Solved

How Do I Get The A/V Certificate Installed On The OCS Edge Server?

Posted on 2010-11-23
Last Modified: 2013-11-29
I've been able to get my Web Conference and Access (SIP) certs installed on the interfaces for the Edge Server.  However for internal we're using the enterprise CA.  I've exported the cert to .CER and .p7b file formats to the Edge Server in the DMZ and have installed the cert into the Trusted Root Certification Authorities store.

I can successfully "process an offline cert request and import the certificate".  Problem is when I try to assign the certificate to the A/V service, it's not visible in the list of available certificates.  I think this is because the EKU flag is not set in the cert (this is what kept me from installing the other certs until I generated a new CSR with that EKU checkbox enabled).

My question is how can I get that certificate to show up?  I can't rebuild the enterprise cert.  Do I just create a new cert with the EKU option checked, just for the A/V server?  If so, how do I do that...step by step.
Question by:Monterio
11 Comments
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34204869

If you are trying to assign a Certificate for the Audio Video on the External Interface of the Edge Server then it is recommended to have a Third Party Certificate.

The Certificate from your internal CA is assigned only for the Internal Interface of the Edge Server.

For the Access Edge, Web Conferencing and the A/V Server you should have three different Certificates installed.
The reason is that any user who tries to access the Edge Server from the Internet should authenticate using this Certificate.
So if you are going to give the Internal CA Certificate on the Access Edge or Web Conference or A/V, then it means that each Client from which you try to connect from the Internet should also have your Root CA Certificate from your Internal CA Authority in that Client.
0
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34204883

Note:- On the Certificate Snap in on your Edge Server the Certificate that you have exported from your Internal CA should be under the Personal Store.

If it is under the Personal Store, only then you would be getting the Option to Assign the Same Certificate on the Edge Server.
0
 
LVL 1

Author Comment

by:Monterio
ID: 34205428
Okay.  I get it.  I've requested another Verisign cert earlier this morning.  My problem remaining is the interface that points back to the internal network on the Edge server.  That EKU checkbox is not part of the enterprise root CA when it was built (it was done using native Windows Server 2008 Certificate Services).

I can import the cert onto the local machine certificate store (under Trusted Root Certification Authorities), but when I use the OCS cert manager to assign it to the A/V interface, the only certs that show up there are the ones I built with the CSR data built from the OCS cert wizard (where the EKU flag has to be set in order for the cert to be viewable in the wizard in the first place).

Hence my question:  I can import the cert via the OCS cert wizard, but how do I get the enterprise cert viewable since the EKU flag is not set (because the CSR that was used to build the internal cert was created before OCS was a thought in the company)?
0

 
LVL 1

Author Comment

by:Monterio
ID: 34205436
...and yes, the enterprise cert is trusted.
0
 
LVL 1

Author Comment

by:Monterio
ID: 34205491
I should also add that I have successfully imported the certificate chain from the enterprise root CA's .p7b file.  It successfully imports into the certificate store (according to OCS) but the cert is still not viewable when I attempt to "assign an existing cert".  This is why I believe it has to do with EKU flag.  I had this same problem when I generated the CSR for the certs on the web and sip interfaces for the verisign certs.  I had to generate new CSRs with the EKU flag set, and then after getting the cert back from Verisign was I able to see the certs.  This is what I think my problem is for the internal cert.

Problem is how do I fix it so that the enterprise cert shows up when I assign it to the internal interface??
0
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34206068
Yes you can use the Certificate Wizard from the OCS Admin Console to create the Certificate for the Edge Server.

And there you will have the option of "Include client EKU in the certificate request".

Check the same.

Now another thing I would like to know is:

On the Edge Server open the Certificate Snap-In.
Expand -> Certificate (Local Computer) -> Personal -> Certificates.
Here the Certificate you want to assign should be listed.

Please check the same and make sure that the certificate is listed there. Only then we would be able to see the same listed on the Certificate Wizard when we try to assign the same.
0
 
LVL 1

Author Comment

by:Monterio
ID: 34206152
Negative, Ghost Rider.  I can see the certificate via the Certs console in the MMC.  However, OCS doesn't see it.  I'm trying something...be back shortly.
0
 
LVL 1

Accepted Solution

by:
Monterio earned 0 total points
ID: 34208507
AshwinRaj, the Microsoft docos say that the AV interface only needs an internal cert, so I rescinded my request for another Verisign cert.  I finally got it working.  Hopefully, this will help someone:

Configuration:
Edge Server - in DMZ with no domain membership on three-legged firewall.

1) I took the enterprise CA, exported a copy as a .CER
2) Imported the CA into the local computer cert store on the Edge Server
3) Exported it as a .p7b file
4) Imported the chain from the .p7b file via the OCS wizard
5) Placed it into the "Personal" store
6) Assigned the cert to the A/V interface via the OCS wizard.

Jumped through a few hoops, but it was worth it to see the acknowledgement from OCS.
0
 
LVL 1

Author Comment

by:Monterio
ID: 34208524
Ditto
0
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34208811
Great to know that the Issue is Resolved.

Sorry for the Confusion on the Edge Server A/V.
You are right on the part of Internal Certificate.

When we have the Certificate Listed on the Personal Store and not on the Trusted Root CA Store we will be able to assign the Same Cert from the OCS Console.
0
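A read-only check for the store and EKU points raised in this thread, added here as an example and not posted by either participant: it lists every certificate in the local computer's Personal and Trusted Root Certification Authorities stores with its private-key status, issuer, expiry and EKU values. The helper name `Get-CertStoreReport` is hypothetical; the store names and .NET types are the standard Windows ones.

```powershell
# Added example, not from the thread. Read-only: nothing is imported, moved or assigned.
# Get-CertStoreReport is a hypothetical helper name.
$ekuNames = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}

function Get-CertStoreReport {
    # 'My' is shown as "Personal" in the Certificates snap-in,
    # 'Root' as "Trusted Root Certification Authorities".
    param([string[]]$StoreNames = @('My', 'Root'))

    foreach ($storeName in $StoreNames) {
        foreach ($cert in Get-ChildItem -Path "Cert:\LocalMachine\$storeName") {
            # Collect the OIDs from the Enhanced Key Usage extension, if present.
            $ekus = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    foreach ($oid in $ext.EnhancedKeyUsages) {
                        if ($ekuNames.ContainsKey($oid.Value)) { $ekus += $ekuNames[$oid.Value] }
                        else { $ekus += $oid.Value }
                    }
                }
            }
            if ($ekus.Count -gt 0) { $ekuText = $ekus -join ', ' }
            else { $ekuText = '(no EKU extension)' }

            # One row per certificate, tagged with the store it was found in.
            New-Object PSObject -Property @{
                Store         = $storeName
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
                EKU           = $ekuText
                Thumbprint    = $cert.Thumbprint
            }
        }
    }
}

Get-CertStoreReport |
    Sort-Object Store, Subject |
    Format-List Store, Subject, Issuer, HasPrivateKey, NotAfter, EKU, Thumbprint
```

A certificate that is listed only with `Store : Root` sits in the Trusted Root store and not in Personal, which is the placement the replies above single out.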
 
LVL 1

Author Closing Comment

by:Monterio
ID: 34228768
AshwinRaj was incorrect in stating that an internal cert should be used on the A/V interface.  It goes against Microsoft's recommendation for implementing the AV portion of the Edge server.

No one really answered my question but did make some observations (of which I already knew).  Going back and figuring out how to finagle my way around the cert creation was the only way I'd get my solution in a timely manner.
0

Question has a verified solution.
