How Do I Get The A/V Certificate Installed On The OCS Edge Server?

Posted on 2010-11-23
Last Modified: 2013-11-29
I've been able to get my Web Conference and Access (SIP) certs installed on the interfaces for the Edge Server.  However for internal we're using the enterprise CA.  I've exported the cert to .CER and .p7b file formats to the Edge Server in the DMZ and have installed the cert into the Trusted Root Certification Authorities store.

I can successfully "process an offline cert request and import the certificate".  Problem is when I try to assign the certificate to the A/V service, it's not visible in the list of available certificates.  I think this is because the EKU flag is not set in the cert (this is what kept me from installing the other certs until I generated a new CSR with that EKU checkbox enabled).

My question is how can I get that certificate to show up?  I can't rebuild the enterprise cert.  Do I just create a new cert with the EKU option checked, just for the A/V server?  If so, how do I do that... step by step.

Question by:Monterio

11 Comments
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34204869

If you are trying to assign a Certificate for the Audio Video on the External Interface of the Edge Server then it is recommended to have a Third Party Certificate.

The Certificate from your internal CA is assigned only for the Internal Interface of the Edge Server.

For the Access Edge, Web Conferencing and the A/V Server you should have three different Certificate installed.
The reason being that when any user who tries to access the Edge Server from Internet should authenticate using this Certificate.
So if you are going to give the Internal CA Certificate on the Access Edge or Web Conference or A/V then it means that each Client using which you try to connect from the Internet should also have your Root CA Certificate from your Internal CA Authority in that Client.
0
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34204883

Note: On the Certificate Snap-in on your Edge Server the Certificate that you have exported from your Internal CA should be under the Personal Store.

If it is under the Personal Store, only then you would be getting the Option to Assign the Same Certificate on the Edge Server.
0
 
LVL 1

Author Comment

by:Monterio
ID: 34205428
Okay.  I get it.  I've requested another Verisign cert earlier this morning.  My problem remaining is the interface that points back to the internal network on the Edge server.  That EKU checkbox is not part of the enterprise root CA when it was built (it was done using native Windows Server 2008 Certificate Services).

I can import the cert onto the local machine certificate store (under Trusted Root Certification Authorities), but when I use the OCS cert manager to assign it to the A/V interface, the only certs that show up there are the ones I built with the CSR data built from the OCS cert wizard (where the EKU flag has to be set in order for the cert to be viewable in the wizard in the first place).

Hence my question:  I can import the cert via the OCS cert wizard, but how do I get the enterprise cert viewable since the EKU flag is not set (because the CSR that was used to build the internal cert was created before OCS was a thought in the company)?
0
 
LVL 1

Author Comment

by:Monterio
ID: 34205436
...and yes, the enterprise cert is trusted.
0
 
LVL 1

Author Comment

by:Monterio
ID: 34205491
I should also add that I have successfully imported the certificate chain from the enterprise root CA's .p7b file.  It successfully imports into the certificate store (according to OCS) but the cert is still not viewable when I attempt to "assign an existing cert".  This is why I believe it has to do with the EKU flag.  I had this same problem when I generated the CSR for the certs on the web and SIP interfaces for the Verisign certs.  I had to generate new CSRs with the EKU flag set, and only after getting the cert back from Verisign was I able to see the certs.  This is what I think my problem is for the internal cert.

Problem is how do I fix it so that the enterprise cert shows up when I assign it to the internal interface??
0
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34206068
Yes you can use the Certificate Wizard from the OCS Admin Console to create the Certificate for the Edge Server.

And there you will have the option of "Include client EKU in the certificate request".

Check the same.

Now another thing I would like to know is:

On the Edge Server open the Certificate Snap-In.
Expand -> Certificates (Local Computer) -> Personal -> Certificates.
Here the Certificate you want to assign should be listed.

Please check the same and make sure that the certificate is listed there. Only then we would be able to see the same listed on the Certificate Wizard when we try to assign the same.
0
 
LVL 1

Author Comment

by:Monterio
ID: 34206152
Negative, Ghost Rider.  I can see the certificate via the Certs console in the MMC.  However, OCS doesn't see it.  I'm trying something...be back shortly.
0
 
LVL 1

Accepted Solution

by:Monterio
ID: 34208507
AshwinRaj, the Microsoft docos say that the AV interface only needs an internal cert, so I rescinded my request for another Verisign cert.  I finally got it working.  Hopefully, this will help someone:

Configuration:
Edge Server - in DMZ with no domain membership on three-legged firewall.

1) I took the enterprise CA, exported a copy as a .CER
2) Imported the CA into the local computer cert store on the Edge Server
3) Exported it as a .p7b file
4) Imported the chain from the .p7b file via the OCS wizard
5) Placed it into the "Personal" store
6) Assigned the cert to the A/V interface via the OCS wizard.

Jumped through a few hoops, but it was worth it to see the acknowledgement from OCS.
0
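An added diagnostic, not part of the thread, to run at the Edge Server's PowerShell prompt: it checks the three conditions the thread turns on before a certificate appears in the OCS wizard (which Local Computer store holds it, whether a private key is present, and which EKU values it carries). The OID constants are the standard Server Authentication and Client Authentication EKU OIDs; treating those as what the wizard filters on is an assumption drawn from the thread, as is the set of stores searched.

```powershell
# Added example, not from the thread. Reports why a certificate in the
# Local Computer "Personal" store (Cert:\LocalMachine\My) might not be
# offered by the OCS certificate wizard. Standard EKU OIDs:
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication ("Include client EKU")

# Returns the EKU OIDs of a certificate; an empty array when the extension is absent.
function Get-EkuOid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }  # id-ce-extKeyUsage
    if (-not $ext) { return @() }
    $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# Shows which LocalMachine stores hold a thumbprint. The thread's cert was
# visible in the MMC but sat in Trusted Root rather than Personal.
function Find-CertStore {
    param([string]$Thumbprint)
    foreach ($store in 'My', 'Root', 'CA') {
        $hit = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $Thumbprint }
        if ($hit) { "$Thumbprint found in LocalMachine\$store" }
    }
}

# Lists every reason a Personal-store cert would not be an eligible server
# certificate for an Edge interface (assumed criteria, see lead-in).
function Test-EdgeCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus = Get-EkuOid -Cert $Cert
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key (a .cer/.p7b import carries only public parts)' }
    if ($ekus.Count -eq 0) { $problems += 'no EKU extension present' }
    elseif ($ekus -notcontains $ServerAuthOid) { $problems += 'Server Authentication EKU missing' }
    if ($ekus -notcontains $ClientAuthOid) { $problems += 'Client Authentication EKU not present' }
    if ($Cert.Subject -eq $Cert.Issuer) { $problems += 'self-issued: this is a CA certificate, not a server certificate' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }
    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Eligible   = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-EdgeCandidate -Cert $_ } |
    Format-Table Subject, Eligible, Problems -AutoSize
```

Run `Find-CertStore -Thumbprint <thumbprint>` for a certificate that the MMC shows but the wizard does not, to confirm which store it actually lives in.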
 
LVL 1

Author Comment

by:Monterio
ID: 34208524
Ditto
0
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34208811
Great to know that the Issue is Resolved.

Sorry for the Confusion on the Edge Server A/V.
You are right on the part of Internal Certificate.

When we have the Certificate Listed on the Personal Store and not on the Trusted Root CA Store we will be able to assign the Same Cert from the OCS Console.
0
 
LVL 1

Author Closing Comment

by:Monterio
ID: 34228768
AshwinRaj was incorrect in stating that an internal cert should be used on the A/V interface.  It goes against Microsoft's recommendation for implementing the AV portion of the Edge server.

No one really answered my question but did make some observations (of which I already knew).  Going back and figuring out how to finagle my way around the cert creation was the only way I'd get my solution in a timely manner.
0
