Unable to Create Certificates on the Edge Server

  • Question

  • I have configured an edge server in a single server topology. The install, setup, and activate all completed with no errors. I am now at the point of creating the certificates that the edge server will be using for the internal and external connections. Every time I use the certificate wizard on the edge server it fails. The same is true if I try to create new certificates or use existing certificates.

    Is there a manual procedure for creating the certificates needed for the edge server?

    Regards,

    Eugene

    Wednesday, March 28, 2007 11:34 PM

Answers

  • That is bizarre (technical term)... I am not sure an un-install is required, but if you have the time... Don't forget that the wizards are only there to make things easier; if you understand the certificate process and can make the certificate using an offline request file, try using the 2005sp1 SDK tool and making the request using it. You would then need to launch the computer management and manually add the certificates using the property pages found there (of course after the certificates are installed in the local computer certificate store).
    Thursday, March 29, 2007 10:43 PM

All replies

  • You could use the old certreq tool from the LCS 2005 sp1 resource kit - when you say the wizard fails, does the application actually bomb-out? What errors are you seeing?
    Thursday, March 29, 2007 7:10 PM
  • Brian,

    Once again thanks for your reply. It does not bomb out, but allows the wizard to complete but indicates that it has failed. I am not able to locate any log files which I can review. I am thinking that it might be a permissions issue, but I could be wrong. Your help is appreciated.

    Regards,

    Eugene

    Thursday, March 29, 2007 8:29 PM
  • Hi Eugene - the certificate wizard is a helpful tool but definitely not a requirement. I would guess from what you have said that you have selected to request the certificate immediately and the system is unable to communicate (access, restrictions, LAN, etc.) with the cert store. Assuming you are creating the certificates for an internal PKI, you can always run the wizard and select to perform the request offline. That will create a cer file which you would then be able to import into your certificate store.
    Thursday, March 29, 2007 8:44 PM
  • Brian - You are correct in regards to attempting to have the system respond with the certificate immediately, however even when I try to create a certificate for an offline request I have the same issue. Just to make sure that I have not missed anything I am going to remove and reinstall the edge server. Partly because I have tried so many things that I would like to start fresh. Please let me know if you have any thoughts.

     

    Thanks,

    Eugene

    Thursday, March 29, 2007 9:51 PM
  • Brian - I am actually having the same problem if I attempt to do an offline request as well. At this point I have tried so many things that I am going to take a couple of steps back and remove and reinstall the edge server. Please let me know if you have any thoughts.

     

    Thanks,

    Eugene

    Thursday, March 29, 2007 9:53 PM
  • Brian,

    I went ahead and did the uninstall. After all it is just an edge server and did not take all that long. Although it is the edge server that is holding things up for me at this point. I tried several things to get a valid certificate in the system but was not having any success. I have now tried to use the 2005SP1 Cert Utility and have created a key that I expected to work fine. However, after importing the key to the local computer, making sure that the CA is in the root trust and I have selected the certificate manually under computer management I get the following error:

    Office Communications Server snap-in can not save some or all of the settings.

    It appears that if I change anything I can apply/save the settings, however if I do anything with any of the four features that I can apply a certificate to I am not able to apply/save the settings.

    I seem to recall having a similar issue with LCS 2005 SP1 but do not recall the solution. It could possibly have something to do with the FQDN that I am using either internal or external, and the Subject Names in the certificate. I have the internal FQDN set to the pool name of the Office Communications Server, and the External set to sip.<domain>.com.

    Can you tell me or are you aware of any dependencies that may exist that would cause the issue that I am seeing?

    Once again thanks for your help.

    Eugene

    Friday, March 30, 2007 3:31 AM
  • When you associate the certificate, does it accept it ok? Are there any warnings regarding the name? On the edge server, there is no pool name per se. However, the internal name should be a resolvable DNS name while the external should be the actual computer FQDN and set in DNS as such. So if you want your external name to be sip.domain.com your computer name is best set to sip.domain.com as well (set in the computer properties).

     

    The exact issue I have not seen personally - do you have any event logs recorded at any time?

    Monday, April 2, 2007 6:16 PM
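The two pieces of advice in this thread, making the request offline instead of through the wizard and getting the internal and external names right, as an added example that is not part of the original posts. It uses the Windows certreq.exe that ships with the OS (not the LCS 2005 SP1 resource-kit tool Brian mentions) and assumes the names sip.domain.com (external, also the computer FQDN) and internalsip.domain.com (internal); the check at the end covers the failure modes discussed above: a certificate without its private key, an issuing CA that is not in the machine Root store, and a certificate missing one of the two names.

```powershell
# Added example, not from the thread: offline PKCS#10 request for the edge server
# via certreq.exe, then a check that the issued certificate is usable. Assumed names:
# sip.domain.com (external / computer FQDN), internalsip.domain.com (internal).
# DnsNameList needs Windows PowerShell 3.0 or later.
$externalFqdn = 'sip.domain.com'
$internalFqdn = 'internalsip.domain.com'
# Key stays in the machine store (MachineKeySet), Server Authentication EKU,
# and both names as Subject Alternative Names so either role can use the cert.
$inf = @"
[NewRequest]
Subject = "CN=$externalFqdn"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$externalFqdn&"
_continue_ = "dns=$internalFqdn"
"@
Set-Content -Path .\edge.inf -Value $inf -Encoding ASCII
certreq.exe -new .\edge.inf .\edge.req     # hand edge.req to the CA offline
# After the CA returns edge.cer, install it so it is joined to the private key:
#   certreq.exe -accept .\edge.cer
function Test-EdgeCertificate {
    param([string[]]$RequiredNames)
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $names   = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $missing = @($RequiredNames | Where-Object { $names -notcontains $_ })
        $trusted = $cert.Verify()   # builds the chain against LocalMachine\Root
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey   # a bare .cer import has no key
            ChainTrusted  = $trusted
            MissingNames  = ($missing -join ', ')
            Usable        = ($cert.HasPrivateKey -and $trusted -and $missing.Count -eq 0)
        }
    }
}
Test-EdgeCertificate -RequiredNames $externalFqdn, $internalFqdn | Format-Table -AutoSize
```

Run it in an elevated prompt on the edge server; a row with Usable set to True is the certificate to select in the snap-in's property pages.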
  • I apologize for my absence as we have several projects going on at the same time.

    I have overcome the accepting of the certificates on the edge server and am now working on the validation of the services on the edge server and the OCS server. I have some failures that I am currently working through.

    I know that this is not a solution but in order to correct the issue I was having I wiped the server and installed it clean. It appears that it may be something that I did in the process of getting it to work that was causing the issue.

    In regards to the naming of the system I just want to make sure that I am on the right track as this seems to be very trivial. I have the computer name set to server with a FQDN of server.domain.com where domain.com is my domain name. I have a DNS server that forwards DNS requests that has a record of server.domain.com which resolves to the server's private address. It appears that from what you are saying that I should have the public address resolve to server.domain.com and use whatever such as internalsip.domain.com where I have a record for internalsip in DNS that resolves to the private address.

    Anyhow, I just want to make sure as it seems that I am good, but may just be causing myself some confusion in regards to the names and setting up the certificates with the right names.

    Thanks again for your help,

    Regards,

    Eugene

    Friday, April 6, 2007 12:53 AM
  • Hi eugenecjr,

    Can you let us know the status of your issue? Did you figure out a solution? Would you share it with the forum? If not, please let us know ASAP.

    Thanks!

    Friday, April 13, 2007 6:34 AM
  • I apologize for my absence. I have been working on several projects at one time.

    I am currently still having problems with the certificates, however I believe it may be an issue in which I am not properly naming them in regards to the Internal FQDN and the External FQDN of the Edge server vs. the name required to access the OCS pool.

    I am now able to create the certificates needed such that this thread appears to no longer apply.

    Regards,

    Eugene

    Wednesday, May 2, 2007 7:18 PM