Certificate ____

  • Question

  • Guys -

    I am going through what I call certificate ____....I think I fairly understand this stuff but still cannot get it to work. Here is my scenario

    1. My pool name is CompanyOCS.corp.local
    2. My server name (only one currently for testing) is OCSFE1.corp.local 

    - And the certificate I would need would have the Subject Name: CompanyOCS.corp.local
    - And have the following subject alternative names.
    - sip.company.com
    - CompanyOCS.corp.local
    - OCSFE1.corp.local
    - OCSFE2.corpl.local (my other OCSFE1 server)


    Apparently GoDaddy doesn't sell certificates where the Subject Name is not a TLD.

    When I try to use my internal CA I get the famous "problem verifying this certificate" error, and I do have the freakin' CA certificate in the Trusted Certificate Authority.
    But never mind this, I want to pay for this and get it done. Do you guys know of a vendor that can help me out with this?

    thanks !
    Z
    Monday, June 15, 2009 9:13 PM

Answers

  • VeriSign and DigiCert are common choices as they support UC certificates.  But for an internal Front-End server you don't need to use a public certificate, unless you haven't deployed an internal Windows Enterprise CA.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    • Marked as answer by ZPoint2010 Wednesday, June 24, 2009 3:34 PM
    Tuesday, June 16, 2009 7:28 PM
    Moderator

All replies

  • anybody ?????

    apparently my services are failing to start now when I use a certificate where the subject name is companyocs.company.com
    Monday, June 15, 2009 9:53 PM
  • We can help you.  My e-mail address is in my profile.


    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    Tuesday, June 16, 2009 1:31 AM
    Moderator
  • What sip domain are you using ?

    Tuesday, June 16, 2009 8:51 AM
  • We can help you.  My e-mail address is in my profile.


    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    Terrible....this is a forum or place for sales people to pimp out their consultants....and we have an MVP doing this. Great ....
    Tuesday, June 16, 2009 2:09 PM
  • sip domain is name@company.com, not name@company.local
    Tuesday, June 16, 2009 2:10 PM
  • Forums are great for non-critical support.  Many of us here are vendors and consultants that help customers through these deployments every day, and since you asked directly for a vendor to pay to assist with correcting your issues it certainly conveyed the impression that you wanted a more hands-on approach to solving your problem.  If you look at my profile info you'll see that I've been answering posts on this forum for quite a long time and have helped many people.  I'm happy to do the same for you but was responding to your message that indicated you were seeking more immediate assistance.

    All that aside, you need to be sure that the subject name of the certificate matches the FQDN of the pool as it is in AD.  It looks like you tried to do this with GoDaddy but they wouldn't issue it.  Some certificate vendors won't do this at all and others will do it if you put "FOR INTERNAL USE ONLY" in the OU.  You need to check with the vendor directly to find out their policies.


    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    Tuesday, June 16, 2009 2:28 PM
    Moderator
  • Jeff -

    Thank you very much for your help...

    My POOL FQDN is : pool01.company.local 

    I can set up a DNS A record for pool01.company.com to point to the same IP as pool01.company.local......do I still need a Certificate with the subject name that you recommended?

    I have someone else generating a certificate for me and they generated a certificate with the following info

    Certificate Subject Name: company.corp.local
    Certificate SAN: ocsserver01.company.local, ocsfe2.company.local

    I am trying to connect with username@company.com

    looks like I am doing something blatantly wrong??
    Tuesday, June 16, 2009 2:50 PM
  • Jeff, are you saying I don't want pool01.company.local in my cert subject names at all?
    Tuesday, June 16, 2009 2:52 PM
  • What if I don't want to remove the pool..

    Can I make it work without doing that?

    Can I have pool01.company.local as one of the alt subject names?

    Will my services start if I use a cert with the company.com subject name, I doubt it.....


    Tuesday, June 16, 2009 3:27 PM
  • Automatic Configuration of clients will only work if the user's sign-in domain matches the DNS SRV record, which must match the domain name of the A record, which in turn must match the domain name listed on a certificate.

    If you use Manual Configuration you might be able to get it working, but not with the cert you listed.  Try this:

         Certificate Subject Name: pool01.company.local
         Certificate SAN: sip.company.com, ocsserver01.company.local, ocsfe2.company.local

    And then configure OC to point to the internal server as:

    Internal Servername or IP Address: pool01.company.local

    I've never tried to configure OCS like this so it may still fail, but it might work.  Easier to test than replacing the entire pool.


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, June 16, 2009 3:57 PM
    Moderator
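    The chain Jeff describes (sign-in domain, SRV target, A record / pool FQDN, certificate name) can be checked mechanically. The following is an added example, not code from the thread: it takes the two certificates discussed above as constructed input and reports which names are missing. The helper names, the `Cert` type and the lenient rule that either the CN or a SAN may satisfy the client are assumptions.

```python
# Added example (not from the thread). Checks whether a certificate names every
# FQDN in the Communicator sign-in chain Jeff describes:
# sign-in domain -> SRV target -> A record / pool FQDN -> certificate name.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject_cn: str
    sans: tuple  # dNSName entries from the Subject Alternative Name extension


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; '*' covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def cert_covers(cert: Cert, host: str) -> bool:
    # Assumption: a match in either the CN or the SAN list satisfies the client.
    return any(name_matches(n, host) for n in (cert.subject_cn, *cert.sans))


def check_sign_in_chain(sign_in_domain: str, srv_target: str, pool_fqdn: str,
                        servers: tuple, cert: Cert) -> dict:
    """Report what would block sign-in: a domain mismatch and uncovered names."""
    problems = {"domain_mismatch": [], "missing_from_cert": []}
    # Automatic Configuration: the SRV target has to live in the sign-in domain.
    if not srv_target.lower().endswith("." + sign_in_domain.lower()):
        problems["domain_mismatch"].append(srv_target)
    # Every name a client may connect to must be present on the certificate.
    for host in (srv_target, pool_fqdn, *servers):
        if not cert_covers(cert, host):
            problems["missing_from_cert"].append(host)
    return problems


# Constructed scenario from the thread: users sign in as name@company.com while
# the pool and servers live in the company.local AD namespace.
SERVERS = ("ocsserver01.company.local", "ocsfe2.company.local")
THREAD_CERT = Cert("company.corp.local", SERVERS)  # the cert that failed
SUGGESTED_CERT = Cert("pool01.company.local", ("sip.company.com",) + SERVERS)

if __name__ == "__main__":
    for label, cert in (("current", THREAD_CERT), ("suggested", SUGGESTED_CERT)):
        print(label, check_sign_in_chain("company.com", "sip.company.com",
                                         "pool01.company.local", SERVERS, cert))
```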
  • too late...tried replacing the pool...

    I get this error if I try creating a pool with the name pool01.company.com, since my AD domain is company.local.

    ____ annoying !


    Failure
    [0x8007054B] The specified domain either does not exist or could not be contacted.



    I haven't tried the cert you mentioned above with sip.company.com as a SAN name....is that crucial to make it work, since my sip names are the email addresses?


    Tuesday, June 16, 2009 4:09 PM
  • OK, back to using pool01.company.local as my pool name, I don't think I have a choice regarding this.

    When I use the certificate I get the following error..

    Communicator could not connect securely to server shiocs.corp.local because the certificate presented by the server was not trusted due to validation error 0x80ee0065.  The issuing certificate authority (CA) for the server's certificate may not be locally trusted by the client, the certificate may be revoked, or the certificate may have expired.
     
     Resolution:
     A tool like winerror.exe from the Windows Resource Kit or lcserror.exe from the Office Communications Server Resource Kit can be used in order to interpret the error code listed above.  If you trust the server certificate, the issuing certificate authority (CA) certificate can be placed in the local trusted root certificate authorities certificate store.  If you have logged into the server before without issues the network administrator should carefully examine the certificate if no known configuration changes have been made.

    Tuesday, June 16, 2009 4:58 PM
  • (Ok, I completely apologize for this.  I was reading through my posts and I explained it entirely backwards!  Anything related to the DNS records is all correct, but I completely screwed up my explanation of the pool name.  It needs to be in the SAME domain as the server's namespace.

    I'm going to go back and edit the original posts so as not to stray anyone else in the wrong direction.  You are correct in that attempts to configure the poolname in a different namespace will result in that error.)

    Ok, so the latest issue sounds like you don't have the root CA or CA chain trusted on the client.  Where are the certificates you are using being issued from?  An internal Enterprise CA or a public CA of some sort?  Are you connecting from workstations connected to the same domain as OCS is running in?


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, June 16, 2009 5:06 PM
    Moderator
  • Whoa, I completely missed this post.  Mike's response was dead-on as you specifically asked "Do you guys know of a vendor that can help me out with this ?" which he is one of those.  Your response was a bit harsh, IMO.

    Maybe I should re-think spending my own time on assisting you in this specific thread.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, June 16, 2009 5:19 PM
    Moderator
  • Sorry but I was talking about the certificate all along and then wanted to know if you guys knew of a certificate vendor. A little off track and I get pimps trying to sell me stuff.

    This is BS


    Tuesday, June 16, 2009 6:34 PM
  • I currently have an Enterprise Office Comm 2007 R2 server installed and the services all started after I bought and installed an SSL cert (non-UCC) from GoDaddy. (We don't have an internal CA).

    So even though the Office Comm setup wizard requires that you put the "sip.domain.com" address in the SAN field below (for example, ours is all the same FQDN, e.g., "pool.domain.com" and "sip.domain.com").

    The cert is registered as "pool.domain.com" with GoDaddy with nowhere to insert the "sip.domain.com" since it's a normal cert.


    So the question is, why am I getting "there was a problem verifying the certificate from the server" when I try to sign in through Communicator?

    I've seen posts where others get this working with a single SSL cert in a similar setup. What's the magic?

    I plan on using a UCC for my edge, etc. But I thought I could use a single for Front End internal.

    Josh
    Wednesday, July 1, 2009 4:29 PM
  • Are you using Automatic Configuration with an internal SRV record to direct OC clients to the FE servers?  If so, what A record does that point to?

    Do you have multiple SIP domains?

    Is your AD domain namespace different from your SIP domain? For example, is the FE server FQDN ocsserver.company.local while users' SIP addresses are username@company.com?
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, July 1, 2009 5:07 PM
    Moderator

  • The DNS record reads (under the _tcp subfolder of the domain):

    _spinternaltls Service Location (SRV) [0][0][5061] sip.domain.com

    my internal AD namespace and the external are the same. (both are "domain.com")

    Just one SIP domain, e.g., "sip.domain.com"

    Thanks for your reply.

    Wednesday, July 1, 2009 7:10 PM