how do I remove and replace the existing certificate in OCS 2007

  • Question

  • I'm trying to use a new certificate in OCS 2007, but there seems to be no way of removing the existing one.

    When I try and import the new one over the top of the old one it doesn't update.

    Any ideas?

    Sean
    Wednesday, December 5, 2007 9:07 AM

All replies

  • Sean,

     

    Using the OCS console, right-click on the server object (found under either the Standard Edition or Enterprise pools) and select properties for any of the roles.  The Certificates tab will allow you to control what locally stored certificate is currently assigned to the server.

     

    If this is an Edge Server, then access the properties on the OCS object in the Computer Management console, and go to the Edge Interfaces tab.  Click Configure on each interface to see the Select Certificate button.

     

    Wednesday, December 5, 2007 11:30 AM
    Moderator
  • OK, I've right-clicked on the node as shown below and selected Properties -> Front End option, but there is no Certificates tab.

     

    http://www.seanliquorish.co.uk/temp/ss.jpg

     

    Any ideas?

    Wednesday, December 5, 2007 2:56 PM
  • That is the properties window for the server/pool object.  Check the properties on the server object itself, which is shown with the FQDN (nbaproj.nbaconsultants.local).

    Yes, it's a bit confusing the way things are scattered about in the console.

     

     

    Wednesday, December 5, 2007 4:01 PM
    Moderator
  •  

    Hi there, I have managed to get the certificate registered for the OCS services, thanks for that.

     

    However I have found another issue now.

     

    In the lowest level server object, right clicked -> certificates, exported the certificate to a text file, copied that to my own machine, registered it in trusted root certificate providers as a certificate.

     

    However I still cannot connect to the OCS box, due to the certificate being invalid for that server.  I have checked, all traffic to and from the server is flowing fine.

     

    Any ideas?

     

    Sean

    Wednesday, December 12, 2007 4:51 PM
  • Sean,

     

    You don't want to put the actual server certificate in your local Trusted Root Certificate Authority, that won't work.  The root certificate for a Certificate Authority needs to go into that store, not an issued certificate.

     

    When you view the properties on that certificate, does it show the root as trusted or not (red 'X' over the cert icon)?

    What CA issued that server certificate, an internal Windows Enterprise CA, or a third-party (like Verisign)? Is the workstation you are connecting from a member of the same forest/domain as that internal CA?  If you're using a third-party CA, verify their root-level cert exists in that local store.

     

     

    Wednesday, December 12, 2007 5:53 PM
    Moderator
  • Thanks I'll try the root certificate.

     

    It's an internal CA, user machine on the same domain.

     

    Sean

    Thursday, December 13, 2007 6:59 AM
  • Tried this; is this correct?

     

    On Server

    Gone into mmc.exe -> certification authority (local) -> nba node

    Right-clicked All Tasks -> Backup CA -> Backed up to a p12 file

     

    On My Machine

    Copied the p12 file to my machine.

    Opened Certificate (Local Computer)

    Right-click Trusted Root Certification Authorities

    Select Import, and import it into the above folder.

     

    Still no luck.

     

    Sean

    Thursday, December 13, 2007 7:17 AM
  • If the workstation is a member of the same domain as your internal CA, then the root certificate should already be trusted and the steps above are unnecessary.

     

    On the workstation go to:

    - Local Computer store via the Certificates MMC snap-in
      - Trusted Root Certification Authorities
        - Certificates

    In the list you should see a cert issued to your internal domain name with the Intended Purpose shown as <All>.

     

    I'd enable logging to the event log in Communicator and take a look at the exact errors you are getting when trying to sign in.

    Thursday, December 13, 2007 2:09 PM
    Moderator
  • If you actually look at the certificate on the server, does it say that it is valid?

    Go back to the MMC on the server, in Certificates for that machine, open the offending cert: does it say anything about it being invalid? On the General tab there will be a lot of red and it will say not trusted or something.

    What URL are you trying to access, and what are the subject and SANs on the cert? Could it be that you are trying to access a URL that is not on the cert?

     

    Blackduke

     

    Thursday, December 13, 2007 11:23 PM
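The checks the two replies above ask for (is the internal CA's root in the workstation's Local Computer Trusted Root store, does the server certificate chain to it, and does the name the client uses appear in the Subject or SANs) can be done from a PowerShell prompt on the workstation rather than by eyeballing the MMC. This is an added example, not code from the thread or from Microsoft; the CA name pattern, the .cer path and the server FQDN are placeholders to substitute.

```powershell
# Added example (not code from the thread): run on the domain workstation that
# fails to sign in. It (1) lists internal CA roots in the Local Computer
# Trusted Root store, (2) builds the chain for the exported server certificate
# the way Windows does for server authentication, and (3) checks that the FQDN
# the client connects to appears in the Subject CN or the SANs.
# 'nba', C:\temp\ocs-frontend.cer and the FQDN below are assumed placeholders.

function Get-InternalRootCas([string]$Pattern) {
    # Roots in the Local Computer store whose subject matches the CA name.
    # A root with Intended Purpose <All> carries no EKU extension at all.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -match $Pattern } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

function Get-CertDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Subject CN plus every DNS entry in the Subject Alternative Name extension.
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) prints one entry per line, e.g. "DNS Name=host.example.local"
        # (the label is localized; adjust the regex on non-English systems).
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+?)\s*$') { $names += $matches[1] }
        }
    }
    $names | Select-Object -Unique
}

function Test-ServerCertChain([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Build the chain against the machine's trust stores, requiring the
    # Server Authentication EKU. Revocation checking is skipped so the test
    # works offline; drop that line to also exercise CRL reachability.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.1')) | Out-Null
    $ok = $chain.Build($Cert)
    # Typical statuses: UntrustedRoot (root not in the store), NotTimeValid,
    # PartialChain (issuing CA cert missing), RevocationStatusUnknown.
    $status = $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }
    New-Object PSObject -Property @{
        Trusted   = $ok
        Issues    = $status
        ChainPath = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

function Test-OcsServerCert([string]$CertPath, [string]$ServerFqdn) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $names = @(Get-CertDnsNames $cert)
    $chain = Test-ServerCertChain $cert
    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NamesOnCert  = $names
        NameMatches  = ($names -contains $ServerFqdn)   # FQDN the client uses must be on the cert
        ChainTrusted = $chain.Trusted
        ChainIssues  = $chain.Issues
        ChainPath    = $chain.ChainPath
    }
}

# Usage (placeholders): the .cer exported from the server's Certificates tab,
# and the FQDN Communicator is configured to sign in to.
Get-InternalRootCas -Pattern 'nba'
Test-OcsServerCert -CertPath 'C:\temp\ocs-frontend.cer' -ServerFqdn 'nbaproj.nbaconsultants.local' | Format-List
```

If ChainTrusted is false with UntrustedRoot, the fix is the one the moderator describes: the CA's root certificate (not the issued server certificate, and not a CA backup .p12) belongs in Trusted Root Certification Authorities. If the chain is fine but NameMatches is false, the client is connecting to a name that is neither the Subject CN nor a SAN, which is Blackduke's point.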
  • On the Edge Server the certificate wizard fails generating a new certificate with an existing certificate assigned.  Also there appears to be no option to delete or deassign an existing certificate.  I can only Select a certificate as the button indicates.  How do I deassign or delete each certificate gracefully? 

    Saturday, October 25, 2008 12:00 AM
  • If you go to the Properties of the "Microsoft Office Communications Server 2007" management console on the Edge Server, pull up the Edge Interfaces tab.  Hit 'Configure' on the desired interface and then hit the 'Select Certificate' button.  You can re-assign the certificates from here.

     

    Only certificates stored in the local Computer store will appear in the list.  If you need to manage the existing certificates themselves, then you should use the 'Certificates' MMC snap-in on the Edge server; just make sure you access the 'Local Computer' store when adding the snap-in.

    Saturday, October 25, 2008 12:53 AM
    Moderator
  • Thanks, I was able to generate certificate requests, issue certificates, and import them.  It is important to use the wizard to both generate and import.   I was then able to reassign server roles to the new certificates.

     

    I have a problem generating a certificate on the OCS 2007 front end server.  The wizard gives me the error message "the export certificate request operation encountered an error" after the last step so the request is never generated.  This occurs whether the certificate is "deleted" from properties or not.

     

    Saturday, October 25, 2008 1:35 AM
  • I found a bunch of files that were being created by the wizard in

    %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.

     

    I deleted all of the files created today and then deleted the certificate from the Front End role properties in the OCS console.  After that the wizard worked great.

     

    Saturday, October 25, 2008 2:32 AM
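The MachineKeys folder mentioned in the last post holds the private key container for every machine certificate on the box, not just the wizard's leftovers, so deleting "all of the files created today" destroys any key that was also issued that day. The following added example (not code from the thread or from Microsoft) lists the recently created container files and tells you which certificate or pending request in the Local Computer store still references each one, so only genuinely orphaned files are candidates for removal. The path defaults to the Windows Server 2003 layout quoted in the thread; on later Windows it is $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys.

```powershell
# Added example (not code from the thread): before deleting anything under
# MachineKeys, list the key-container files created since a given time and
# show which certificate (My store) or pending request (REQUEST store) in the
# Local Computer store owns each one. Files with no owner are the leftovers
# of failed wizard runs; files with an owner are live private keys.
# The MachineKeys path used in the usage line is the Windows Server 2003
# location from the thread and is an assumption for other Windows versions.

function Get-ReferencedKeyContainers {
    # Map UniqueKeyContainerName (which is the file name in MachineKeys) to
    # the owning certificate. This covers CSP (RSA) keys, which is what the
    # OCS 2007 wizard creates; CNG keys live in a different folder.
    $refs = @{}
    foreach ($store in 'My', 'REQUEST') {
        $certs = Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue
        foreach ($cert in $certs) {
            if (-not $cert.HasPrivateKey) { continue }
            try {
                $name = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
                if ($name) { $refs[$name] = "${store}: $($cert.Subject)" }
            } catch {
                # Key exists but is not readable by this account: treat it as in use.
                Write-Warning "Cannot read the key for $($cert.Subject) in $store; treat its file as in use"
            }
        }
    }
    return $refs
}

function Get-OrphanKeyFiles([string]$MachineKeysPath, [datetime]$Since) {
    $refs = Get-ReferencedKeyContainers
    Get-ChildItem -Path $MachineKeysPath -Force |
        Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $Since } |
        ForEach-Object {
            $owner = $(if ($refs.ContainsKey($_.Name)) { $refs[$_.Name] } else { '(none: candidate leftover from a failed request)' })
            New-Object PSObject -Property @{
                File         = $_.Name
                Created      = $_.CreationTime
                ReferencedBy = $owner
            }
        }
}

# Usage: review the list; only rows whose ReferencedBy is '(none ...)' are
# candidates for removal, and back the folder up before touching any of them.
$path = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys'
Get-OrphanKeyFiles -MachineKeysPath $path -Since (Get-Date).Date | Format-Table File, Created, ReferencedBy -AutoSize
```

Run it elevated, since reading another certificate's CspKeyContainerInfo and listing MachineKeys both need administrator rights; a warning for a certificate whose key you cannot read should be treated as "in use", not as an orphan.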