MTLS and SAN

  • Question


    I have got a cert from Entrust to the OCS.mycompany.com front end server with Subject name ocs.mycompany.com and other SAN names like im.mycompany.com, web.mycompany.com ...etc


    The certificate was installed on the Front end and users were able to connect.


    Then I installed Communicator web access server named as WEB.mycompany.com and imported the certificate above, but while I was trying to complete the Communicator web access setup I was asked to select a cert for MTLS. When I selected the imported one, with the subject name ocs.mycompany.com and web.mycompany.com as one of the SAN names, the system refused to use it and gave me a message that the cert subject name is different from the FQDN and this does not work for MTLS.


    Any workaround this...?


    I have also read that the two certificates installed on the 2 servers have to be from the same CA..? Is this correct...?


    Kindly advise...


    Mahmoud Amin

    Tuesday, April 29, 2008 12:55 PM

All replies

  • The certificate CWA uses for MTLS to the Front-End must have a subject name that matches the actual name of the server. Your SAN cert could be used when you create the virtual server for the address users will actually be connecting to.

    Usually you would use an internal PKI to issue certificates for the internal services and MTLS and then use a public cert on your Edge or ISA servers. In this case, to adhere to the requirements of using the same CA for MTLS you'll need another certificate with the subject name of your CWA server. A plain ol' standard SSL certificate should work, but you'll also need to get it from Entrust.
    Tuesday, April 29, 2008 7:59 PM
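As an added example (not code from the thread or from the OCS/CWA product), the following PowerShell script run on the CWA server lists the certificates in the local machine store and reports, for each one, the two conditions the reply describes: whether the subject CN equals the server's own FQDN (a name that only appears in the SAN list is flagged separately, which is the questioner's situation), and whether the issuer matches the Front-End certificate's issuer. The function name, parameter names and the store path are assumptions; the issuer string in the usage line is a placeholder to be replaced with the Front-End certificate's actual Issuer value.

```powershell
# Added example: find which local certificates satisfy the MTLS requirements
# described in the reply (subject CN = this server's FQDN, private key present,
# same issuing CA as the Front-End certificate). Function and parameter names
# are hypothetical; nothing here is part of the CWA setup tooling.

function Test-MtlsCertificateCandidate {
    param(
        # Issuer DN copied from the Front-End certificate, e.g. from
        #   (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*ocs.mycompany.com*' }).Issuer
        # Leave empty to skip the same-CA comparison.
        [string]$FrontEndIssuer = '',
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    # The machine's FQDN as DNS resolves it. MTLS needs the subject CN to equal this
    # name; appearing in the SAN list is not enough for the CWA setup wizard.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        # Decode the Subject Alternative Name extension (OID 2.5.29.17), if present,
        # into the list of DNS names it carries.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanNames = @()
        if ($sanExt) {
            $sanNames = ($sanExt.Format($true) -split "`r?`n") |
                Where-Object { $_ -match 'DNS Name=' } |
                ForEach-Object { ($_ -split '=', 2)[1].Trim() }
        }

        # PowerShell string comparison is case-insensitive, which suits host names.
        $cnMatchesFqdn = ($cn -eq $fqdn)
        $fqdnOnlyInSan = (-not $cnMatchesFqdn) -and ($sanNames -contains $fqdn)
        $sameIssuer    = [string]::IsNullOrEmpty($FrontEndIssuer) -or ($cert.Issuer -eq $FrontEndIssuer)

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            SubjectCN      = $cn
            SanDnsNames    = ($sanNames -join ', ')
            Issuer         = $cert.Issuer
            HasPrivateKey  = $cert.HasPrivateKey
            CnMatchesFqdn  = $cnMatchesFqdn
            # True when the server name is only a SAN entry: the cert the questioner
            # tried, which CWA rejects for MTLS.
            FqdnOnlyInSan  = $fqdnOnlyInSan
            SameIssuerAsFE = $sameIssuer
            UsableForMtls  = ($cnMatchesFqdn -and $cert.HasPrivateKey -and $sameIssuer)
        }
    }
}

# Usage (issuer value is a placeholder; paste the Front-End certificate's Issuer):
Test-MtlsCertificateCandidate -FrontEndIssuer '<issuer DN of the Front-End certificate>' |
    Format-Table Thumbprint, SubjectCN, CnMatchesFqdn, FqdnOnlyInSan, SameIssuerAsFE, UsableForMtls -AutoSize
```

A certificate that shows FqdnOnlyInSan = True is the SAN certificate from the question: fine for the virtual server users connect to, but not acceptable as the MTLS certificate. A row with UsableForMtls = True is one whose subject CN is the CWA server's own name and which was issued by the same CA as the Front-End's certificate, which is the second certificate the reply says is needed.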