Problems with certificate OCS 2007


I have the following problem:

I've set up a new clean lab environment. In this environment I have a Windows 2003 R2 Active Directory server, an Exchange 2007 server and a SQL 2005 server. On the Active Directory server I installed the Certificate Authority role. Besides these servers I started setting up an OCS 2007 environment.

I installed the front end, requested the certificates for it through the web interface of my CA and assigned the certificates. No errors there. I created 5 test users, SIP-enabled them, and they are visible in my OCS front end and configured.

When I try to log on with one of the users I get the following error:
There was a problem verifying the certificate from the server. Please contact your system administrator.

Now, what I did trying to solve this problem:
I exported the certificate of the CA with its private key and imported it on my front end and test computer into the Trusted Root Certification Authorities store.
This did not solve the problem.

When you run the connectivity test of the OCS deployment process you get the error that port 5061 is not available on my front end. However, when I start a telnet session to my front end using this port I get a response.
When you open your browser and go to https://poolname:5061 you also get a response from the browser that it does not trust the issuer of the certificate.

What could be the problem? I already checked the links to make sure that I did not miss a step in the process of setting up my CA, but this all seems to be fine.

Hope someone can help me.

Thanks in advance
The certificate on the Front End server serves two purposes. It provides MTLS authentication between it and other servers connecting, which is based on the FQDN of the server itself, i.e. servername.domain.suffix.

When users connect to the Front End server they are connecting using their SIP URI, e.g. user@domain.suffix. In some cases the SIP domain suffix is different from the actual domain suffix. In our case, for example, users sign in using their email address, whereas our internal domain is

This may not be the case in your situation, but if it is then you need to add the SIP domain as a Subject Alternate Name (SAN) when you use the wizard to create the certificates.

It would also be wise to run the Validation wizard on the Front End server to see if you get any errors.

Hope this helps.
In addition you need to have the root certificate imported into the local computer trusted roots certification authorities store on the workstation(s).
If the CA you installed was not Active Directory integrated (Enterprise CA), which is only available in the Enterprise Edition of Windows, then Root Certificate enrollment does not happen automatically. You'll need to publish the Root Certificate in AD using DSPublish and enable automatic enrollment in the domain group policy.
o-tvw-ee (Author) commented:
Thanks guys for the response due to lack of time I was not able yet to try it out. I will implement it one of the following days and give you feedback.
Ahmed Shahba (System Architect) commented:

You first need a certificate with SN=Pool FQDN and SAN=Front-end server FQDN, and this is used for (M)TLS authentication between pool servers and Communicator clients.

And this certificate's SN must match the Internal Web Farm FQDN (same as Pool FQDN) you entered while creating the pool. So you need IIS on the Front End server and to assign this certificate to the Default Web Site.

If you do the above, surely everything will be fine, and there is also no need to import the local CA to the machines, since they have already joined your domain and automatically have this certificate.
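The answers above boil the problem down to two checks on the certificate the front end presents on port 5061: does it carry the right names (subject CN = pool FQDN, SAN = front-end FQDN, plus the SIP domain when it differs from the AD domain suffix), and does it chain to a root the client actually trusts? The script below is an added example written for this thread, not code from any of the posters or from Microsoft; the FQDNs and the sample certificate dictionaries are constructed lab placeholders, and `fetch_peer_cert` assumes you have exported only the CA's public certificate (no private key) to a PEM file, which is the file a workstation's trust store needs anyway.

```python
import socket
import ssl

# Constructed lab names (placeholders, not from the question).
POOL_FQDN = "pool01.lab.local"      # Internal Web Farm / pool FQDN -> subject CN
FRONTEND_FQDN = "ocsfe01.lab.local" # front-end server FQDN -> SAN, used for MTLS
SIP_DOMAIN = "lab.local"            # users sign in as user@SIP_DOMAIN


def subject_cn(cert):
    """Return the subject CN (lower-cased) from a dict in ssl.getpeercert() layout."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None


def san_dns_names(cert):
    """Return the DNS entries of the subjectAltName extension, lower-cased."""
    return {value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}


def check_ocs_names(cert, pool_fqdn, frontend_fqdn, sip_domain):
    """Compare the certificate's names with what OCS servers and Communicator expect.

    Returns a list of problems; an empty list means the names are as the answers describe.
    """
    problems = []
    cn = subject_cn(cert)
    sans = san_dns_names(cert)
    if cn != pool_fqdn.lower():
        problems.append(f"subject CN is {cn!r}, expected pool FQDN {pool_fqdn!r}")
    if frontend_fqdn.lower() not in sans:
        problems.append(f"SAN lacks front-end FQDN {frontend_fqdn!r} (server-to-server MTLS)")
    # The SIP domain only needs its own SAN when it differs from the AD domain suffix.
    ad_suffix = frontend_fqdn.lower().split(".", 1)[-1]
    if sip_domain.lower() != ad_suffix and sip_domain.lower() not in sans:
        problems.append(f"SAN lacks SIP domain {sip_domain!r} (differs from AD suffix {ad_suffix!r})")
    return problems


def fetch_peer_cert(host, port, ca_file):
    """Connect over TLS and return the peer certificate as a dict.

    ca_file is the CA's public certificate in PEM form (assumption: exported without
    the private key). Because verification is required, the handshake itself fails
    with an SSLError when the chain is not trusted, which is the same condition the
    browser reports as an untrusted issuer. Hostname matching is done by
    check_ocs_names instead, because the pool name and server name both matter.
    """
    context = ssl.create_default_context(cafile=ca_file)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the layout ssl.getpeercert() returns.
SAMPLE_CERT_OK = {
    "subject": ((("commonName", "pool01.lab.local"),),),
    "subjectAltName": (("DNS", "ocsfe01.lab.local"),),
}
# Wrong shape: CN is the server name and there is no SAN at all.
SAMPLE_CERT_BAD = {
    "subject": ((("commonName", "ocsfe01.lab.local"),),),
}


if __name__ == "__main__":
    for label, cert in (("good", SAMPLE_CERT_OK), ("bad", SAMPLE_CERT_BAD)):
        issues = check_ocs_names(cert, POOL_FQDN, FRONTEND_FQDN, SIP_DOMAIN)
        print(label, "->", issues or "names OK")
    # Live check (uncomment in the lab): issues on the real front end
    # cert = fetch_peer_cert(POOL_FQDN, 5061, "lab-root-ca.pem")
    # print(check_ocs_names(cert, POOL_FQDN, FRONTEND_FQDN, SIP_DOMAIN))
```

Run it once against the samples to see the two outcomes, then point `fetch_peer_cert` at the real pool name with the exported root certificate; a handshake failure there means the trust store problem from the question, while an empty problem list from `check_ocs_names` means the naming advice in the answers has been followed.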
