Certificate Wizard in OCS 2007 Deploy Server Wizard...

All replies

  • Actually, this is the original message...sorry

    Hi all!

    I'm going crazy trying to resolve an installation problem. I have everything installed and running except for the Certificate installation part. I'm in the Deployment Wizard of OCS 2007 and am also in the "Configure Certificate" part. I initiate the Wizard, go thru everything and get "Certificate Wizard was unable to contact the Certification Authority, retry this operation later". Now, I'm not a CA wizard, and just have a basic knowledge of CAs and how they work, but I have an Enterprise CA setup on a domain controller, and it seems to be working just fine. I point to that server during the wizard setup, but get this message. Nothing in the event log either. Any help would be GREATLY appreciated!!!!!!

    Thanks in advance!!!
    -Scott D
    Friday, October 5, 2007 6:20 PM
  • Is the wizard detecting the Enterprise CA or are you typing the name of the server in?


    If you're typing the server name in you'll need to type servername\cainstancename


    servername being the name of the server and cainstancename being the name of the CA instance

    Monday, October 8, 2007 2:41 AM
  • It's automatically detecting the Enterprise CA and filling in the name. And, it's the correct name. Any ideas?
    Monday, October 8, 2007 5:09 PM
  • What happens when you browse to http://servername/certsrv/ from the PC you are trying to install OCS on?

    Tuesday, October 9, 2007 12:23 AM
  • I get page not found...I wouldn't think that I could browse a page to it...Now, I'm assuming you mean http://servername.domain/cainstance ? If that's the case, I get nothing. Should I? Not sure why I would....

    Tuesday, October 9, 2007 3:28 AM
  • We can tweak things in this case:


    Go to your Root CA.


    Request a Server authentication certificate in the name of the OCS Server (FQDN).


    Save the cert in .pfx format and export it to OCS Server.


    Import the certificate manually in OCS personal certificate store.


    Configure the certificate from OCS mmc.


    This should work if we are lucky enough.




    Tuesday, October 9, 2007 9:48 AM
  • I will try this and see what happens, and appreciate it. I'll also let you know what happens.

    I'm just curious as to why it's doing this during installation...Any ideas?

    Tuesday, October 9, 2007 1:09 PM
  • This can happen if you have issues with RPC. Check firewalls and antivirus software.


    Best bet is to disable all the 3rd party apps during this process and try to get a cert sitting on OCS wizard.





    Tuesday, October 9, 2007 1:49 PM
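
Added example (not part of any reply in this thread): a PowerShell check, run from the OCS server, of the path the replies above point at: name resolution, the RPC endpoint mapper port, and a `certutil -ping` against the CA given in `servername\cainstancename` form. The host name and CA instance name are placeholders.

```powershell
# Added example. Placeholder values: replace with your CA host and CA instance name.
param(
    [string]$CaHost = 'ca01.contoso.example',   # hypothetical CA server FQDN
    [string]$CaName = 'Contoso-Root-CA'         # hypothetical CA instance name
)

function Test-CaReachability {
    param([string]$CaHost, [string]$CaName)

    $result = [ordered]@{
        Config       = "$CaHost\$CaName"   # servername\cainstancename
        DnsResolved  = $false
        Rpc135Open   = $false
        CertutilPing = $false
        Detail       = ''
    }

    # 1. Name resolution from this machine.
    try {
        $null = [System.Net.Dns]::GetHostAddresses($CaHost)
        $result.DnsResolved = $true
    } catch {
        $result.Detail = "DNS lookup failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. RPC endpoint mapper. DCOM enrollment then moves to a dynamic port,
    #    so a firewall can still block the request even when 135 is open.
    $result.Rpc135Open = Test-NetConnection -ComputerName $CaHost -Port 135 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # 3. Ask the CA itself to answer over its certificate request interface.
    $out = & certutil.exe -config $result.Config -ping 2>&1
    $result.CertutilPing = ($LASTEXITCODE -eq 0)
    if (-not $result.CertutilPing) { $result.Detail = ($out | Out-String).Trim() }

    [pscustomobject]$result
}

Test-CaReachability -CaHost $CaHost -CaName $CaName | Format-List
```

If port 135 is open but the `certutil -ping` step fails, the block is usually further along the RPC path (dynamic ports or a host firewall on the CA) rather than in name resolution.
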
  • I'm not sure on how to do the above process...How would you "Request a Server authentication certificate" in the name of the LCS 2007 name...I have found how to import it during the install process, just not how to request it from the CA and export it.

    Thanks again!!
    Tuesday, October 9, 2007 2:57 PM
  • There is nothing running on the LCS as of now...Trying to get this running first. The CA seems to be working for anything else that requests a certificate. Do you know what template it's actually trying to get?
    Tuesday, October 9, 2007 2:59 PM
  • Also, a dumb question...This CA is an Enterprise root CA. Can it issue out certificates to clients and computers, or do I need to implement a subordinate CA in order to issue certificates? What do most people usually do?

    Just a thought....
    Tuesday, October 9, 2007 4:34 PM
  • Enterprise Root CAs can issue all types of certificates.

    You must make sure that the Certificate Templates are available and have the correct permissions to enroll.


    Many organizations use an offline root CA and use an Enterprise Subordinate for security purposes.

    But if you are a small-mid sized company this might be overkill




    Tuesday, October 9, 2007 7:13 PM
  • I can now connect thru a web browser to the certsrv and get a client certificate. I still get an error when trying to get a certificate thru the install procedure (certificate wizard). However, when I do try and connect to the certsrv thru a web page, it prompts me for credentials...Is this normal, and what is my next move?

    Thanks a million!
    Wednesday, October 10, 2007 3:09 AM
  • You don't need a Client Certificate...

    You need a Server Certificate


    Certsrv is configured to ask for credentials because it connects to AD.




    Wednesday, October 10, 2007 9:07 AM



  • I was away so not able to reply in time.


    I would be sure that your OCS front-end server is a member of the Domain. If so, then requesting the certificate from the web browser should not prompt you for credentials.

    To check if you are able to authenticate to the domain from OCS FE, try to open \\<Domain Controller> with NetBIOS and FQDN. If it is successful then you should be able to authenticate to Certificate web site.


    I will try to give you the procedure for requesting the certificate;


    1. Go to certificate webpage http://<CertificateServer>/Certsrv

    2. Request a certificate.

    3. Advance certificate.

    4. Create & submit the certificate request.

    5. In Drop down select Web Server.

    6. In Name: <Give your OCS Server FQDN>

    7. Select "Store the certificate in local computer store"

    8. In Friendly name: <Give any name from which you can recognise the purpose of this cert.>

    9. Click generate.

    10. Install the certificate.

    11. Check if the cert is in personal store in certificate mmc.

    12. Open the certificate and check if it is valid and you have root CA.


    For all this, basically the first para should be clearly thru.




    Wednesday, October 10, 2007 11:55 AM
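
Added example (not part of any reply in this thread): steps 11 and 12 of the procedure above done in PowerShell instead of the certificate MMC. It reports, for each certificate in the local computer's personal store, whether the name matches the server FQDN, whether it is within its validity period, has a private key, carries the Server Authentication EKU, and chains to a trusted root. `ocs01.contoso.example` is a placeholder FQDN.

```powershell
# Added example. $Fqdn is a placeholder for the OCS server's FQDN.
param([string]$Fqdn = 'ocs01.contoso.example')

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-ServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )

    # Collect the EKU OIDs, if the certificate carries an EKU extension.
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # Build the chain to a trusted root, checking revocation online.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($Cert)

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        NameMatches   = $Cert.GetNameInfo('DnsName', $false) -eq $Fqdn
        InValidity    = ($now -ge $Cert.NotBefore) -and ($now -le $Cert.NotAfter)
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuthEku = $ekus -contains $ServerAuthOid
        ChainTrusted  = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Personal store of the local computer, where step 7 places the certificate.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ServerCertificate -Cert $_ -Fqdn $Fqdn } |
    Format-List
```

A certificate that is usable for the server should show `True` in every boolean column and an empty `ChainStatus`.
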
  • Yes, I understand that, I was just testing the CA to see if it could even hand out any certificates...
    What is the process that someone spoke about above? Getting a server certificate on my LCS 2007 server?

    Wednesday, October 10, 2007 7:20 PM
  • Did you try to restart your Certificate Services Service?




    Wednesday, October 10, 2007 10:43 PM
  • Yes, my OCS server is a member server. I can authenticate when I open the web page, but I wasn't sure if it should even prompt me when I do open it, or it should pick up who I am and just open the page...

    I'll try the above process and see what happens! Thanks again for all the help!!
    Thursday, October 11, 2007 3:42 AM