[This is pre-release documentation and subject to change in future releases. This topic's current status is: Milestone-Ready]

Topic Last Modified: 2010-07-18

Internal servers that are running Microsoft Communications Server 2010 and that require certificates include Standard Edition server, Enterprise Edition Front End Server, A/V Conferencing Server, Mediation Server, and Director. The following tables show the certificate requirements for these servers. You can use the Microsoft Communications Server 2010 certificate wizard to request these certificates.

Although an internal Enterprise certification authority (CA) is recommended for internal servers, you can also use a public CA. For a list of public CAs that provide certificates that comply with the specific requirements for unified communications certificates and have partnered with Microsoft to ensure they work with the Communications Server Certificate Wizard, see Microsoft Knowledge Base article 929395, "Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007," at http://go.microsoft.com/fwlink/?LinkId=140898.

The following tables show certificate requirements by server role for Enterprise pools and Standard Edition servers. All of these are standard web server certificates with a non-exportable private key.

Note that server enhanced key usage (EKU) is automatically configured when you use the certificate wizard to request certificates.

Certificates for Standard Edition Server

Default
  Subject Name/Common Name: FQDN of the server
  Subject Alternate Name: If you have multiple SIP domains and have enabled automatic client configuration, the certificate wizard detects and adds the FQDN of each supported SIP domain. If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need an entry for sip.<sipdomain> for each SIP domain you have.
  Example: SN=SE1.contoso.com; SAN=SE1.contoso.com
    If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, then also SAN=sip.contoso.com; SAN=sip.fabrikam.com
  Comments: On Standard Edition Server, the server FQDN is the same as the pool FQDN. The wizard detects any SIP domains you specified during setup and automatically adds them to the Subject Alternate Name.

Web Internal
  Subject Name/Common Name: FQDN of the server
  Subject Alternate Name: Each of the following:
    • Internal web FQDN (which is the same as the FQDN of the server)
    • Meet Simple URL(s)
    • Dial-in Simple URL
    • Admin Simple URL
  Example: SN=SE1.contoso.com; SAN=SE1.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com
  Comments: The internal web FQDN cannot be overwritten in Topology Builder. If you have multiple Meet simple URLs, you must include all of them as SANs.

Web External
  Subject Name/Common Name: FQDN of the server
  Subject Alternate Name: Each of the following:
    • External web FQDN
    • Dial-in Simple URL
    • Admin Simple URL
  Example: SN=SE1.contoso.com; SAN=WebExt1.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com
  Comments: If you have multiple Meet simple URLs, you must include all of them as SANs.

Certificates for Front End Server in Enterprise Pool

Default
  Subject Name/Common Name: FQDN of the server
  Subject Alternate Name: If you have multiple SIP domains and have enabled automatic client configuration, the certificate wizard detects and adds the FQDN of each supported SIP domain. If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need an entry for sip.<sipdomain> for each SIP domain you have.
  Example: SN=FE1.contoso.com; SAN=FE1.contoso.com
    If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, then also SAN=sip.contoso.com; SAN=sip.fabrikam.com
  Comments: The wizard detects any SIP domains you specified during setup and automatically adds them to the Subject Alternate Name.

Web Internal
  Subject Name/Common Name: FQDN of the server
  Subject Alternate Name: Each of the following:
    • Internal web FQDN (which is the same as the FQDN of the server)
    • Meet Simple URL(s)
    • Dial-in Simple URL
    • Admin Simple URL
  Example: SN=FE1.contoso.com; SAN=FE1.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com
  Comments: The internal web FQDN cannot be overwritten in Topology Builder. If you have multiple Meet simple URLs, you must include all of them as SANs.

Web External
  Subject Name/Common Name: FQDN of the server
  Subject Alternate Name: Each of the following:
    • External web FQDN
    • Dial-in Simple URL
    • Admin Simple URL
  Example: SN=FE1.contoso.com; SAN=WebExt1.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com
  Comments: If you have multiple Meet simple URLs, you must include all of them as SANs.

Certificates for Director

Default
  Subject Name/Common Name: FQDN of the server
  Subject Alternate Name: FQDN of the Director and FQDN of the Director pool. If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need an entry for sip.<sipdomain> for each SIP domain you have.
  Example: SN=DR1.contoso.com; SAN=DR1.contoso.com; SAN=DIRECTORPOOL.contoso.com
    If this Director pool is the auto-logon server for clients and strict DNS matching is required in group policy, then also SAN=sip.contoso.com; SAN=sip.fabrikam.com

Web Internal
  Subject Name/Common Name: FQDN of the server
  Subject Alternate Name: Each of the following:
    • Internal web FQDN (which is the same as the FQDN of the server)
    • Meet Simple URL(s)
    • Dial-in Simple URL
    • Admin Simple URL
  Example: SN=DR1.contoso.com; SAN=DR1.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com

Web External
  Subject Name/Common Name: FQDN of the server
  Subject Alternate Name: Each of the following:
    • External web FQDN
    • Dial-in Simple URL
    • Admin Simple URL
  Example: SN=DR1.contoso.com; SAN=WebExt1.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com

If you have a standalone A/V Conferencing Server pool, each A/V Conferencing Server in it needs the following certificate. (If you collocate A/V Conferencing Server with the Front End Servers, the certificates listed in the "Certificates for Front End Server in Enterprise Pool" table earlier in this topic are sufficient.)

Certificates for Standalone A/V Conferencing Server

Default
  Subject Name/Common Name: FQDN of the pool
  Subject Alternate Name: N/A
  Example: SN=AVPOOL.contoso.com

If you have a standalone Mediation Server pool, each Mediation Server in it needs the following certificate. (If you collocate Mediation Server with the Front End Servers, the certificates listed in the "Certificates for Front End Server in Enterprise Pool" table earlier in this topic are sufficient.)

Certificates for Standalone Mediation Server

Default
  Subject Name/Common Name: FQDN of the pool
  Subject Alternate Name: FQDN of the pool
  Example: SN=MEDPOOL.internal.example.com; SAN=MEDPOOL.internal.example.com

Certificates for Survivable Branch Appliance

Default
  Subject Name/Common Name: FQDN of the appliance
  Subject Alternate Name: sip.<sipdomain> (one entry per SIP domain)
  Example: SN=SBA1.internalexample.com; SAN=sip.contoso.com; SAN=sip.fabrikam.com
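The tables in this topic reduce to a small set of rules about which DNS names each certificate must carry. The following Python script is an added example, not part of this topic and not code from the Communications Server certificate wizard. It encodes those rules for every role and certificate type covered above, compares names case-insensitively (the examples mix case, for instance DIRECTORPOOL.contoso.com), and reports which required names, or the Server Authentication EKU that the wizard sets automatically, an issued certificate lacks. The Topology class, the role and certificate-type strings, and the contoso.com/fabrikam.com values are constructed for this example. Where a bullet list and its SN/SAN example disagree (Meet Simple URLs and the Admin Simple URL on the Web External certificate), the code follows the example; the sip.<sipdomain> entries are added only when the strict-DNS-matching/auto-logon condition applies, as the tables state.

```python
"""Derive required subject/SAN names from the certificate tables and check
an issued certificate against them. Topology values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# id-kp-serverAuth, the "Server Authentication" EKU the certificate wizard sets.
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"


@dataclass
class Topology:
    """Hypothetical summary of a deployment; not a Topology Builder object."""
    server_fqdn: str                   # this server's (or appliance's) FQDN
    pool_fqdn: str                     # pool FQDN (equals server FQDN on Standard Edition)
    sip_domains: List[str]
    meet_urls: List[str]               # host names of the Meet simple URL(s)
    dialin_url: str
    admin_url: str
    external_web_fqdn: str
    strict_dns_auto_logon: bool = False  # auto-logon server + strict DNS matching in group policy


def norm(name: str) -> str:
    """DNS names are case-insensitive; compare lower-cased, without a trailing dot."""
    return name.strip().rstrip(".").lower()


def required_names(role: str, cert_type: str, topo: Topology) -> Tuple[str, Set[str]]:
    """Return (subject name, required SAN set) for a role/certificate pair per the tables."""
    sip_entries = {f"sip.{d}" for d in topo.sip_domains} if topo.strict_dns_auto_logon else set()
    if role in ("StandardEdition", "FrontEnd", "Director"):
        if cert_type == "Default":
            sans = {topo.server_fqdn}
            if role == "Director":
                sans.add(topo.pool_fqdn)  # the Director certificate also carries the pool FQDN
            sans |= sip_entries
        elif cert_type == "WebInternal":
            sans = {topo.server_fqdn, *topo.meet_urls, topo.dialin_url, topo.admin_url}
        elif cert_type == "WebExternal":
            # Follows the SN/SAN examples, which carry the Meet URLs and omit the Admin URL.
            sans = {topo.external_web_fqdn, *topo.meet_urls, topo.dialin_url}
        else:
            raise ValueError(f"unknown certificate type {cert_type!r} for {role}")
        return norm(topo.server_fqdn), {norm(n) for n in sans}
    if cert_type != "Default":
        raise ValueError(f"{role} has only a Default certificate")
    if role == "AVConferencing":
        return norm(topo.pool_fqdn), set()            # SAN column reads N/A
    if role == "Mediation":
        return norm(topo.pool_fqdn), {norm(topo.pool_fqdn)}
    if role == "SurvivableBranchAppliance":
        return norm(topo.server_fqdn), {norm(f"sip.{d}") for d in topo.sip_domains}
    raise ValueError(f"unknown role {role!r}")


def check_certificate(role: str, cert_type: str, topo: Topology,
                      subject: str, sans: List[str], ekus: List[str]) -> Dict[str, object]:
    """Compare an issued certificate's subject CN, dNSName SANs and EKU OIDs with
    the requirement. Returns findings; an empty dict means the certificate is acceptable."""
    want_subject, want_sans = required_names(role, cert_type, topo)
    findings: Dict[str, object] = {}
    if norm(subject) != want_subject:
        findings["subject"] = (norm(subject), want_subject)
    missing = want_sans - {norm(s) for s in sans}
    if missing:
        findings["missing_sans"] = sorted(missing)
    if SERVER_AUTH_EKU not in ekus:
        findings["eku"] = f"missing Server Authentication ({SERVER_AUTH_EKU})"
    return findings


if __name__ == "__main__":
    # Constructed from the topic's contoso.com / fabrikam.com examples.
    se = Topology("SE1.contoso.com", "SE1.contoso.com", ["contoso.com", "fabrikam.com"],
                  ["meet.contoso.com", "meet.fabrikam.com"], "dialin.contoso.com",
                  "admin.contoso.com", "WebExt1.contoso.com", strict_dns_auto_logon=True)
    for cert_type in ("Default", "WebInternal", "WebExternal"):
        print(cert_type, required_names("StandardEdition", cert_type, se))
    # A Default certificate issued without the second SIP domain's sip.* entry.
    print(check_certificate("StandardEdition", "Default", se, "SE1.contoso.com",
                            ["SE1.contoso.com", "sip.contoso.com"], [SERVER_AUTH_EKU]))
```

The subject, SAN list and EKU OIDs to feed into check_certificate can be read from the certificate's properties in the Certificates MMC snap-in or from certutil -dump output; the checker only looks for missing names, so extra SANs (for example ones the wizard added for additional SIP domains) are not reported.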