SAN Certificates with OCS 2007 R2

  • Question

  • Hi,
     
    I have a question: I am not able to get a SAN working with OCS 2007 R2. I am looking through the documentation and I see that they say this:

    Each Edge Server requires two certificates on the external interface—one for the Access Edge service, and one for the Web Conferencing Edge service. (The A/V Edge service does not require a certificate.) Each of these certificates must have a subject name that matches the external FQDN of that edge service on that server.

    This means that a SAN will no longer work, and I just wanted to see if anyone is using them!


    Moto
    Saturday, February 14, 2009 1:48 AM

All replies

  • A single SAN certificate will work, but I don't believe it's a supported config.

    It's much cheaper anyway to just have 2 single-name certs, as the documentation states: 1 for the Access Edge and 1 for the Web Conferencing Edge.
    Monday, February 16, 2009 10:22 PM
  • 2 certificates is the way to go.
    OCS EDGE config only uses the first SAN entry in the list!
    - Belgian Exchange Community : http://www.pro-exchange.be -
    Monday, February 16, 2009 11:27 PM
    I've always created Edge certs with SANs; particularly for the Access Edge, it's been a virtual necessity. On the Access Edge the cert has to have the FQDN of the Access Edge, as it's being referenced over the internet. It also has to have an entry for sip.domain.com for each SIP domain that it is going to allow to traverse it to the OCS pools. SIP.domain.com is the fallback if the SRV records are not available.

    So typically, my Access Edge is going to have a SAN with at least two entries:

    FQDN of the Access Edge; SIP.domain.com

    If what you are saying about the Edge is true, that it will use the first SAN entry, then you would never be able to set your Edge up to be referenced as SIP.domain.com for multiple SIP domains. So, given this, unless you don't want to list SIP.domain.com, you will have to have a SAN on the cert! I guess you could just name your Access Edge SIP.domain.com and only support a single SIP domain.

    My experience has been that you can share the cert on the Access Edge with the Web Conference Edge. I've heard rumors back and forth that in order to do that the last entry in the SAN would have to be the listing for the Web Conf Edge. So a cert that could be used for an Access Edge named IM.acme.com and a Web Conference Edge named wc.acme.com would look like:

    SN=im.acme.com
    SAN=im.acme.com,sip.acme.com,wc.acme.com

    Friday, March 20, 2009 10:01 PM
  • If installing Access, Web Conf, and AV Edge roles on a consolidated Edge, I would do:

    SAN cert for the Access and AV edge roles + machine name + sip.domain names,
    One single-name cert for the web conf edge role.

    I do this so the web conf role common name matches its DNS name.

    Both third party trusted certs as well.
    Tuesday, March 24, 2009 4:05 PM
    AV EDGE does not need a cert.
    Only the internal AV Auth service does, but this can be an internal cert.

    I would never put the machine name in a public facing cert

    Sip domains are required for the Access EDGE
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Thursday, March 26, 2009 5:34 PM
    I've also recently found out that, by the book, the Web Conferencing Edge FQDN cannot be in a SAN list. It has to be in the Subject Name. If you do leave it in the SAN list, the name of the Web Conferencing Edge as it appears on the OCS console will list whatever is in the Subject Name of that certificate.

    My understanding is that this is purely cosmetic and won't impact the functioning of the Web Conferencing Edge Server. Cosmetic but irritating!

    Wednesday, June 24, 2009 5:39 PM
  • Insofar as the access proxy is concerned, the SN of the certificate should be the primary DNS FQDN of the interface, for both external and internal edges. The external edge certificate SAN can contain additional FQDNs to support multiple domains; typically, the FQDN for a domain "contoso.com" would be simply "sip.contoso.com" but can be "xxx.contoso.com" where "xxx" is any valid name - "eng.contoso.com" would also be valid. The number of domains supportable is limited only by the maximum size of the SAN field.
    CW
    Thursday, July 16, 2009 11:04 PM
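
As an added example (not posted by anyone in this thread, and not Microsoft's tooling), here is a small Python script that encodes the naming rules the replies above converge on: the Access Edge certificate's Subject is its external FQDN, repeated as the first SAN entry and followed by sip.<domain> for every SIP domain (the March 20 post and CW's July 16 reply); the Web Conferencing Edge FQDN goes in the Subject of its own certificate (the June 24 post); the A/V Edge external interface gets no certificate and the internal machine name stays off any public-facing cert (the March 26 reply). It plans the two certificates, flags a spec that breaks those rules, and renders a certreq.exe .inf request file for each. All hostnames (im.acme.com, wc.acme.com, edge01.corp.acme.local), the organisation name and the request parameters (key length, CSP) are assumptions chosen for illustration.

```python
"""Plan and sanity-check OCS 2007 R2 Edge Server public certificates.

Added example, not from the thread or from Microsoft. All hostnames
(im.acme.com, wc.acme.com, edge01.corp.acme.local) are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


@dataclass
class CertSpec:
    role: str
    subject_cn: str
    sans: List[str] = field(default_factory=list)


def plan_edge_certs(access_fqdn: str, webconf_fqdn: str,
                    sip_domains: Sequence[str]) -> List[CertSpec]:
    """Two public certs: one for the Access Edge, one for the Web Conferencing Edge.

    The A/V Edge external interface needs no certificate, so none is planned.
    """
    access_fqdn, webconf_fqdn = access_fqdn.lower(), webconf_fqdn.lower()
    access_sans = [access_fqdn]            # Subject first, then sip.<domain> per SIP domain
    for domain in sip_domains:
        name = f"sip.{domain.lower()}"
        if name not in access_sans:
            access_sans.append(name)
    return [
        CertSpec("Access Edge", access_fqdn, access_sans),
        # Web Conf Edge FQDN must be the Subject, so it gets its own single-name cert.
        CertSpec("Web Conferencing Edge", webconf_fqdn, [webconf_fqdn]),
    ]


def check_cert(spec: CertSpec, role_fqdn: str, sip_domains: Sequence[str] = (),
               machine_name: Optional[str] = None) -> List[str]:
    """Return the rule violations for a planned or existing public Edge cert."""
    findings = []
    role_fqdn = role_fqdn.lower()
    sans = [s.lower() for s in spec.sans]
    if spec.subject_cn != role_fqdn:
        findings.append(f"{spec.role}: subject CN '{spec.subject_cn}' is not the role FQDN '{role_fqdn}'")
    if spec.subject_cn not in sans:
        findings.append(f"{spec.role}: subject CN '{spec.subject_cn}' is not repeated in the SAN")
    if sans and sans[0] != spec.subject_cn:
        findings.append(f"{spec.role}: first SAN entry '{sans[0]}' is not the subject CN")
    if machine_name and machine_name.lower() in sans + [spec.subject_cn]:
        findings.append(f"{spec.role}: internal machine name '{machine_name}' on a public-facing cert")
    if spec.role == "Access Edge":
        for domain in sip_domains:
            if f"sip.{domain.lower()}" not in sans:
                findings.append(f"Access Edge: missing sip.{domain.lower()} for SIP domain {domain}")
    return findings


def to_certreq_inf(spec: CertSpec, org: str = "Acme Corp", country: str = "US") -> str:
    """Render a certreq.exe .inf for the spec (then: certreq -new edge.inf edge.req)."""
    lines = [
        "[NewRequest]",
        f'Subject = "CN={spec.subject_cn}, O={org}, C={country}"',
        "KeyLength = 2048",
        "Exportable = TRUE",
        "MachineKeySet = TRUE",
        "KeySpec = 1",                 # AT_KEYEXCHANGE
        "KeyUsage = 0xA0",             # digitalSignature + keyEncipherment
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        "RequestType = PKCS10",
        "[EnhancedKeyUsageExtension]",
        "OID = 1.3.6.1.5.5.7.3.1",     # serverAuth
    ]
    # Single-name certs need no SAN extension; multi-name certs list each dNSName.
    if spec.sans and spec.sans != [spec.subject_cn]:
        lines += ["[Extensions]", '2.5.29.17 = "{text}"']
        lines += [f'_continue_ = "dns={name}&"' for name in spec.sans]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    domains = ["acme.com", "contoso.com"]
    for spec in plan_edge_certs("im.acme.com", "wc.acme.com", domains):
        issues = check_cert(spec, spec.subject_cn, domains, "edge01.corp.acme.local")
        print(spec.role, "->", issues or "OK")
        print(to_certreq_inf(spec))
```

Feeding the rendered .inf to `certreq -new` on the Edge Server produces the CSR for the public CA; running `check_cert` against the names found in the issued certificate catches the cases raised in the thread (a Web Conf FQDN hidden in the SAN, an internal machine name leaking onto the external cert, or a SIP domain with no sip.<domain> entry) before the certificate is bound to the Edge interface.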