CWA 2007 R2 Certificate Question

Question
Hello,
Do I need the FQDN and the NetBIOS name of my CWA 2007 R2 server as a subject alternative name in the certificate?
As far as I understood, I need the following:
Common Name:
im.mydomain.com
SAN Names:
download.im.mydomain.com
as.im.mydomain.com
cwaserver.mydomain.com (FQDN CWA Server)
cwaserver (NetBIOS name CWA Server)
Is this right?
Monday, August 17, 2009 7:50 PM

Answers
If you are using a single certificate for both SSL and MTLS duties on the CWA server then you'll need to include the server FQDN in the Subject Name and then add all of the values to the SAN field. Having the im. as the Common Name will cause the Activation wizard to fail with a name-mismatch error.
You don't need the NetBIOS name in the certificate, just FQDNs.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
Marked as answer by UTTO Tuesday, August 18, 2009 8:20 PM
Tuesday, August 18, 2009 2:05 AM | Moderator

All replies
Thanks Jeff,
Is there any official information from Microsoft on this? They recommend im.domain.com as Subject Name in the TechNet documentation.
I chose the FQDN of my CWA Server for the subject name following your instructions.
Certificate looks like:
CN:
cwaserver.mydomain.com
SANs:
cwaserver.mydomain.com
im.mydomain.com
as.im.mydomain.com
download.im.mydomain.com
It worked fine. I got CWA working internally. My next goal is to get it to work for external access.
Tuesday, August 18, 2009 8:23 PM

Just wanted to share that I found this cool OCS Certificate Generator, which I chose for creating the LCSCMD command line for the CWA certificate:
https://www.digicert.com/easy-csr/ocs2007.htm
Tuesday, August 18, 2009 8:43 PM

I have not seen anything official but I'm working on getting a doc review initiated for that section, as it's really not correct. Hopefully it'll be updated to reflect the correct configuration for a single cert on CWA versus separate SSL and MTLS certs.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
Tuesday, August 18, 2009 10:47 PM | Moderator

FYI, here's a blog article I just posted on the topic: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=75
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
Wednesday, August 19, 2009 12:36 PM | Moderator

Thank you, this will help others in the future.
Wednesday, August 19, 2009 8:21 PM
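
Added example, not part of the original thread and not written by any of its posters: a small Python check of a planned name set against the rule in the accepted answer (subject CN is the server FQDN, every FQDN is listed in the SAN, no NetBIOS name), run on the two name sets posted above. The function name `check_cwa_cert_names`, its parameters and the constants are hypothetical; the host names are the thread's own placeholders.

```python
# Added example: lint a planned name set for a single CWA certificate that is
# used for both SSL and MTLS, following the rule given in the accepted answer.

def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().rstrip(".").lower()

def check_cwa_cert_names(subject_cn, sans, server_fqdn, published_names):
    """Return a list of findings; an empty list means the plan passes."""
    cn, fqdn = _norm(subject_cn), _norm(server_fqdn)
    san_set = {_norm(s) for s in sans}
    findings = []
    # The answer: the subject name must be the server FQDN, otherwise
    # activation fails with a name-mismatch error.
    if cn != fqdn:
        findings.append(f"subject CN '{cn}' is not the server FQDN '{fqdn}'")
    # All values, the server FQDN included, belong in the SAN field.
    for name in [fqdn] + [_norm(p) for p in published_names]:
        if name not in san_set:
            findings.append(f"SAN is missing '{name}'")
    # Single-label (NetBIOS) names are not needed, only FQDNs.
    for name in sorted(san_set):
        if "." not in name:
            findings.append(f"SAN '{name}' is a NetBIOS name, not needed")
    return findings

# Name sets copied from the thread (placeholder domain used by the poster).
SERVER_FQDN = "cwaserver.mydomain.com"
PUBLISHED = ["im.mydomain.com", "as.im.mydomain.com", "download.im.mydomain.com"]
PROPOSED = dict(
    subject_cn="im.mydomain.com",
    sans=["download.im.mydomain.com", "as.im.mydomain.com",
          "cwaserver.mydomain.com", "cwaserver"],
)
WORKING = dict(
    subject_cn="cwaserver.mydomain.com",
    sans=["cwaserver.mydomain.com", "im.mydomain.com",
          "as.im.mydomain.com", "download.im.mydomain.com"],
)

if __name__ == "__main__":
    for label, plan in (("proposed", PROPOSED), ("working", WORKING)):
        result = check_cwa_cert_names(
            server_fqdn=SERVER_FQDN, published_names=PUBLISHED, **plan)
        print(label, "->", result or "OK")
```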