Certificate for OCS 2007 Web Access Server

  • Question

  • I cannot get a certificate in place that will allow me to install the Web Access server.
    Dave
    Tuesday, July 7, 2009 4:22 PM

All replies

  • Can you explain more.
    mitch
    Thursday, July 9, 2009 1:36 AM
  • Every way I try to generate the certificate I get an error msg saying I need an MTLS Cert. I have tried using the frontend wizard with my external name as the Subject name and my external name plus the server name as the SAN. I have also tried to generate using the LCSCMD with the same results.
    Dave
    Thursday, July 9, 2009 12:43 PM
  • Hi Dave,

    So, you can actually issue the certificate from your CA but you cannot install it on your CWA server, or can you not even issue the certificate?
    Thursday, July 9, 2009 2:10 PM
  • I can generate and import the cert to the CWA server, but when I select the cert during the install I get an error that says:

    The certificate you selected is the incorrect. Please select a Valid Mutual TLS certificate

    Dave
    Thursday, July 9, 2009 2:13 PM
  • What is the OS of the server you are trying to install CWA on? 2003 or 2008?
    Also please try posting the procedure you are following to issue the certificate, and also give us the OS info for your internal CA.
    Friday, July 10, 2009 9:22 AM
  • Hi

    What do you mean by my external name as SN?

    Using the frontend certificate wizard the SN should be the FQDN of your CWA server. No SAN should be needed. Mark the certificate as exportable before you generate it. 


    /T
    Friday, July 10, 2009 10:21 AM
  • I have tried using only the FQDN as the SN and marking the cert as exportable using the front end cert wizard. This is being installed on a 2003 64-bit Enterprise server. That is the same as the Edge, Frontend, Mediation, Unified Messenger, QoE, and SQL servers for the OCS environment.
    Dave
    Friday, July 10, 2009 1:25 PM
  • Can you go into Certificates for the computer to see if it is in the Personal store? Also validate that the cert has the Client and Server EKUs; you can see this in the properties. Also, when you open the certificate to look at the properties, be sure it says on the General tab that there is a private key.


    mitch
    Friday, July 10, 2009 2:46 PM
  • I just generated a new cert using the frontend wizard with the web server's FQDN as the SN, with no SAN, and selected EKU and Exportable. Still getting the MTLS error.


    Dave
    Friday, July 10, 2009 4:59 PM
  • Dave, can you open an MMC and then add Certificates to it? When it asks for local account or My Computer, select My Computer. Then look in the Personal store to see if the cert is there. Open the cert, please check the chain and the Subject name, and also review to be sure it has a private key. I am trying to see if the CA is a trusted CA, and trying to verify the cert issued correctly.
    mitch
    Friday, July 10, 2009 5:22 PM
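    The manual MMC inspection described above (Personal store, Subject name, Client and Server EKUs, private key, chain to a trusted CA) can be scripted. The following is an added example, not code from this thread or from the OCS product; it assumes PowerShell on the CWA server, a placeholder FQDN of cwa01.corp.example.com, and that the certificate was imported into the local computer's Personal store (Cert:\LocalMachine\My). It reports each check separately so you can see which requirement the selected cert fails rather than only getting the "Mutual TLS" error from setup.

```powershell
# Added example (not from the thread): check a certificate in the local
# computer's Personal store against the points raised in this thread.
# Assumed placeholders: the CWA server FQDN and, optionally, a thumbprint.
# Run in an elevated PowerShell session on the CWA server.
param(
    [string]$ServerFqdn = 'cwa01.corp.example.com',   # assumed placeholder
    [string]$Thumbprint = $null                        # optional; else match by subject
)

$OidServerAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$OidClientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-CwaCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    $r = @{}

    # 1. Subject CN: the name the MTLS check compares against the server FQDN.
    $cn = ($Cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    $r['SubjectCN']          = $cn
    $r['SubjectMatchesFqdn'] = ($cn -ieq $Fqdn)

    # 2. Subject Alternative Name (OID 2.5.29.17), if present, and whether the FQDN is in it.
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
    $r['SAN']       = $sanText
    $r['FqdnInSAN'] = ($sanText -match [regex]::Escape($Fqdn))

    # 3. Enhanced Key Usage (OID 2.5.29.37) must carry both Server and Client Authentication.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $r['HasServerAuthEKU'] = ($ekus -contains $OidServerAuth)
    $r['HasClientAuthEKU'] = ($ekus -contains $OidClientAuth)

    # 4. The private key must be present in the machine store (General tab: "You have a private key").
    $r['HasPrivateKey'] = $Cert.HasPrivateKey

    # 5. The chain must build to a root the machine trusts (the "is the CA trusted" question).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; enable if CRLs are reachable
    $r['ChainValid']  = $chain.Build($Cert)
    $r['ChainStatus'] = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

    New-Object PSObject -Property $r
}

# Select the candidate certificate(s) from the computer's Personal store.
$store = Get-ChildItem Cert:\LocalMachine\My
$candidates = if ($Thumbprint) {
    $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
} else {
    $store | Where-Object { $_.Subject -like "*CN=$ServerFqdn*" }
}

if (-not $candidates) {
    Write-Warning "No certificate for $ServerFqdn found in Cert:\LocalMachine\My"
    return
}

$candidates | ForEach-Object { Test-CwaCertificate -Cert $_ -Fqdn $ServerFqdn } | Format-List
```

    Any line reporting False is the requirement to fix before re-running setup: a missing private key usually means the cert was imported from a .cer rather than a .pfx, missing EKUs mean the request template did not include Client and Server Authentication, and an invalid chain means the issuing CA is not in the computer's Trusted Root store.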
  • It is a trusted CA and issued correctly. I have used the same CA server to replace all my certs for OCS over the last 2 weeks.
    Dave
    Friday, July 10, 2009 5:24 PM
  • So is this a new CWA install?
    mitch
    Friday, July 10, 2009 5:27 PM
  • Yes, this is a fresh CWA install.
    Dave
    Friday, July 10, 2009 5:28 PM
  • So is the server name the same as the CWA website name? If not, I seem to remember there is a WMI setting that has to be set so that the name presented for MTLS is the same as the website. I think it was WMI. I will look for it and let you know shortly.
    mitch
    Friday, July 10, 2009 5:39 PM
  • So are you trying to use the same certificate for the MTLS and for CWA?
    mitch
    Friday, July 10, 2009 5:45 PM
  • I am trying to use any cert that will allow me to do the install before I purchase my public cert. Every time I do the install it says I need a Mutual TLS cert.
    Dave
    Friday, July 10, 2009 5:47 PM
  • No, the server name is not the same as the CWA website.
    Dave
    Friday, July 10, 2009 5:47 PM
  • In the OCS 2007 R2 Deploying CWA guide, on page 16, there might be some helpful stuff. It explains how the CWA cert and SANs need to be created.
    mitch
    Friday, July 10, 2009 5:59 PM
  • Used the settings from that document and still get the same error.
    Dave
    Friday, July 10, 2009 6:11 PM
  • Well, usually this is caused by the DNS name in the Subject Name field of the cert not being correct. It should match the FQDN of the server it is on.
    mitch
    Friday, July 10, 2009 6:46 PM
  • According to the document the SN should be the website name, then the server FQDN in the SAN.
    Dave
    Friday, July 10, 2009 6:48 PM
  • Try switching them and see if that fixes it.
    mitch
    Friday, July 10, 2009 6:53 PM
  • Do I want to select "include client EKU" in the certificate request?
    Dave
    Friday, July 10, 2009 7:02 PM
  • Yes, I would.
    mitch
    Friday, July 10, 2009 7:05 PM
  • Same error. I have to give up on this till Monday.
    Dave
    Friday, July 10, 2009 7:14 PM
  • Is there a better way to request the cert than using the wizard for the frontend server?
    Dave
    Friday, July 10, 2009 7:15 PM
  • Command line but that can be more work as well.
    mitch
    Friday, July 10, 2009 7:16 PM
  • The LcsCmd way???

    What is the best syntax for what i am trying to do?
    Dave
    Friday, July 10, 2009 7:17 PM
  • REM Change to the OCS setup media and request the CWA certificate from the internal CA.
    D:

    cd Setup\amd64

    REM Run LcsCmd with the account that has enroll rights on the CA; the whole command is one line.
    runas /netonly /user:USERNAME "LcsCmd.exe /Cert /Action:Request /sn:SERVERFQDN /san:im.domain.com,download.im.domain.com,as.im.domain.com /ca:CAROOTserver\CertSvc /OU:OUforCERT /org:OrgName /country:US /city:whatevercity /state:whateverstate /friendlyName:CWA_Certificate /exportable:TRUE"

    pause


    mitch
    Friday, July 10, 2009 7:24 PM
  • If you haven't done so already, take a look at these in the OCS 2007 R2 library...
    http://technet.microsoft.com/en-us/library/dd441378(office.13).aspx
    http://technet.microsoft.com/en-us/library/dd441293(office.13).aspx

    Pretty much all the detail you need to run the command line certificate request... And always check for the Root CA trust, although if your server is joined to the domain, the Root CA should already be trusted...

    George
    Friday, July 10, 2009 9:06 PM
  • I have gotten past the certificate issue and now I am running into an issue with Activate Communicator Web Access WMI Instance: Failure [0x8004100E]
    Dave
    Wednesday, July 15, 2009 2:26 PM
  • Communicator Web Access Special Activation Steps                                                  Failure [0x8004100E]
    Create Communicator Web Access Template Application Pool                                          Success
    Activate Communicator Web Access WMI Instance                                                     Failure [0x8004100E]
    Cleanup For Communicator Web Access Special Activation                                            Success
    Delete Communicator Web Access Template Application Pool                                          Success
    Deactivate Communicator Web Access WMI Instance                                                   Failure [0x8004100E]
    Revoke Permission On Certificate                                                                  Failure [0x8004100E]
    Revoke Permission On Registry: SoftWare\Microsoft\Windows NT\CurrentVersion\Perflib               Success
    Revoke Permission On Registry: SYSTEM\CurrentControlSet\Services\CWAPerf\Performance\Parameters   Success
    Revoke Permission On Registry: Software\Microsoft\Communicator Web Access\                        Success


    Dave
    Wednesday, July 15, 2009 2:34 PM
  • Can I ask how you got past the certificate error please?? I have exactly the same problem and have been going round in circles all day!!

    john
    Wednesday, July 29, 2009 4:41 PM