Configuring a Certificate for Mediation Server
Topic Last Modified: 2009-03-06
The Mediation Server must be configured with a server certificate to connect to other Office Communications Servers. This topic describes the following procedures that you must perform to configure a certificate for Mediation Server:
- Step 1: Download the certification authority (CA) certificate chain for the Mediation Server.
- Step 2: Install the CA certificate chain for the Mediation Server.
- Step 3: Verify that the CA is in the list of trusted root CAs of the Mediation Server.
- Step 4: Create the certificate request for the Mediation Server.
- Step 5: Import the certificate for the Mediation Server.
- Step 6: Assign the certificate for the Mediation Server.
You can use the Communications Certificate Wizard to complete most of these procedures. These procedures describe how to access the Communications Certificate Wizard from the Office Communications Server 2007 R2 Deployment Wizard. You can also access it from the Office Communications Server 2007 R2 snap-in on each Mediation Server.
The steps of these procedures are based on using a Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CA, consult the documentation of that CA.
To download the CA certificate chain for the Mediation Server
With your Enterprise root CA offline and your Enterprise subordinate (issuing) CA Server online, log on to the Mediation Server as a member of the RTCUniversalServerAdmins group.
Click Start, click Run, type http://<name of your Issuing CA Server>/certsrv, and then click OK.
Under Select a task, click Download a CA certificate, certificate chain, or CRL.
Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.
In the File Download dialog box, click Save.
Save the .p7b file to the hard disk on the server, and then copy it to a folder on the Mediation Server.
Note
If you open this file, you will see that it contains all of the certificates that are in the certification path. To view the certification path of the server certificate itself, open the server certificate and then click the Certification Path tab.
To install the CA certificate chain for the Mediation Server
In the Deployment Wizard, click Deploy Other Server Roles, and then click Deploy Mediation Server.
On the Deploy Mediation Server page, next to Step 4 Configure Certificates, click Run.
On the Welcome page of the Communications Certificate Wizard, click Next.
On the Available certificate tasks page, click Import a certificate chain from a .p7b file, and then click Next.
On the Import Certificate Chain page, click Browse to locate the .p7b file, click the file, and then click Next.
Click Finish.
To verify that your CA is in the list of trusted root CAs
Open an MMC console by clicking Start, clicking Run, typing mmc in the Open box, and then clicking OK.
On the File menu, click Add/Remove Snap-in, and then click Add.
In the Add Standalone Snap-ins box, click Certificates, and then click Add.
In the Certificate snap-in dialog box, click Computer account, and then click Next.
In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.
Click Close, and then click OK.
In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
In the details pane, verify that your CA is on the list of trusted CAs.
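As an added check that is not part of the original topic, the following PowerShell script reads the .p7b chain file saved in the first procedure and reports whether each certificate in it is present in the Mediation Server's local machine stores (the root in Trusted Root Certification Authorities, any subordinate CA in Intermediate Certification Authorities). The file path is an assumption; run it on the Mediation Server.

```powershell
# Added example (not from the original topic): verify that every certificate in the
# downloaded CA chain file is present in the local machine certificate stores.
$ChainFile = 'C:\Certs\certnew.p7b'   # assumed location of the saved .p7b chain file

# Load all certificates contained in the PKCS#7 (.p7b) chain file
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($ChainFile)

# Open the two stores the wizard populates: trusted roots ('Root') and intermediate CAs ('CA')
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$caStore   = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
$rootStore.Open('ReadOnly')
$caStore.Open('ReadOnly')

foreach ($cert in $chain) {
    # A self-signed certificate (subject equals issuer) is the root CA;
    # anything else in the chain is a subordinate (issuing) CA
    $isRoot = ($cert.Subject -eq $cert.Issuer)
    $store  = if ($isRoot) { $rootStore } else { $caStore }
    $label  = if ($isRoot) { 'Root CA' } else { 'Issuing CA' }

    # Look the certificate up by thumbprint; validOnly=$false so an expired copy is still reported as present
    $matches = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    $state   = if ($matches.Count -gt 0) { 'present' } else { 'MISSING' }

    '{0,-11} {1,-8} {2}  {3}' -f $label, $state, $cert.Thumbprint, $cert.Subject
}

$rootStore.Close()
$caStore.Close()
```

Any line reported as MISSING means the chain import in the previous procedure did not land in the expected store, and the certificate request that follows will not chain to a trusted root on this server.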
To create the certificate request for the Mediation Server
In the Deployment Wizard, on the Deploy Mediation Server page, next to Step 3, Configure Certificates for the Mediation Server, click Run.
On the Welcome page of the Communications Certificate Wizard, click Next.
On the Available Certificate Tasks page, click Create a new certificate, and then click Next.
Note
If you already have a certificate available, click Assign an Existing Certificate and continue with steps 3 through 7 in the procedure To Assign the Certificate to the Mediation Server later in this topic.
On the Delayed or Immediate Request page, select one of the following options:
If you intend to output your request to a text file and then send that file to an offline CA, select the Prepare the request now, but send later check box, and then click Next.
Note
If you choose this option, you have to import the certificate and assign it to the Mediation Server later.
If you want to send the request immediately, select the Send the request immediately to an online CA check box, and then click Next.
On the Name and Security Settings page, type a friendly name for the certificate, specify the bit length (typically the default of 1024), select the Mark certificate as exportable check box, and then click Next.
On the Organization Information page, type the name for the organization and the organizational unit (for example, a division or department), and then click Next.
On the Your Server's Subject Name page, type or select the subject name and subject alternate name of the Mediation Server.
Note
The subject name should match the FQDN of the Mediation Server.
If your deployment includes multiple SIP domain names, in Subject alternate name, type the same name that you typed in Subject name, and then click Add. Type each additional SIP domain name, separating each name with a comma. Click Next.
On the Geographical Information page, type the location information, and then click Next.
The next page you see depends on which option you chose in Step 4:
- If you selected Send the request immediately to an online CA in Step 4, select your CA from the list or type the name of your CA in the Certification Authority box. If you type an external CA name, a dialog box appears. Type the user name and password for the external CA, click OK, and then click Next.
- If you selected Prepare the request now but send later in Step 4, type the file name and path to which the request is to be saved, and then click Next. Submit this file to your CA (by e-mail or other method supported by your organization for your Enterprise CA) and, when you receive the response file, copy the new certificate to this computer so that it is available for import.
On the Request Summary page, click Next.
On the Certificate Wizard Completed page, verify successful completion, and then click Finish.
Note
If you obtained your certificate from an online CA, skip the next procedure and proceed directly to the procedure that follows it, entitled "To assign the certificate to the Mediation Server."
To import the certificate for the Mediation Server
In the Deployment Wizard, on the Deploy Mediation Server page, next to Step 4, Configure Certificates, click Run.
On the Welcome page of the Communications Certificate Wizard, click Next.
On the Pending certificate tasks page, click Process a pending request and import the certificate, and then click Next.
In the Path and file name box, type the full path and file name of the certificate that you requested for the Mediation Server, and then click Next.
On the wizard completion page, verify successful completion, and then click Finish.
To assign the certificate to the Mediation Server
In the Deployment Wizard, on the Deploy Mediation Server page, next to Step 4, Configure Certificates, click Run.
On the Welcome page of the Communications Certificate Wizard, click Next.
On the Available certificate tasks page, click Assign an existing certificate, and then click Next.
On the Available Certificates page, select the certificate that you requested for the Mediation Server, and then click Next.
Review your settings, and then click Next.
On the Certificate Wizard Completed page, click Finish.
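As an added check that is not part of the original topic, the following PowerShell script inspects the certificate in the local machine Personal store and confirms the properties the request procedure asks for: a subject name equal to the Mediation Server FQDN, subject alternate names covering the FQDN and each SIP domain, the key length, a private key, and a chain that builds to a trusted root. The friendly name, FQDN and SIP domain list are assumptions; the SAN parsing relies on the English "DNS Name=" text that Windows emits when formatting the extension.

```powershell
# Added example (not from the original topic): validate the certificate assigned to the
# Mediation Server against the subject name / SAN requirements described in this topic.
$FriendlyName = 'Mediation Server'                # friendly name typed in the wizard (assumed)
$Fqdn         = 'mediation01.contoso.com'         # FQDN of the Mediation Server (assumed)
$SipDomains   = @('contoso.com', 'fabrikam.com')  # additional SIP domain names (assumed)

# Find the certificate in LocalMachine\My; it must carry a private key to be usable by the server
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$cert = $store.Certificates |
    Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey } |
    Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate named '$FriendlyName' with a private key in LocalMachine\My" }

# Subject CN must match the server FQDN
$cn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
'Subject CN matches FQDN  : {0}  ({1})' -f ($cn -ieq $Fqdn), $cn

# Subject Alternative Name extension (OID 2.5.29.17): collect the DNS entries
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    # Multi-line Format() output has one "DNS Name=<value>" line per entry (English Windows)
    $sans = ($sanExt.Format($true) -split "`r?`n") |
        Where-Object { $_ -match 'DNS Name=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}
foreach ($name in @($Fqdn) + $SipDomains) {
    'SAN contains {0,-28}: {1}' -f $name, ($sans -contains $name)
}

# Key length: the wizard default is 1024 bits; current practice is 2048 bits or more
'Public key bits          : {0}' -f $cert.PublicKey.Key.KeySize

# The certificate must chain to a CA present in the trusted root store checked earlier in this topic
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL retrieval is outside the scope of this check
$built = $chain.Build($cert)
'Chains to trusted root   : {0}' -f $built
if (-not $built) { $chain.ChainStatus | ForEach-Object { '  ' + $_.StatusInformation.Trim() } }
```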