OCS Certificate Using Custom Cert Template
-
January 23, 2008 21:17
Using an internal 2003 Enterprise CA and custom certificate templates, how can I generate a cert for OCS?
We have a custom template that we generally use for web servers. However, when I try to generate the cert using this custom template (by generating the certificate request with "Prepare now, but send later"), I cannot get it to work. Going to the http://CAhost/certsrv site and selecting "Request a Certificate", then "Submit a certificate request by using a base-64-encoded ...", I paste the certificate request information from the file generated by the OCS wizard. Then, I select our custom certificate template from the dropdown menu, and click to Submit the request.
It generates an error that the request was denied. "Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: WebServer/CustomWebServer"
So, it appears that OCS is hard-coded to use the default WebServer certificate template. How can we use our custom template?
All replies
-
January 24, 2008 13:51 (Moderator)
When requesting a certificate for OCS using an internal 2003 Enterprise CA, you shouldn't be using the CA's certsrv website, but instead need to use the OCS Management Console.
Right-click the server object in the tree and choose the Certificates option which will bring up the OCS Certificate Wizard. The deployment guides cover these steps in detail.
-
January 24, 2008 15:36
We cannot use the wizard either. Using the wizard gives us no way to specify our custom template, and the request fails because it's trying to request the cert using the default WebServer template.
-
February 5, 2008 3:21
OCS is not hard-coded to use the default web server certificate template. It accepts manual requests as well... but there are some requirements which a certificate should meet before it can be used... The certificate should have EKU as Server Authentication, it should have the right subject name, and the root CA should be installed on the local machine.
And yes, request a certificate using the Microsoft RSA SChannel Cryptographic Provider CSP (default)...
If you still have issues, I would appreciate it if you provide details of the template you are using!
Ram K Ojha
MCSE 2003 - Messaging, MCTS- (LCS 2005 & OCS 2007)
http://www.OCSPedia.com
http://www.ITCentrics.com
-
February 13, 2008 18:31
Hello Folks,
I'm having a similar issue as well.
Overall, I am trying to have the OCS Cert Wizard obtain a certificate with Server & Client EKU. However, when I use the Wizard I always receive a certificate generated from the Web Server Template. In my request I also select "Include client EKU in the Cert Request", but to me it seems that since the Web Server Template only has Server Auth EKU, I will not get the Client Auth EKU. Anyone have any documentation or links you can refer me to so I can get the Wizard to build my Server Cert using the Computer template for example? I haven't found anything yet.
Thanks,
Ken
-
February 13, 2008 23:21
Hi,
I experienced and reproduced this error too, in a lot of identical implementations on customer sites. Trying to use a duplicate of the default WEB Server certificate (also a duplicate without any changes) in an enterprise CA (for instance to configure a longer validity time than 2 years) was always denied with the known error message (see above). I don't believe this "it's not hardcoded". The denied request in the certificate authority shows a policy which assumes a certificate based on a template with the name "WEB Server". For me it's a very important issue because of the short default validity of the original WEB Server certificate, which doesn't fit any customer requirement...
Constructive help would be fine ;-)
Thanks, Michael
-
February 27, 2008 2:49
Same issue for me. Somehow requests created by the OCS 2007 cert wizard slip the name "Webserver" into the request, making the request fail if the CA does not have a template for "Webserver" to issue.
On my CA, that default webserver template has been superseded by a duplicate with some properties adjusted and a new name to distinguish it from the old version.
When I use the wizard to directly submit the request to the CA, the following error is logged on the CA:
Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: 2/26/2008
Time: 6:46:55 PM
User: N/A
Computer: <Name of CA Server>
Description:
Certificate Services denied request 16448 because The requested certificate template is not supported by this CA. 0x80094800 (-2146875392). The request was for XXXXXXXXX. Additional information: Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: WebServer.
When I save the request, then submit it through the web interface of the CA selecting the MTLS template (a template I set up based on the instructions I followed while installing LCS 2005, which has Server Authentication AND Client Authentication), the following error appears:
Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: 2/26/2008
Time: 6:50:56 PM
User: N/A
Computer: <Name of CA Server>
Description:
Certificate Services denied request 16449 because The requested certificate template is not supported by this CA. 0x80094800 (-2146875392). The request was for XXXXXXXX. Additional information: Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: WebServer/MTLS.
I'll probably just have to go and *NOT* use the wizard and use my MTLS template with a proper set of SANs to create the cert.
Andre.
-
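The two Event ID 53 descriptions above carry everything needed to see why the CA said no: the request number, the policy module HRESULT, and the template name(s) the CA saw, where a slash separates the template embedded in the request from the template chosen at submission (as the "WebServer/MTLS" case shows). The parser below is an added example, not part of this thread or of any Microsoft tool; it runs over constructed copies of the thread's own messages and also recognizes the 0x80094802 "conflicting certificate templates" variant. The symbolic error names are the winerror.h names for those HRESULTs.

```python
import re

# Constructed sample input: the CertSvc Event ID 53 descriptions quoted in the thread,
# plus the conflict variant. Request numbers and template names are the thread's own.
SAMPLE_EVENTS = [
    "Certificate Services denied request 16448 because The requested certificate template "
    "is not supported by this CA. 0x80094800 (-2146875392). The request was for XXXXXXXXX. "
    "Additional information: Denied by Policy Module 0x80094800, The request was for a "
    "certificate template that is not supported by the Certificate Services policy: WebServer.",
    "Certificate Services denied request 16449 because The requested certificate template "
    "is not supported by this CA. 0x80094800 (-2146875392). The request was for XXXXXXXX. "
    "Additional information: Denied by Policy Module 0x80094800, The request was for a "
    "certificate template that is not supported by the Certificate Services policy: WebServer/MTLS.",
    "Denied by policy module 0x80094802. The request specifies conflicting certificate "
    "templates: WebServer/WebServerPlusClientAuthentication.",
]

# Policy module HRESULTs seen in the thread, with their winerror.h names.
POLICY_ERRORS = {
    0x80094800: "CERTSRV_E_UNSUPPORTED_CERT_TYPE",
    0x80094802: "CERTSRV_E_TEMPLATE_CONFLICT",
}

_REQ_ID = re.compile(r"denied request (\d+)", re.IGNORECASE)
_HRESULT = re.compile(r"0x([0-9A-Fa-f]{8})")
# The template name(s) are the last ':'-delimited token, e.g. "WebServer" or "WebServer/MTLS".
_TEMPLATES = re.compile(r":\s*([\w/]+)\.?\s*$")


def parse_denial(text):
    """Split one CertSvc denial description into its fields; None if no HRESULT is present."""
    hresults = _HRESULT.findall(text)
    if not hresults:
        return None
    hresult = int(hresults[-1], 16)
    req = _REQ_ID.search(text)
    tpl = _TEMPLATES.search(text)
    names = tpl.group(1).split("/") if tpl else []
    return {
        "request_id": int(req.group(1)) if req else None,
        "hresult": hresult,
        "error": POLICY_ERRORS.get(hresult, "unknown policy module error"),
        "request_template": names[0] if names else None,
        "submitted_template": names[1] if len(names) > 1 else None,
    }


def explain(record):
    """Turn a parsed denial into the root cause the thread worked out by hand."""
    a, b = record["request_template"], record["submitted_template"]
    if record["hresult"] == 0x80094802:
        return (f"request embeds template '{a}' but '{b}' was selected at submission; "
                f"make the two agree (let the template supply the EKU instead of adding it to the request)")
    if record["hresult"] == 0x80094800 and b is None:
        return f"CA has no enabled template named '{a}'; the wizard-built request asks for it by name"
    if record["hresult"] == 0x80094800:
        return (f"'{a}' is named inside the request while '{b}' was selected; "
                f"the CA has no template '{a}' to satisfy the embedded name")
    return "unrecognized denial"


def triage(events):
    """Parse and explain a batch of event descriptions, skipping non-denials."""
    out = []
    for text in events:
        rec = parse_denial(text)
        if rec is not None:
            out.append((rec["request_id"], rec["error"], explain(rec)))
    return out


if __name__ == "__main__":
    for req_id, err, why in triage(SAMPLE_EVENTS):
        print(req_id, err, "->", why)
```

Run over the constructed events it reports request 16448 as "no enabled template named 'WebServer'", request 16449 as the embedded-versus-selected mismatch, and the third as the conflict case, which is exactly the distinction the rest of the thread spends several posts establishing.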
February 27, 2008 14:21
We're having the same issue with our implementation, not sure how to get around it.
One thing worth noting, in the OCS Deployment Wizard under Step 3 > Configure Certificate > Help it is noted:
Note: Certificates for Office Communications Servers must be created using a Web Server certificate template. Certificates created using custom certificate templates are not supported.
So not really sure if there is a way around using the default Web Server template.
-
February 27, 2008 14:34
If the product team could just do one thing: properly describe the exact requirements of the certificate so that those who know what they're doing have a way to work around any limitations of the "wizards". (It's like they have gotten so many support calls from people with certificate issues that they are now frantically trying to hide what really needs to be done in wizards that don't always work.)
I am sure that with the correct combination of Key Usage, CN and SANs you can create a cert that works.
While putting things in the suggestion box: OCS install also seems to "claim" / assume it can do what it chooses to the Default Web Site.
-
February 28, 2008 18:09
I believe the cert requirements, unless they have changed since this was published on TechNet, are listed at:
http://technet.microsoft.com/en-us/library/bb663572.aspx
<snip>
Table 4: MTLS Certificate Configuration Requirements
Certificate Field: Value
Version: 3
Template: Duplicated Web Server
EKU: Server Authentication (1.3.6.1.5.5.7.3.1)
Private Key: Enabled for Export
Key Usage: Digital Signature, Key Encipherment (a0)
</snip>
Even though the documentation is specifically for CWA, I believe these are the cert requirements for OCS 2007 as well.
Unless support requirements have changed, you are not required to use the cert wizard. I believe you can use the CA Web enrollment feature for the internal Windows Server 2003 Enterprise CA, subject to security best practices.
-
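Table 4 states the requirements in CA-template terms, but what actually lands in the issued certificate is a KeyUsage BIT STRING whose first byte is a0 and an ExtendedKeyUsage SEQUENCE of OIDs. The code below is an added example, not from the thread or from Microsoft documentation: a minimal DER decoder for those two extension values plus a check against Table 4, with an optional Client Authentication requirement for the AES / MTLS scenarios discussed in the thread. The DER byte strings are constructed here; the "version" argument is the displayed certificate version (3), not the raw X.509 integer.

```python
# OIDs: Server Authentication is from Table 4; Client Authentication is its RFC 5280 sibling.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# RFC 5280 KeyUsage bit names in bit order (bit 0 is the MSB of the first byte).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

# Constructed DER extension values (the bytes a CA would place in the certificate):
KU_A0_DER = bytes.fromhex("030205a0")                      # BIT STRING, 5 unused bits, value a0
EKU_SERVER_DER = bytes.fromhex("300a06082b06010505070301")  # SEQUENCE { serverAuth }
EKU_BOTH_DER = bytes.fromhex(                               # SEQUENCE { serverAuth, clientAuth }
    "301406082b0601050507030106082b06010505070302")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value bytes, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    parts = [str(body[0] // 40), str(body[0] % 40)]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def decode_key_usage(der):
    """Return the KeyUsage bit names set in a DER BIT STRING, e.g. a0 -> two names."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    bits = body[1:]                        # body[0] is the unused-bits count
    names = []
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)
        if byte < len(bits) and bits[byte] & (0x80 >> bit):
            names.append(name)
    return names


def decode_eku(der):
    """Return the dotted OIDs in a DER ExtendedKeyUsage SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, oid_body, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def check_mtls_requirements(version, key_usage_der, eku_der, private_key_exportable,
                            want_client_auth=False):
    """Compare a certificate's properties with Table 4; return the list of shortfalls."""
    problems = []
    if version != 3:
        problems.append(f"version is {version}, Table 4 requires 3")
    ku = decode_key_usage(key_usage_der)
    for needed in ("digitalSignature", "keyEncipherment"):
        if needed not in ku:
            problems.append(f"Key Usage lacks {needed}")
    eku = decode_eku(eku_der)
    if SERVER_AUTH not in eku:
        problems.append("EKU lacks Server Authentication")
    if want_client_auth and CLIENT_AUTH not in eku:
        problems.append("EKU lacks Client Authentication (needed for MTLS peers such as AES)")
    if not private_key_exportable:
        problems.append("private key is not exportable")
    return problems


if __name__ == "__main__":
    print(decode_key_usage(KU_A0_DER), decode_eku(EKU_BOTH_DER))
    print(check_mtls_requirements(3, KU_A0_DER, EKU_SERVER_DER, True, want_client_auth=True))
```

Running it shows that the a0 byte in Table 4 is exactly digitalSignature plus keyEncipherment, and that a plain Web Server template certificate passes Table 4 but fails as soon as Client Authentication is also required, which is the gap the AES and MTLS posts keep running into.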
April 9, 2008 14:57
For the integration with Avaya AES (Remote Call Control middleware server) to work, both your OCS server and the AES server need a new certificate that supports both server authentication and client authentication. In the default certificate templates' list, there is NO template that supports both server authentication and client authentication. So you need to create (in fact, duplicate from the existing Web Server template) a new modified template. Into this template, you add the client authentication. After it, on the CA's MMC console, you "activate" this new template. After that, you should be able to issue certificates based on this new template.
Note 1: to "activate" this new template, you have to have the Windows Server 2003 Enterprise edition SKU running on the CA computer. Windows Server 2003 Standard edition cannot issue certificates based on this modified template. (Don't be confused, as the Win 2003 Standard edition is still an Enterprise-type CA (which means it is AD integrated; only AD-integrated CAs use certificate templates). Beware that even with a Standard edition Windows CA, the first step (duplicating the template) succeeds, but after that you won't see the new template when you try to activate it.)
I am facing the issue that I cannot see other certificate templates on the web page of the CA, only User and EFS. Not even the default Web Server template (and of course not the newly created template). How can I make them available / visible on the Advanced Certificate Request page? As I can remember, earlier it was a problem when I didn't log in with a Domain Admin user, but in this case I am definitely logged in with the Domain Admin account.
-
April 10, 2008 11:36
I have to correct myself, it WAS an authentication issue: the IIS setting for the /certsrv folder was wrong, it contained only anonymous access, not Windows integrated. Having only Windows integrated authentication, the webpage asks for credentials when connecting to the /certsrv webpage, and after Domain Admin credentials are provided, all the missing templates are available.
Now I am facing the next issue (you mustn't say "I fixed the issue" until you have really finished the task):
I sent the request in a .TXT file, but the request is rejected with the following error: Denied by policy module 0x80094802. The request specifies conflicting certificate templates: WebServer/WebServerPlusClientAuthentication.
Now I simply cannot imagine what kind of additional problems may arise during this next-next-finish style simple task...
Update: was fixed by not checking "also include client EKU in the request" -> the modified template itself put the client EKU into the cert, and everything is fine.
-
August 8, 2008 14:39
Richard,
I'm having the exact same issue with my certificate request being denied by the policy error...
The only difference is, I'm using the '.REQ' file format when submitting it to the CA using CertREQ.exe or even manually importing the .REQ file within the Certificate Authority console.
If I have any updates I'll follow-up with a post.
Good luck - Let me know if you find out why it's being denied.
BTW, is your certificate template 'subject name' automatically generated or manually entered?
I imagine it's manual considering you're using the CertSRV site.
Thanks!
-Matt
-
August 8, 2008 14:49
Hi,
I have already updated my previous post: my solution was to NOT check the "include client EKU in the request" option, as the template put that EKU in automatically during the 2nd step (cert enroll webpage).
-
August 20, 2008 20:07
Hi Everyone,
I am working with my AES to CM to OCS implementation right now! I am trying to import the certificate I created in my CA into AES and keep getting this error:
"PKCS#12 file creation failed. Chain of trust not found." Any thoughts?
-
October 21, 2008 20:15
When you submitted the request you needed to alter the header and trailer to read BEGIN PKCS7 and END PKCS7. If you have a PKCS12 cert you need to convert it using openssl.
'openssl pkcs12 -clcerts -nokeys -in <file>.p12 -out <newname>.pem'
I am also hearing that you need to uncheck "Establish Chain of Trust" although I first loaded the trust chain and had no problems loading a cert with this checked.
-
November 20, 2008 21:49
Hey,
I got my cert to import; the issue was getting the client and server certificate.
Thanks
-
March 17, 2009 11:00
I had this same issue and I think I solved it. There are two problems (I think) regarding OCS and custom certificate templates (or non-Windows CA Webserver certificates):
1) One problem has to do with how the wizards generate the request: they always look for the "Webserver" template (this is expected; what other way could they make your life easier if they don't look for a particular template? If they asked you for the template, 90% of the time users would not know what to answer, defeating the purpose of wizards :). This applies to the option "Create a new certificate" as well as the option "Process an offline certificate and import the certificate" (PKCS #7 file creation).
2) The other problem (a BUG in my opinion) is that when we select the third option, "Assign an existing certificate", the wizard grabs the Personal store for the Local Computer and FILTERS THE CERTIFICATES BY THE TEMPLATE. So only certificates with Webserver as the template are eligible.
So the only way to select a non-Webserver template created certificate for OCS is to:
1) Export the certificate from wherever you have it (remember to select export private key ;) to a file (for example a .pfx file).
2) Select the option "Import a certificate from a .pfx file" in the wizard.
Finish the wizard and you will have it. I hope it works for you too.
Regards,
daniel
Proposed as answer by Daniel, March 17, 2009 11:00