Single certificate of OCS

  • Question

  • Having OCS 2007 R2 Enterprise Edition with Edge in a consolidated topology.
    We are willing to buy a certificate. I read some articles saying that you can put all the required names as SANs in your certificate request and use a single certificate instead of a different certificate for each name.

    Is there any issue with this setup, and which one is better?

    Thanks.
    Sunday, August 2, 2009 6:56 AM

Answers

  • Each Edge server requires an external and internal certificate except for the web conference edge.  MS recommends deploying a separate External certificate for Edge services, especially for the AV Edge service.  In addition, the external Edge server requires that the certificate Subject Name be the FQDN of the Edge server.

    http://technet.microsoft.com/en-us/library/dd425344(office.13).aspx


    HTH

    James
    • Marked as answer by andody Monday, August 3, 2009 6:27 AM
    Monday, August 3, 2009 5:10 AM

All replies

  • Actually the above is incorrect.  In a standard consolidated Edge server all roles require a certificate (including Web Conferencing).  Also, the external role certificates do not use the Edge server's FQDN as the Subject name, only the Internal certificate uses the server name.

    The Internal Edge and A/V Conferencing Edge interfaces would typically use private certificates issued by an internal Enterprise CA (but can use public certs if desired).  The Access Edge and Web Conferencing interfaces require publicly-issued certificates for full-feature use.  The A/V Conferencing role does not use a certificate, but note that the A/V Authentication role does.  This is a common mistake during the first deployment as the two distinct roles are not obvious.  Additionally, private certs can be used throughout, but external sign-in will be limited to trusting workstations and PIC/Federation services will not work (Federation can be made to work with certificate-sharing, but PIC will never work). 

    Best practice is to use separate certificates on each role, and if only a single SIP domain is being used by OCS then no SAN field entries are required.  If supporting two or more SIP domains then SAN entries are needed in each cert.  A single SAN cert can be used for both the external AE and WC roles but is not recommended.

    Take a look at the latter portion of this article for more details: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=19


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, August 3, 2009 11:21 AM
    Moderator
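The request shape described in the reply above (external-role certificate with the Access Edge name as the Subject, SAN entries only because more than one SIP domain is supported), as an added example that is not part of the original thread: a PowerShell script that writes a certreq.exe INF file for the external Access Edge interface and generates the PKCS#10 request in the machine store. The names sip.contoso.com and fabrikam.com, the Subject O/L/S/C values and the C:\Certs paths are hypothetical placeholders, not values from the posts.

```powershell
# Added example, not from the thread: build a certreq.exe request for the
# external Access Edge interface of an OCS 2007 R2 consolidated Edge server.
# All names and paths below are hypothetical; replace them with your own.
#
# Subject CN = the external Access Edge FQDN (not the Edge server's own FQDN,
# which only the Internal interface certificate uses).
# SAN entries are only needed when more than one SIP domain is supported:
# one sip.<domain> entry per SIP domain, with the CN repeated in the SAN.

$AccessEdgeFqdn = 'sip.contoso.com'                 # hypothetical
$SipDomains     = @('contoso.com', 'fabrikam.com')  # hypothetical: two SIP domains
$InfFile        = 'C:\Certs\AccessEdge.inf'         # hypothetical path
$RequestFile    = 'C:\Certs\AccessEdge.req'         # hypothetical path

# One dns= entry per name; certreq joins them with '&' inside the
# 2.5.29.17 (subjectAltName) extension when the "{text}" format is used.
$sanNames = @($AccessEdgeFqdn) + ($SipDomains | ForEach-Object { "sip.$_" }) |
    Select-Object -Unique
$sanLines = for ($i = 0; $i -lt $sanNames.Count; $i++) {
    $suffix = if ($i -lt $sanNames.Count - 1) { '&' } else { '' }
    '_continue_ = "dns={0}{1}"' -f $sanNames[$i], $suffix
}

# Backtick-escaped `$ keeps the literal "$Windows NT$" signature inside the here-string.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$AccessEdgeFqdn, O=Contoso Ltd, L=Redmond, S=Washington, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@

New-Item -ItemType Directory -Path (Split-Path $InfFile) -Force | Out-Null
Set-Content -Path $InfFile -Value $inf -Encoding ASCII

# Generate the key pair in the local machine store and write the PKCS#10
# request file to submit to the public CA.
certreq.exe -new $InfFile $RequestFile

# Once the CA returns the signed certificate, bind it to the pending request:
#   certreq.exe -accept C:\Certs\AccessEdge.cer
# and then assign it to the Access Edge interface with the Edge server's
# Certificate Wizard.
```

Run it on the Edge server itself so the private key lands in that machine's certificate store; if only one SIP domain is in use, drop the `[Extensions]` section entirely, which matches the reply's point that no SAN entries are needed in that case.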