Sunday, April 26, 2009

OCS 2007 R2 Edge Certificate Wizard gotcha

During a recent customer deployment of OCS 2007 R2, we came across a small issue that might be relevant for some of you.

We were using the OCS 2007 R2 Edge Server setup wizard to request certificates for the external interfaces. This particular customer uses GoDaddy for their certificates. We created an offline request and pasted the CSR into GoDaddy's request interface - and were promptly told that the CSR was not valid.

What we discovered was this: The customer's OCS R2 Edge server was running Windows Server 2008. When we created the certificate request using the setup wizard, the -----BEGIN CERTIFICATE REQUEST----- header and -----END CERTIFICATE REQUEST----- trailers were not inserted into the file. This was what threw the error when we pasted the CSR into GoDaddy's interface.

To solve this and be able to get our certificate from GoDaddy, we simply pasted correctly formatted header and trailer lines into the CSR, which was then accepted as a proper CSR file.

If OCS R2 Edge is deployed on Windows Server 2003 R2, the certificate request header and trailer is inserted into the request file generated by the setup wizard, so the issue looks to be specific to deployments on Windows Server 2008.

It is worth noting that if you use IIS on Windows Server 2008 to create an SSL certificate request, the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines are included in the generated CSR file - so "normal" IIS certificate requests created on Windows Server 2008 are not affected.

4 comments:

Unknown said...

Hi Dennis, i'm gianluca from italy. I had purchased a godaddy UCC (they said for 5 domain) for about 80 € , but we have no chance to create 5 different cert with 5 different SN (and not SAN). shall we purchase 5 different certificate ?

Unknown said...

Hi Gianluca,

You buy one certificate with 5 names, not five certificates with five names.

/Dennis

Joachim Farla said...

Good article. We had the same issues. Other thing is that GoDaddy can't certify the S/N with *.local or not internet domains. The interface is not blocking you.

Josh Lynch said...

What about for a simple 1 server Enterprise Setup for internal im and conferencing? Can I just setup a normal (non-ucc) cert through godaddy?

I thought you could.

It seems like its not recognizing my sip.domain.com in the cert.
In communicator, when trying to sign on, it says ""There was a problem verifying the certificate from the server."

When I created the cert request in MOCS 2k7 r2, it asks for the name which I put the FQDN of the ent. pool. poolname.domain.com

but for the Alternate name for SIP, i put our sip.domain.com.

I see others on the net getting it to work with a cheap 29.99 normal ssl cert through godaddy. IF I can get it working, is there room for growth with this cert?

And then in event log, i get this:
Event Type: Error
Event Source: Communicator
Event Category: None
Event ID: 4
Date: 7/1/2009
Time: 10:12:58 AM
User: N/A
Computer: CET-CTX-062
Description:
Communicator could not connect securely to server sip.cetrom.net because the certificate presented by the server did not match the expected hostname (sip.cetrom.net).

Resolution:
If you are using manual configuration with an IP address or a NetBIOS shortened server name, a fully-qualified server name will be required. If you are using automatic configuration, the network administrator will need to make sure that the published server name in DNS is supported by the server certificate.