to configure, click Properties, and then click Front End Properties.
- For a Standard Edition server, expand Standard Edition servers, expand the pool, right-click the server, click Properties, and then click Front End Properties.
On the Certificatetab, click Delete certificate, and then click OK. This causes the certificate to no longer be assigned to the server for TLS or MTLS, but the certificate is not deleted from the computer.
Restart the following Front End services: Front End service, IM Conferencing service, Telephony Conferencing service, Web Conferencing service, and Audio/Video Conferencing service (if the Web Conferencing Server and A/V Conferencing Server are collocated on the Front End Server computer).