CWA 2007 R2 Certificate Question

  • Question

  • Hello,

    Do I need the FQDN and the NetBIOS name of my CWA 2007 R2 server as a subject alternative name in the certificate?

    As far as I understood, I need the following:

    Common Name:
    im.mydomain.com

    SAN Names:
    download.im.mydomain.com
    as.im.mydomain.com
    cwaserver.mydomain.com (FQDN CWA Server)
    cwaserver (Netbios-Name CWA Server)

    Is this right?


    Monday, August 17, 2009 7:50 PM

Answers

  • If you are using a single certificate for both SSL and MTLS duties on the CWA server then you'll need to include the server FQDN in the Subject Name and then add all of the values to the SAN field.  Having the im. as the Common Name will cause the Activation wizard to fail with a name-mismatch error.

    You don't need the NetBIOS name in the certificate, just FQDNs.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    • Marked as answer by UTTO Tuesday, August 18, 2009 8:20 PM
    Tuesday, August 18, 2009 2:05 AM
    Moderator

All replies

  • Thanks Jeff,

    Is there any official information from Microsoft on this? They recommend im.domain.com as Subject Name in the TechNet documentation.

    I chose the FQDN of my CWA Server for the subject name following your instructions.


    Certificate looks like:

    CN:
    cwaserver.mydomain.com

    SANs:
    cwaserver.mydomain.com
    im.mydomain.com
    as.im.mydomain.com
    download.im.mydomain.com


    It worked fine. I got CWA working internally. My next goal is to get it to work for external access.
    Tuesday, August 18, 2009 8:23 PM
  • Just wanted to share that I found this cool OCS Certificate Generator, which I chose for creating the LCSCMD command line for the CWA certificate:

    https://www.digicert.com/easy-csr/ocs2007.htm

    Tuesday, August 18, 2009 8:43 PM
  • I have not seen anything official but I'm working on getting a doc review initiated for that section, as it's really not correct.  Hopefully it'll be updated to reflect the correct configuration for a single cert on CWA versus separate SSL and MTLS certs.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, August 18, 2009 10:47 PM
    Moderator
  • FYI, here's a blog article I just posted on the topic: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=75


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, August 19, 2009 12:36 PM
    Moderator
  • Thank you, this will help others in the future.
    Wednesday, August 19, 2009 8:21 PM
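
The naming rule from the marked answer, written as a pre-issuance check and run against the two name layouts posted in this thread. This is an added example, not part of the original thread and not Microsoft or DigiCert code; the function and parameter names are hypothetical, and it treats a single-label (NetBIOS-style) entry as a finding because the answer says only FQDNs are needed.

```python
# Added example: checks a planned single-certificate (SSL + MTLS) name layout
# for a CWA server. All function and parameter names here are hypothetical.

def _norm(name):
    """Lower-case and strip whitespace / a trailing dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")

def check_cwa_cert_names(subject_cn, sans, server_fqdn, service_fqdns):
    """Return a list of findings; an empty list means the layout follows the rule."""
    findings = []
    cn = _norm(subject_cn)
    server = _norm(server_fqdn)
    san_set = {_norm(s) for s in sans}

    # Rule 1: the Subject Name must be the server FQDN.
    if cn != server:
        findings.append(f"subject CN '{cn}' is not the server FQDN '{server}'")

    # Rule 2: every name (server FQDN and published names) goes in the SAN field.
    for required in [server] + [_norm(n) for n in service_fqdns]:
        if required not in san_set:
            findings.append(f"SAN is missing '{required}'")

    # Rule 3: only FQDNs are needed; flag single-label (NetBIOS-style) entries.
    for name in sorted(san_set | {cn}):
        if "." not in name:
            findings.append(f"'{name}' is a single-label name, not an FQDN")
    return findings

# Constructed inputs, copied from the two layouts posted in the thread.
SERVER = "cwaserver.mydomain.com"
SERVICES = ["im.mydomain.com", "as.im.mydomain.com", "download.im.mydomain.com"]

# Layout from the question: im. as Common Name, NetBIOS name in the SAN list.
ORIGINAL_PLAN = check_cwa_cert_names(
    "im.mydomain.com",
    ["download.im.mydomain.com", "as.im.mydomain.com", SERVER, "cwaserver"],
    SERVER, SERVICES)

# Layout from the follow-up post that activated successfully.
WORKING_PLAN = check_cwa_cert_names(SERVER, [SERVER] + SERVICES, SERVER, SERVICES)

if __name__ == "__main__":
    for label, result in (("original", ORIGINAL_PLAN), ("working", WORKING_PLAN)):
        print(label, "->", result or "OK")
```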