How Do I Get The A/V Certificate Installed On The OCS Edge Server?

Posted on 2010-11-23
Last Modified: 2013-11-29
I've been able to get my Web Conference and Access (SIP) certs installed on the interfaces for the Edge Server.  However for internal we're using the enterprise CA.  I've exported the cert to .CER and .p7b file formats to the Edge Server in the DMZ and have installed the cert into the Trusted Root Certification Authorities store.

I can successfully "process an offline cert request and import the certificate".  Problem is when I try to assign the certificate to the A/V service, it's not visible in the list of available certificates.  I think this is because the EKU flag is not set in the cert (this is what kept me from installing the other certs until I generated a new CSR with that EKU checkbox enabled).

My question is how can I get that certificate to show up?  I can't rebuild the enterprise cert.  Do I just create a new cert with the EKU option checked, just for the A/V server?  if so, how do I do that...step by step.
Question by:Monterio
11 Comments
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34204869

If you are trying to assign a Certificate for the Audio/Video on the External Interface of the Edge Server then it is recommended to have a Third Party Certificate.

The Certificate from your internal CA is assigned only to the Internal Interface of the Edge Server.

For the Access Edge, Web Conferencing and the A/V Server you should have three different Certificates installed.
The reason being that any user who tries to access the Edge Server from the Internet has to authenticate using this Certificate.
So if you are going to put the Internal CA Certificate on the Access Edge, Web Conference or A/V, it means that each Client you use to connect from the Internet would also need the Root CA Certificate of your Internal CA installed on that Client.
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34204883

Note:- In the Certificate Snap-in on your Edge Server the Certificate that you have exported from your Internal CA should be under the Personal Store.

Only if it is under the Personal Store will you get the Option to Assign the Same Certificate on the Edge Server.
 
LVL 1

Author Comment

by:Monterio
ID: 34205428
Okay.  I get it.  I've requested another Verisign cert earlier this morning.  My problem remaining is the interface that points back to the internal network on the Edge server.  That EKU checkbox is not part of the enterprise root CA when it was built (it was done using native Windows Server 2008 Certificate Services).

I can import the cert into the local machine certificate store (under Trusted Root Certification Authorities), but when I use the OCS cert manager to assign it to the A/V interface, the only certs that show up there are the ones I built with the CSR data built from the OCS cert wizard (where the EKU flag has to be set in order for the cert to be viewable in the wizard in the first place).

Hence my question:  I can import the cert via the OCS cert wizard, but how do I get the enterprise cert viewable since the EKU flag is not set (because the CSR that was used to build the internal cert was created before OCS was a thought in the company)?
 
LVL 1

Author Comment

by:Monterio
ID: 34205436
...and yes, the enterprise cert is trusted.
 
LVL 1

Author Comment

by:Monterio
ID: 34205491
I should also add that I have successfully imported the certificate chain from the enterprise root CA's .p7b file.  It successfully imports into the certificate store (according to OCS) but the cert is still not viewable when I attempt to "assign an existing cert".  This is why I believe it has to do with the EKU flag.  I had this same problem when I generated the CSRs for the certs on the web and SIP interfaces for the Verisign certs.  I had to generate new CSRs with the EKU flag set, and only after getting the certs back from Verisign was I able to see them.  This is what I think my problem is for the internal cert.

Problem is how do I fix it so that the enterprise cert shows up when I assign it to the internal interface??
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34206068
Yes you can use the Certificate Wizard from the OCS Admin Console to create the Certificate for the Edge Server.

And there you will have the option of "Include client EKU in the certificate request".

Check the same.

Now another thing I would like to know is:

On the Edge Server open the Certificate Snap-In.
Expand -> Certificates (Local Computer) -> Personal -> Certificates.
Here the Certificate you want to assign should be listed.

Please check the same and make sure that the certificate is listed there. Only then would we be able to see it listed in the Certificate Wizard when we try to assign it.
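The EKU bits that the wizard's "Include client EKU" checkbox adds (Client Authentication, alongside the Server Authentication EKU that OCS requires on every certificate it assigns) can also be requested without the OCS wizard, which is useful when the request has to be generated on a non-domain-joined DMZ host and submitted to the enterprise CA from elsewhere. The script below is an added example, not code from the thread or from Microsoft: it writes a certreq.exe INF file from PowerShell and generates the PKCS#10 request in the Local Computer store so that the issued certificate, once accepted, lands in Personal with its private key. The hostname, file paths, template name and CA config string are placeholders.

```powershell
# Added example (not from the thread): offline CSR for the Edge Server's internal
# (A/V) interface via certreq.exe, with both EKUs set explicitly.
# Run in an elevated PowerShell on the Edge Server.

$Subject = "CN=edge-int.corp.example"     # assumption: internal Edge FQDN
$InfPath = "C:\certs\edge-av.inf"         # assumption: working directory
$CsrPath = "C:\certs\edge-av.req"
$CerPath = "C:\certs\edge-av.cer"

$ServerAuthOid = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"      # id-kp-clientAuth ("client EKU")

# INF consumed by certreq -new. KeySpec=1 (AT_KEYEXCHANGE) with the SChannel
# provider is what TLS listeners need; KeyUsage 0xA0 = digitalSignature +
# keyEncipherment. Exportable stays FALSE so the private key cannot be copied
# off the Edge Server later; set TRUE only if you must move it to another box.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
FriendlyName = "OCS Edge internal A/V"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = $ServerAuthOid
OID = $ClientAuthOid
"@ | Set-Content -Path $InfPath -Encoding ASCII

# 1) Generate the key pair in the Local Computer store and the request file.
certreq.exe -new $InfPath $CsrPath

# 2) Submit to the enterprise CA. An enterprise CA requires a template name;
#    WebServer is the usual choice. The Edge Server is not domain-joined and
#    -submit needs DCOM plus domain credentials, so copy the .req to a
#    domain-joined machine and run this there (or paste it into web enrollment):
#    certreq.exe -submit -config "ca01.corp.example\Corp-Issuing-CA" `
#        -attrib "CertificateTemplate:WebServer" $CsrPath $CerPath

# 3) Back on the Edge Server, bind the issued .cer to the pending request. This
#    is what puts the certificate into Local Computer\Personal with its key.
#    certreq.exe -accept $CerPath
```

The issuing CA's root (and any intermediate) still has to sit in Trusted Root Certification Authorities / Intermediate Certification Authorities on the Edge Server, exactly as the thread describes, or the chain will not build even though the leaf certificate is in Personal.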
 
LVL 1

Author Comment

by:Monterio
ID: 34206152
Negative, Ghost Rider.  I can see the certificate via the Certs console in the MMC.  However, OCS doesn't see it.  I'm trying something...be back shortly.
 
LVL 1

Accepted Solution

by:Monterio
ID: 34208507
AshwinRaj, the Microsoft docos say that the AV interface only needs an internal cert, so I rescinded my request for another Verisign cert.  I finally got it working.  Hopefully, this will help someone:

Configuration:
Edge Server - in DMZ with no domain membership on three-legged firewall.

1) I took the enterprise CA, exported a copy as a .CER
2) Imported the CA into the local computer cert store on the Edge Server
3) Exported it as a .p7b file
4) Imported the chain from the .p7b file via the OCS wizard
5) Placed it into the "Personal" store
6) Assigned the cert to the A/V interface via the OCS wizard.

Jumped through a few hoops, but it was worth it to see the acknowledgement from OCS.
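The two conditions the thread keeps circling back to, "is it in Local Computer\Personal" and "does it carry the EKU", can be checked before opening the wizard at all. The script below is an added example, not something posted in the thread: it enumerates Local Computer\Personal on the Edge Server and reports, per certificate, whether it has a private key, which EKUs it carries, and whether its chain builds to a root in Trusted Root Certification Authorities. It assumes that those are the properties the OCS wizard filters on (the thread establishes the store and the EKU; the private-key and chain checks are the general TLS requirements, added here). One caveat worth having in front of you while following the accepted steps: a CA certificate imported from a .cer or .p7b never carries a private key, so what an interface can actually terminate TLS with is a leaf certificate issued by that CA, not the CA certificate itself.

```powershell
# Added example (not from the thread): show the Local Computer\Personal store the
# way a TLS listener such as the OCS wizard needs to see it.
# Run in an elevated PowerShell on the Edge Server; read-only, changes nothing.

$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU ("client EKU")
$EkuExtOid     = "2.5.29.37"           # id-ce-extKeyUsage

# Return the EKU OIDs of a certificate as an array of strings (empty if none).
function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid } | Select-Object -First 1
    if (-not $ext) { return @() }
    $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# Evaluate one certificate and explain why it would or would not be assignable.
function Test-EdgeCertCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $reasons = @()
    $ekus = Get-EkuOids $Cert

    if (-not $Cert.HasPrivateKey) {
        $reasons += "no private key (a CA/root cert imported from .cer/.p7b has none)"
    }
    if (-not ($ekus -contains $ServerAuthOid)) {
        $reasons += "missing Server Authentication EKU"
    }
    if ($Cert.NotAfter -lt (Get-Date)) {
        $reasons += "expired " + $Cert.NotAfter.ToString("yyyy-MM-dd")
    }

    # Chain must build to a root in Local Computer\Trusted Root Certification
    # Authorities. Revocation is skipped here because a DMZ Edge Server often
    # cannot reach the internal CA's CRL; check that separately if it matters.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
        $reasons += "chain does not build: $status"
    }

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        ServerEKU  = ($ekus -contains $ServerAuthOid)
        ClientEKU  = ($ekus -contains $ClientAuthOid)
        Assignable = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join "; ")
    }
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
try {
    $store.Certificates | ForEach-Object { Test-EdgeCertCandidate $_ } |
        Format-Table Subject, Issuer, ServerEKU, ClientEKU, Assignable, Reasons -AutoSize
}
finally {
    $store.Close()
}
```

A certificate that shows Assignable = True here but still does not appear in the wizard is worth comparing against the thread's other lead: the wizard will not list anything that lives only in Trusted Root Certification Authorities, however valid it is there.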
 
LVL 1

Author Comment

by:Monterio
ID: 34208524
Ditto
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34208811
Great to know that the Issue is Resolved.

Sorry for the Confusion on the Edge Server A/V.
You are right on the part of Internal Certificate.

When we have the Certificate Listed on the Personal Store and not on the Trusted Root CA Store we will be able to assign the Same Cert from the OCS Console.
 
LVL 1

Author Closing Comment

by:Monterio
ID: 34228768
AshwinRaj was incorrect in stating that an internal cert should be used on the A/V interface.  It goes against Microsoft's recommendation for implementing the AV portion of the Edge server.

No one really answered my question but did make some observations (of which I already knew).  Going back and figuring out how to finagle my way around the cert creation was the only way I'd get my solution in a timely manner.
