External Live meetings want our internal CA cert? RRS feed

  • Question

  • We are having an issue where external live meeting attempts are failing from certificate issues. Meetings can be accessed if we import our internal CA certificate into trusted root auth container of our remote test PC. We are using externally issued certificates on the access edge external and web conferencing external interfaces so we are not sure why the internal cert is needed.

    sip domain: company.local
    external FQDN: meetings.company.com

    internal edge interface: Internally issued certificate from our enterprise CA using edge servers FQDN
    access edge external interface: Godaddy issued certificate to sip.company.com
    web conferencing external interface: Godaddy issued certificate to webconf.company.com

    the error recieved when joining a meeting from an external PC is 'an error occured verifying the server's certificate. For more information, please contact the server administrator.' If we import our internal CA chain into the PC it works fine, but we need this to work for anonymous external users. Thank you in advance for any ideas.

    Monday, May 4, 2009 3:24 PM

All replies

  • Yes, you need to use Public Certificates instead of Internal Certs
    This is a support page for all officially supported Public Certificate Vendors
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Monday, May 4, 2009 8:55 PM
  • Hi,

    we have a similar issue.

    We are hosting several domains.

    Our external certificates on the Edge (Access,Web,A/v) are issued by GoDaddy.
    (sip.ourprimarydomain.com, meeting.ourprimarydomain.com, av.ourprimarydomain.com)

    Livemeeting access from external is possible for every user that has an account on our OCS server.

    Anonymous users can access LM planned by users with a sip address from our primary domain (user@ourprimarydomain.com)

    If a meeting with anonymous is planned from another domains user that is hosted by us it will fail (user@otherdomain.com)
    (workaround: the anonymous user has to enter sip.ourprimarydomain.com as external server in the LM console)

    As we are hosting several customers and we have a 3rd party cert we are unable to add every domain as SAN entry to our external certs.
    But we made all the necessary entries in our external DNS (sip.otherdomain.com, _sipinternaltls._tcp.otherdomain.com, etc)

    Does anyone of you have a clue how to configure this correclty without the need for the anonymous user to configure anything?
    Tuesday, May 5, 2009 8:02 AM
  • Deli, thank you for the reply. We are using externally assigned certs from godaddy on our external interface services. When an external live meeting user attempts to connect though they require our internal root ca chain installed or the meeting will not work. Event viewer logs show that Livemeeting cannot connect to our front end server due to not trusting the certificate. 

    It is our understanding that the front end server does not require an externally issued certificate. And that the edge servers public certificate will create the trust with the live meeting client and then create a trust to the front end server using the internal certificates.  
    Wednesday, May 6, 2009 1:10 PM
  • GoDaddy is not on the list of supported certificate vendors. 

    DigiCert certificates work without issue. 

    I see many posts about GoDaddy certs & troubles, it's not worth the hassle to save a little money.
    Wednesday, May 6, 2009 1:16 PM
  • Your understanding about internal vs external certificates is correct.
    But you must make sure that your External cert is trusted by everyone, its safer to have one on the supported list
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Sunday, May 10, 2009 8:08 PM