How many certificates do I need to buy?

  • Question

  •  

    Hi all,

    I have two computers prepared for installing Office Communications Server.

    One computer installs the Edge servers, which include Access Edge, Web Edge, and A/V Edge.

    The other computer installs the OCS Standard server, which includes the OCS A/V Conferencing server, Front-End server, IM Conferencing, Telephony Conferencing, and Web Conferencing.

    FQDN name list:

    internal Access edge:  ocsedge.<domain name>.com

    external Access edge:  accessedge.<domain name>.com

    A/V edge: avedge.<domain name>.com

    Web edge: webedge.<domain name>.com

    OCS standard server: ocsmain.<domain name>.com

    So far I have used my own Certificate Server to create 5 certificates, one for each of the above FQDNs, and it works.

    Now I want to buy certificates from a third-party certificate authority, but I am not sure how many certificates I need to buy.

    Regards,

    Bo

    Tuesday, December 18, 2007 5:15 PM


All replies

  • I have my own internal CA server. The reason I want to buy some certificates from a third-party CA is that I don't want external users to have to install my internal CA root certificate under "Trusted Root Certification Authorities". There are 5 certificates in total used in the OCS server, and I am not sure whether I need to buy 5 or just the certificate for the Access Edge Server public interface.

    Tuesday, December 18, 2007 11:26 PM
  • You only need one certificate with a few subject alternate names.  Make sure that the external access edge FQDN is the subject name of the certificate and the other addresses are subject alternate names.

     

    Wednesday, December 19, 2007 12:24 AM
    Moderator
  • Hi Mike,

    Thanks for your reply.

    Did you mean I only need one certificate for the Edge Servers (Access Edge, Web Edge, A/V Edge, Private Internal Edge)?

    How about the certificates for the OCS Server roles (Front-End, Web Conferencing, A/V Conferencing)?

    Wednesday, December 19, 2007 5:41 PM
  • You only need to deploy a Third Party certificate on the external Edge services, and can use an internal CA to issue certs for Front-End servers and the internal interface of the Edge Server.

    So the maximum you would purchase would be 3, but that can even be reduced based on your Edge configuration and deployment.

    Wednesday, December 19, 2007 7:49 PM
    Moderator
  • Thanks for Jeff's reply.

    Is it possible to use my internal CA server to issue all certificates for OCS, and have the external clients automatically download the root certificate from the internal CA server and install it automatically or prompt a dialog to install it?

    If this is impossible with an internal CA server, can I make my internal CA a child node of a Third Party CA so that any certificates issued by the internal CA are also trusted by clients automatically? For example, the VeriSign CA is one of the default entries in the "Trusted Root Certification Authorities" store in Windows XP.

    Thursday, December 20, 2007 9:35 PM
  • If you do not plan to IM with public providers (AOL, Yahoo, and MSN) or federate with other companies, then there is no need to use a public CA on the external interface of the Edge server.

    As long as your external client has your trusted Root CA chain, the client should be able to do TLS.

    Friday, January 18, 2008 1:34 AM
  • Paolop > Is your reply the same if you plan on hosting Live Meeting?

     

    Wednesday, February 20, 2008 10:58 PM
  • It was quite an informative discussion, but I'm just a bit confused.

    If I'm having a separate certificate for each role on the Edge Server, do I really have to bother about Subject Alternative Names?

    A quick reply is highly appreciated.

    Regards

    Afeef

    Tuesday, July 8, 2008 7:42 AM
  • ToddHart wrote:
    Paolop > Is your reply the same if you plan on hosting Live Meeting?

    If you plan on hosting Live Meeting for AD users who are out of the office but have their laptop on your domain, yes, you only need internal certificates.

    If you plan on hosting Live Meeting with partners/clients who aren't on your domain BUT you can give them your CA root so they can install it as a "Trusted Root CA" on their desktops/laptops, yes, you only need internally generated certificates.

    Of course it's not a "clean" solution because you always have to send your root CA to the people who aren't part of your domain.

    You only need 1 public certificate (with a lot of SANs) for the edge roles, so it won't be that expensive (there are cheap ones on the market that don't have SAN limits).

    Btw, wildcard certificates are a no go in OCS, don't forget that.

    Wednesday, July 9, 2008 1:28 PM
  • Mike Stacy wrote:

    You only need one certificate with a few subject alternate names.  Make sure that the external access edge FQDN is the subject name of the certificate and the other addresses are subject alternate names.

    My experience is that you cannot use the same certificate (with SANs) for the Access Edge and Web Conferencing Edge public interfaces. The reason is: the Web Conferencing Edge "ignores" the SANs on the cert and the FQDN you enter in the configuration, and instead automatically changes its FQDN DNS name to the CN of the certificate that you select... Since the 2 edge servers have different IP addresses... you can't have them share the same DNS name :-(

    Tuesday, July 22, 2008 3:33 PM
  • The edge server interface does in fact change the display text in that field to match the subject of the certificate, which makes it seem like the web conferencing edge must use that name.  However, that is not the case - you can indeed use a SAN for web conferencing connectivity.

    Wednesday, July 23, 2008 6:16 PM
    Moderator
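Mike's one-certificate answer, Jeff's point that only the external Edge interface needs a public CA, and Paolop's wildcard caveat can be turned into a check of the certificate actually installed on the Edge. This is an added example, not code from the thread; example.com standing in for the poster's domain, the constructed sample certificate dict and the function names are assumptions.

```python
import socket
import ssl

# Edge FQDNs from the thread (example.com stands in for "<domain name>.com");
# the first one is the external Access Edge, which the answer says must be the CN.
PUBLIC_EDGE_FQDNS = ["accessedge.example.com", "avedge.example.com", "webedge.example.com"]

# Constructed sample certificate in the dict shape ssl.SSLSocket.getpeercert()
# returns: CN is the Access Edge name, the other Edge names are SAN entries.
SAMPLE_CERT = {
    "subject": ((("commonName", "accessedge.example.com"),),),
    "subjectAltName": (
        ("DNS", "accessedge.example.com"),
        ("DNS", "avedge.example.com"),
        ("DNS", "webedge.example.com"),
    ),
}

def common_name(cert):
    """Return the subject commonName from a getpeercert()-style dict, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def dns_names(cert):
    """Return the lower-cased DNS entries of subjectAltName."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def check_edge_cert(cert, fqdns=PUBLIC_EDGE_FQDNS):
    """Report whether one certificate covers every public Edge FQDN.
    Names match exactly: the thread says wildcard certificates are a no-go
    for OCS Edge roles, so a "*.example.com" entry is reported, not accepted."""
    cn = common_name(cert)
    covered = set(dns_names(cert)) | ({cn.lower()} if cn else set())
    return {
        "cn_is_access_edge": cn is not None and cn.lower() == fqdns[0].lower(),
        "uncovered": [f for f in fqdns if f.lower() not in covered],
        "wildcards": sorted(n for n in covered if n.startswith("*.")),
    }

def fetch_cert(host, port=443):
    """Fetch a live listener's certificate (not exercised offline). The default
    context verifies against the system trust store, so a cert from Bo's internal
    CA fails here exactly as it would for an external user."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `check_edge_cert(fetch_cert("accessedge.example.com"))` against the real listener once the purchased certificate is installed; an empty `uncovered` list with `cn_is_access_edge` true is the configuration Mike describes.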
  • Is there any official documentation that states this?  I'm experiencing this as well and it's not giving me the warm fuzzy.

    Tuesday, October 28, 2008 2:41 AM