
OCS 2007 R2 Certificates

Scripting, Servers March 16th, 2011

Situation:

Some of our internal certificates for OCS were coming due for replacement. I did a simple web search for “Find all certificates for Office Communication Server 2007 R2” and I got very little help.

And of course, OCS does not support wildcard certs (but it does accept wildcards in Subject Alternative Names (SAN)... go figure).

So for those who just want a reference of what certs are used where (Subject Name (SN) and Common Name (CN) are used somewhat interchangeably; Common Name is the most important item to OCS):

Outcome (it’s not pretty folks…):

I give you (working from the outside in):

  1. Edge Server

    1. Description:
      1. The first cert needed is for the Web Conferencing Edge Server.
      2. SAN Required – No.
      3. These are public facing certs, so you’ll likely want to get these from a cert provider.
      4. Even if you are issuing them yourself, you’ll notice that these cert requests are generated offline, as the edge server is usually in a restricted portion of the DMZ without direct access to your internal CA.
    2. Example:
      1. SN: webconf.mindofroot.com
    3. Command:
      1. To create the cert request: LcsCmd /cert /action:request /friendlyname:"Web Conference Edge" /sn:webconf.mindofroot.com /ou:IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:"C:\CertHold\webedge.req" /L
      2. To import the response: LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CAResponse.cer" /assign:true /Components:DP /L
    4. Description:
      1. The second cert required is for Audio/Video Authentication Edge Server.
      2. SAN Required – No.
      3. This is used for internal communication to the rest of the OCS infrastructure.
      4. If you are using an internal cert, you will have to install the certs on the cert chain as well to make them trusted on this server.
    5. Example:
      1. SN: av.mindofroot.com
    6. Command:
      1. LcsCmd /cert /action:request /friendlyname:"AV Edge" /sn:av.mindofroot.com /ou:IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:"C:\CertHold\avedge.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CAResponse.cer" /assign:true /Components:MR /L
    7. Description:
      1. The third cert is required for the Internal Edge.
      2. SAN Required – No.
      3. This is for encrypting and decrypting traffic between external clients and the “next hop” server (usually the director or pool).
      4. This can be an internally issued cert.
    8. Example:
      1. SN: internaledge.internal.mindofroot.com
    9. Command:
      1. LcsCmd /cert /action:request /friendlyname:"Internal Edge" /sn:internaledge.mindofroot.com /ou:IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:"C:\CertHold\internaledge.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CAResponse.cer" /assign:true /Components:INTERNAL /L

    10. Description:
      1. The fourth cert required covers the Access Edge.
      2. SAN Required: Possible, if there are additional domains covered for external access.
      3. This is for the default SIP.yourdomain.com address.
    11. Example:
      1. SN: sip.mindofroot.com
      2. SAN: sip.acoupleofadmins.com
    12. Command:
      1. LcsCmd /cert /action:request /friendlyname:"Access Edge" /sn:sip.mindofroot.com /ou:IT /org:MOR /city:SomeWhere /state:Else /country:US /san:sip.mindofroot.com,sip.acoupleofadmins.com /fileName:"C:\CertHold\accessedge.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\accessedge.cer" /assign:true /Components:AP /L

  2. Reverse Proxy

    1. Description:
      1. The Reverse Proxy provides a way for external users to access content, expand address lists, and otherwise do things that require more access.
      2. SAN Required – Maybe.
    2. Example:
      1. SN: ocsweb.mindofroot.com
    3. Command:
      1. LcsCmd /cert /action:request /friendlyname:"Web Proxy External" /sn:ocsweb.mindofroot.com /ou:IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:"C:\CertHold\webproxyext.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CAResponse.cer" /L
  3. CWA Server

    1. Description:
      1. The CWA certificate supports IM, PSTN call in, desktop sharing, etc.
      2. SAN Required – Yes.
      3. Note – The DNS name cwa.yourdomain.com might be behind a reverse proxy; in that case, you might need two certs (an internal and a public cert).
    2. Example:
      1. SN: cwa.mindofroot.com
      2. SAN: im.mindofroot.com, cwa.acoupleofadmins.com, im.acoupleofadmins.com
    3. Command:
      1. LcsCmd /cert /action:request /online:false /friendlyname:"CWA" /sn:cwa.mindofroot.com /ou:IT /org:MOR /city:SomeWhere /state:Else /country:US /san:im.mindofroot.com,cwa.acoupleofadmins.com,im.acoupleofadmins.com /fileName:"C:\CertHold\CWAext.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CWAResponse.cer" /assign:true /L
  4. Director

    1. Description:
      1. SN set to the FQDN of the director.
      2. SAN Required – Yes, set to the SIP DNS for each domain.
    2. Example:
      1. SN: director.internal.mindofroot.com
      2. SAN: sip.mindofroot.com
    3. Command:
      1. LcsCmd /Cert /Action:request /online:true /assign:true /ca:MOR-CA.internal.mindofroot.com\MOR-CA /caAccount:MOR\Admin /caPassword:P@ssword1 /friendlyname:"MOR-Director SIP" /sn:director.internal.mindofroot.com /OU:IT /org:MOR /city:SomeWhere /state:Else /country:US /san:*.mindofroot.com /L
  5. Mediation Server

    1. Description:
      1. The Mediation Server coordinates enterprise voice traffic.
      2. SAN Required – No.
    2. Example:
      1. SN: mediation.mindofroot.com
    3. Command:
      1. LcsCmd /cert /action:request /online:true /friendlyname:"Mediation Server" /sn:mediation.mindofroot.com /ou:IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:"C:\CertHold\mediation.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CAResponse.cer" /assign:true /L
  6. Front End Server

    1. Description:
      1. SN set to the FQDN of the enterprise pool name or server.
      2. SAN Required – Yes, set to any alternative DNS names for the pool and server.
    2. Example:
      1. SN: pool1.intranet.mindofroot.com
      2. SAN: pool1.mindofroot.com, sip.mindofroot.com, myfrontendserver.intranet.mindofroot.com
    3. Command:
      1. LcsCmd /Cert /Action:request /online:true /assign:true /ca:MOR-CA.internal.mindofroot.com\MOR-CA /caAccount:MOR\Admin /caPassword:P@ssword1 /friendlyname:"MOR-FE Front End SIP" /sn:pool01.internal.mindofroot.com /OU:IT /org:MOR /city:SomeWhere /state:Else /country:US /san:*.mindofroot.com,myfrontendserver.intranet.mindofroot.com /L
  7. Group Chat

    1. Description:
      1. The Group Chat cert should reference the DNS for the Group Chat server.
      2. SAN required – Maybe, if you have multiple DNS entries for group chat.
    2. Example:
      1. SN: groupchat.mindofroot.com
      2. SAN: groupchat.acoupleofadmins.com
    3. Command:
      1. LcsCmd /cert /action:request /online:true /friendlyname:"Group Chat Server" /sn:groupchat.mindofroot.com /ou:IT /org:MOR /city:SomeWhere /state:Else /country:US /san:groupchat.mindofroot.com,groupchat.acoupleofadmins.com /enableClientEKU:TRUE /fileName:"C:\CertHold\groupchat.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CAResponse.cer" /assign:true /L
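
The problem that started this post was finding which certs are actually installed and when they expire. As an added example (not code from the original post), here is a PowerShell script that inventories the Local Machine store on an OCS box, pulls the CN and SAN DNS names out of each cert, flags expiring ones, and reports any name from the examples above that no installed cert covers; the role table and the 30-day threshold are assumptions, so edit them for your own names.

```powershell
# Added example, not part of the original post: list every cert in the Local Machine "My" store with
# CN, SAN DNS names and days to expiry, then report required OCS names that no cert covers.
# The role table below is an assumption built from this post's examples; edit it for your names.
$required = @{
    'Access Edge' = @('sip.mindofroot.com', 'sip.acoupleofadmins.com')
    'CWA'         = @('cwa.mindofroot.com', 'im.mindofroot.com')
    'Director'    = @('director.internal.mindofroot.com', 'sip.mindofroot.com')
    'Front End'   = @('pool1.intranet.mindofroot.com', 'sip.mindofroot.com')
}
$warnDays = 30   # assumption: flag anything expiring within 30 days
function Get-CertDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Subject CN first (OCS keys on the Common Name), then every DNS entry in the SAN extension
    # (OID 2.5.29.17); Format() renders one "DNS Name=host" entry per line on English Windows
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -ne '2.5.29.17') { continue }
        foreach ($line in ($ext.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(\S+)') { $names += $Matches[1] }
        }
    }
    return @($names | Select-Object -Unique)
}
# Exact match, or a single-label wildcard (*.example.com covers sip.example.com, not a.b.example.com)
function Test-NameCovered([string]$Required, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $Required) { return $true }
        if ($n.StartsWith('*.') -and ($Required -match '^[^.]+\.(.+)$') -and ($Matches[1] -eq $n.Substring(2))) { return $true }
    }
    return $false
}
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$byCert = @{}
foreach ($c in $store.Certificates) {
    $byCert[$c.Thumbprint] = @(Get-CertDnsNames $c)
    $left = [int]($c.NotAfter - (Get-Date)).TotalDays
    $flag = if ($left -lt $warnDays) { 'RENEW' } else { 'ok   ' }
    '{0} {1,5}d  {2}  [{3}]' -f $flag, $left, $c.Subject, ($byCert[$c.Thumbprint] -join ', ')
}
$store.Close()
foreach ($role in $required.Keys) {
    foreach ($name in $required[$role]) {
        if (-not @($byCert.Values | Where-Object { Test-NameCovered $name $_ }).Count) {
            "MISSING: nothing in the store covers $name (needed for $role)"
        }
    }
}
```

Run it in an elevated PowerShell on each OCS role server; on a non-English Windows install the SAN label printed by Format() is localized, so adjust the `DNS Name=` pattern accordingly.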