How Do I Get The A/V Certificate Installed On The OCS Edge Server?

I've been able to get my Web Conference and Access (SIP) certs installed on the interfaces for the Edge Server.  However for internal we're using the enterprise CA.  I've exported the cert to .CER and .p7b file formats to the Edge Server in the DMZ and have installed the cert into the Trusted Root Certification Authorities store.

I can successfully "process and offline cert request and import the certificate".  Problem is when I try to assign the certificate to the A/V service, it's not visible in the list of available certificates.  I think this is because the EKU flag is not set in the cert (this is what kept me from installing the other certs until I generated a new CSR with that EKU checkbox enabled).

My question is how can I get that certificate to show up?  I can't rebuild the enterprise cert.  Do I just create a new cert with the EKU option checked, just for the A/V server?  if so, how do I do that...step by step.
Who is Participating?
MonterioConnect With a Mentor Author Commented:
AshwinRaj, the Microsoft docos say that the AV interface only needs an internal cert, so I rescinded my request for another Verisgn cert.  I finally got it working.  Hopefully, this will help someone:

Edge Server - in DMZ with no domain membership on three-legged firewall.

1) I took the enterprise CA, exported a copy as a .CER
2) Imported the CA into the local computer cert store on the Edge Server
3) Exported it as a .p7b file
4) Imported the chain from the .p7b file via the OCS wizard
5) Placed it into the "Personal" store
6) Assigned the cert to the A/V interface via the OCS wizard.

Jumped throuh a few hoops, but it was worth it to see the acknowledgemtent from OCS.

If you are trying to assign a Certificate for the Audio Video on the External Interface of the Edge Server then it is recommended to have a Third Party Certificate.

The Certificate from your internal CA is assigned only for the Internal Interface of the Edge Server.

For the Access Edge, Web Conferencing and the A/V Server you should have three different Certificate installed.
The reason being that when any user who tries to access the Edge Server from Internet should authenticate using this Certificate.
So if you are going to give the Internal CA Certificate on the Access Edge or Web Conference or A/V then it means that each Client using which you try to connect from the Internet should also have your Root CA Certificate from your Internal CA Authority in that Client.

Note:- On the Certificate Snap in on your Edge Server the Certificate that you have exported from your Internal CA should be under the Personal Store.

If it is under the Personal Store, only then you would be getting the Option to Assign the Same Certificate on the Edge Server.
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

MonterioAuthor Commented:
Okay.  I get it.  I've requested another Verisign cert earlier this morning.  My problem remaining is the interface that points back to the internal network on the Edge server.  That EKU checkbox is not part of the enterprise root CA when it was built (it was done using native Windows Server 2008 Certificate Services).

I can import the cert onto the local machine certificate store (under Trusted Root Certification Authories), but when I use the OCS cert manager to assign it to the A/V interface, the only certs that show up there are the ones I built with the CSR data built from the OCS cert wizard (where the EKU flag has to be set in order for the cert to be viewable in the wizard in the first place).

Hence my question:  I can import the cert via the OCS cert wizard, but wow do I get the enterprise cert viewable since the EKU flag is not set (because the CSR that was used to build the internal cert was created before OCS was a thought in the company)?
MonterioAuthor Commented:
...and yes, the enterprise cert is trusted.
MonterioAuthor Commented:
I should also add that I have successfully imported the certificate chain from the enterprise root CA's .p7b file.  It successfully imports into the certificate store (according to OCS) but the cert is still not viewable when I attempt to "assign an existing cert".  This is why I believe it has to do with EKU flag.  I had this same problem when I generated the CSR for the certs on the web and sip interfaces for the verisign certs.  I had to generate new CSRs with the EKU flag set, and then after getting the cert back from Verisign was I able to see the certs.  This is what I think my problem is for the internal cert.

Problem is how do I fix it so that the enterprise cert shows up when I assign it to the internal interface??
Yes you can use the Certificate Wizard from the OCS Admin Console to create the Certificate for the Edge Server.

And there you will have the option of "Include client EKU in the certificate request".

Check the same.

Now another thing i would like to know is.

On the Edge Server open the Certificate Snap-In.
Expand -> Certificate (Local COmputer) -> Personal -> Certificates.
Here the Certificate you want to assign should be listed.

Please check the same and make sure that the certificate is listed there. Only then we would be able to see the same listed on the Certificate Wizard when we try to assign the same.
MonterioAuthor Commented:
Negative, Ghost Rider.  I can see the certificate via the Certs console in the MMC.  However, OCS doesn't see it.  I'm trying back shortly.
MonterioAuthor Commented:
Great to know that the Issue is Resolved.

Sorry for the Confusion on the Edge Server A/V.
You are right on the part of Internal Certificate.

When we have the Certificate Listed on the Personal Store and not on the Trusted Root CA Store we will be able to assign the Same Cert from the OCS Console.
MonterioAuthor Commented:
AshwinRaj was incorrect in stating that an internal cert should be used on the A/V interface.  It goes against Microsoft's recommendation for implementing the AV portion of the Edge server.

No one really answered my question but did make some observations (of which I already knew).  Going back and figuring out how to fanagle my way around the cert creation was the only way I'd get my solution in a timely manner.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.