Federation and/or PIC may fail against partners using 2048-bit signed Root CAs
Summary:
You may find that OCS 2007 / OCS 2007 R2's Federation and/or PIC fails against partners who do not support Entrust root certificates signed using a 2048-bit public key.
For example, the "broken" certificate chain may resemble the following:
Edge server's certificate -> Entrust L1B chain -> Entrust 2048 Root
Workaround:
For Federated partners who do not support the 2048-bit Root, you can introduce an additional chain certificate which points back to the Entrust 1024-bit root. The chain of authority would then be as follows:
Edge server's certificate -> Entrust L1B chain -> Entrust 2048 chain -> Entrust 1024 Root
To accomplish this, you will be replacing the Entrust 2048 Root certificate with the attached Entrust 2048 chain certificate.
Here are the steps to follow:
1. Start up your MMC console and add the Certificates snap-in for your server's Computer Account.
2. Under "Trusted Root Certification Authorities/Certificates," remove the Entrust.net Certification Authorities (2048) certificate.
3. Ensure you have the Entrust.net Secure Server Certification Authority certificate under the same Trusted Roots folder.
4. Under "Intermediate Certification Authorities/Certificates," import the attached Entrust.net Certification Authorities (2048) chain certificate as follows:
i. Save the attached "2048-to-1024-Cross-Cert.txt" 2048 chain certificate as a *.crt file.
ii. In MMC, expand the Intermediate Certification Authorities folder.
iii. Right-click on Certificates and select All Tasks -> Import.
iv. Follow the resulting Certificate Import Wizard to import the 2048 chain certificate into the Intermediate Certification Authorities store.
5. Check that you now have two Entrust certificates under Intermediate Certification Authorities/Certificates: the Entrust Certification Authority - L1B and the Entrust.net Certificate Authority (2048).
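To confirm that the steps above had the intended effect, the following PowerShell script (an added example, not part of the original post or of any Microsoft or Entrust tooling) lists the Entrust certificates in the machine's Root and Intermediate stores and then builds the chain for the Edge server certificate the way Windows itself would, reporting whether it terminates at the 1024-bit or the 2048-bit root. It assumes the Edge certificate's subject contains the placeholder FQDN "edge.contoso.com" and that the Entrust certificates carry "Entrust" in their subject names.

```powershell
# Added example (not from the original post). Run on the Edge server in an elevated
# PowerShell. $edgeName is a placeholder: replace it with your Edge server's FQDN.
$edgeName = 'edge.contoso.com'

# 1. Locate the Edge server certificate in the machine's Personal store.
$edgeCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$edgeName*" } |
    Select-Object -First 1
if (-not $edgeCert) { throw "No certificate for $edgeName found in LocalMachine\My" }

# 2. Show which Entrust certificates sit in the Trusted Root (Root) and
#    Intermediate (CA) stores. After the workaround, the 2048 entry should
#    appear only in CA (as the cross-certificate), not in Root.
foreach ($store in 'Root', 'CA') {
    Write-Host "--- Entrust certificates in LocalMachine\$store ---"
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like '*Entrust*' } |
        ForEach-Object {
            '{0}  (key: {1} bits, expires {2:yyyy-MM-dd})' -f `
                $_.Subject, $_.PublicKey.Key.KeySize, $_.NotAfter
        }
}

# 3. Build the chain as the local machine would when presenting the certificate.
#    Revocation checking is disabled here so the chain shape is visible offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($edgeCert)

Write-Host "--- Chain built for $($edgeCert.Subject) (valid: $built) ---"
$i = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    '{0}: {1}  [{2}-bit key, {3}]' -f `
        $i, $c.Subject, $c.PublicKey.Key.KeySize, $c.SignatureAlgorithm.FriendlyName
    $i++
}
if (-not $built) {
    $chain.ChainStatus | ForEach-Object { Write-Host "  status: $($_.StatusInformation)" }
}

# 4. The workaround is in effect when the top of the chain is the 1024-bit Entrust
#    root reached through the 2048 cross-certificate, not the self-signed 2048 root.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.PublicKey.Key.KeySize -eq 1024) {
    Write-Host 'Chain terminates at the 1024-bit Entrust root: cross-certificate path in use.'
} else {
    Write-Host 'Chain still terminates at a 2048-bit root; re-check steps 2 and 4 above.'
}
```

If the chain still ends at the 2048-bit root, the self-signed Entrust 2048 certificate is usually still present in the Trusted Root store (Windows prefers the shorter path when both are available), which is exactly what step 2 removes.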
Credits:
Many thanks to Jimmy Levesque and Mark Giannotti in ECS Technical Support at Entrust Certificate Services for this information!
Update (December 10, 2009):
We have successfully tested & validated that communicating with AOL via PIC (using a certificate rooted against a CA that is signed with 2048 bits) works properly.
Comments
Anonymous
July 14, 2009
"For Federated partners who do not support the 2048-bit Root" Could you write requirements to support 2048-bit Root for certificates. As I understand, it could be only if OS does not have latest updates or certificates update is disabled. http://www.entrust.net/knowledge-base/technote.cfm?tn=7740 In this case, another solution is import right root cert to trusted root certs or update certificates.
Anonymous
July 15, 2009
@Alexander: You're exactly right; the server simply needs the 2048-bit Root installed. However, you may find that certain PIC providers (and/or Federated partners) do not have this installed. Thanks, Scott Oseychik
Anonymous
July 21, 2009
You mentioned PIC providers may not have this installed. Do you know of any examples of this? We are having some issues with AOL connectivity on R2. We have ensured that AOL root certs are up to date and have implemented your suggested change to SSL configuration with no luck.
Anonymous
July 22, 2009
We are having a problem with AOL as well. Do we need to have the certs installed on the edge? Do we just use 1 or both of them? We are using R2 as well. MSN and Yahoo are working fine.
Anonymous
July 22, 2009
It seems a few of our customers are running into issues w/PIC against AOL ... while I encourage you all to engage the Unified Communications Support Team via Microsoft Customer Support Services (http://support.microsoft.com), in the meantime, let's try & identify some common denominators:
- Has it ever worked? If so, when did it stop working?
- What version of OCS?
- What version of Windows?
- Have you installed the AOL Root CAs & modified the cipher suites (if on SRV08) ... see my previous blog entries. Thanks, Scott Oseychik p.s. Responses will be delayed; at the MGX conference in Atlanta.
Anonymous
February 18, 2010
Would this work for godaddy certs as well? If so, which certs would I need to download/remove/import?