Solved

How do I generate a new certificate for Live Communications Server 2005?

Posted on 2009-04-27
Last Modified: 2013-11-29
Upon rebooting one of my servers that is running Live Communications Server I realized that the certificate that LCS was using had expired on 4/1/2009.  I did not have any problems until yesterday but I am guessing that the expiration was not set off until the reboot.  I did not originally set up LCS and I can't figure out how a new certificate can be obtained.

When I look at the certificate information it was issued to server_name.domain.local and it was issued by LCS.  

Thank you for your assistance.
Question by:mperesie
 
LVL 4

Expert Comment

by:BillCarlin
ID: 24307530
To replace the certificate successfully a new one should be issued to the same FQDN (fully qualified name) as the server or the pool name.

To review a full breakdown, please see this article:
http://communicationsserverteam.com/archive/2008/01/17/71.aspx

There is also the Cert Utility located in the Resource kit that can assist you.
http://blogs.technet.com/toml/archive/2007/01/22/creating-certificates-for-lcs.aspx
-Cheers
0
 

Author Comment

by:mperesie
ID: 24313975
BillCarlin,

Thanks for your assistance.  I am trying to generate the certificate locally using certsrv and I can't seem to generate a valid certificate.  When I run the LCSCertUtil I selected Request Certificate and I enter my FQDN as the subject name.  I fill out the optional fields and leave template set as WebServer and then click Next to generate the lcscert.req file.

Then I go to //localhost/certsrv and select Request a certificate and then Advanced certificate request.  On the Advanced page I select the submit using a file option and insert the file, change template to Web Server and then click Submit.  On the next page I leave DER encoded selected and click Download certificate.  I then install the certificate.  When I go to the Live Communications Server management utility and go to the properties of the server it still shows that I don't have a valid certificate.  I can see a certificate with the FQDN and a valid expiration though.

Not sure what steps I am doing wrong.
0
 

Author Comment

by:mperesie
ID: 24314491
I also tried to follow the instructions in the Microsoft Office Live Communications Server 2005 Certificate Configuration document.  When I get to the steps involving requesting the certificate I go to the web based certsrv.  I select Request a certificate / Advanced Certificate Request / Create and submit a request to this CA.  On the request page the instructions mention "In the Type of Certificate Needed list, click Server Authentication" but on the page I have that is not an option.
0
 
LVL 4

Expert Comment

by:BillCarlin
ID: 24316719
Okay, let me ask a side question as I was just having a Symantec discussion with a friend.  Are you using IM Manager by any chance?
0
 

Author Comment

by:mperesie
ID: 24317021
We are not using IM Manager with Office Communicator.  We only use Office Communicator for internal IM so security is not that high of a concern.
0
 
LVL 4

Expert Comment

by:BillCarlin
ID: 24320288
Just wanted to rule that out.  Is the account you are logged on with a Domain Admin? Can you post the actual error that is generated?  Depending where it originates from will determine the route to take (LCS issue vs PKI/CA problem). Did you have someone that handles your Directory Services look at it to rule them out? Are you able to log on to the CA server and browse to the LCS site?
0
 

Author Comment

by:mperesie
ID: 24331653
Live Communications Server was working properly prior to the expiration of the license.  I can't start the LCS server because of the license issue.  If I try to go to the Properties of the node and then the Security tab I get an error stating "Live Communications Server Snap-in cannot read the certificate information, or the certificate is no longer available."

I am positive that I am generating the certificate wrong but I can't find how to generate it properly.  I am running certsrv from the localhost of the LCS server.
0
 
LVL 4

Expert Comment

by:BillCarlin
ID: 24338045
Uninstall the Certificate and try recreating.  Make sure it is removed from IIS before installing again. If you go into the properties of your OCS Server in the admin tools, you should be able to manually force the OCS Server to use a specific certificate.
0
 

Author Comment

by:mperesie
ID: 24454369
I have tried this many more times and I don't think I am properly generating the certificate.  Do you know how I should be generating?
0
 

Accepted Solution

by:
mperesie earned 0 total points
ID: 24477508
I finally figured out what my issue was by contacting Microsoft for some assistance with the generation of the certificate.  I will post what I did in efforts to help anybody else with the same issue.

Load up the certsrv and click Request a Certificate and then go to Advanced Certificate Request and then Create and submit a request to this CA.  On the Advanced Certificate Request you select Web Server as the template and then enter the fully qualified domain name as the name.  Under Key Options you select Store certificate in the local computer certificate store and then click Submit at the bottom.  On the next page you click on Install Certificate.

This process creates and installs the certificate and then you just need to configure LCS to use the certificate.  Then you need to start the Live Communications Server console and expand Servers and right click the server you want to configure then click Properties.  On the Properties screen I right clicked on TLS transport and clicked Edit and on the Edit Connection screen I clicked on the Select Certificate button to select the newly generated certificate.  Also on the main server properties screen I went to the security tab and clicked Select Certificate and selected the new certificate.

Once this was complete I was able to start the LCS service and users could then login.

This issue can be closed.
0
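Added example, not part of the original thread or of Microsoft's instructions: a PowerShell check that the local computer certificate store holds a certificate for the server's FQDN that a TLS listener can use, and how long it has left before expiry. The function name `Test-TlsServerCertificate`, the default FQDN lookup from the computer name and the 30-day warning threshold are assumptions made for illustration.

```powershell
# Added example: audit Cert:\LocalMachine\My for a usable TLS server certificate.
# Pass the pool FQDN with -Fqdn if the certificate was issued to the pool name.
function Test-TlsServerCertificate {
    param(
        # Assumption: the machine's DNS host entry returns the FQDN used in the request
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [int]$WarnDays = 30   # assumed warning window, adjust to your renewal process
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $now = Get-Date

    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Subject common name must match the FQDN (-ne is case-insensitive)
        if ($cert.GetNameInfo($nameType, $false) -ne $Fqdn) { return }

        # Collect the enhanced key usage OIDs, if the extension is present
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }

        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key in this store' }
        if ($now -lt $cert.NotBefore) { $problems += 'not yet valid' }
        if ($now -gt $cert.NotAfter) {
            $problems += 'expired'
        } elseif (($cert.NotAfter - $now).TotalDays -lt $WarnDays) {
            $problems += "expires within $WarnDays days"
        }
        # A certificate with no EKU extension is unrestricted; only flag a restrictive one
        if ($ekuOids.Count -gt 0 -and $ekuOids -notcontains $serverAuthOid) {
            $problems += 'EKU does not include Server Authentication'
        }

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - $now).TotalDays
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

Test-TlsServerCertificate | Format-List
```

No output means no certificate for that FQDN is in the local computer store, for example because it was installed into a user store instead.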