Obtaining Certificates for Group Chat Server
Topic Last Modified: 2010-04-14
You must have a certificate issued by the same certification authority (CA) as the one used by Office Communications Server 2007 R2 internal servers for each server running Lookup service, Channel service, Web service, and Compliance service. Obtain the required certificate(s) before you start Microsoft Office Communications Server 2007 R2 Group Chat, especially if you are using an external CA.
You can use the procedures in this topic to obtain a certificate by using an internal enterprise CA and Certificate Services.
To download the CA certification path
With your Enterprise root CA offline and your Enterprise subordinate (issuing) CA server online, sign in to your Group Chat Server, click Start, click Run, type http://<name of your Issuing CA Server>/certsrv, and then click OK.
In the Select a task box, click Download a CA certificate, certificate chain, or CRL.
In Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.
In the File Download dialog box, click Save.
Save the .p7b file on a drive on your server. If you open this .p7b file, the chain contains the following two certificates:
- <name of Enterprise root CA> certificate
- <name of Enterprise subordinate CA> certificate
To install the CA certification path
Click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
On the Available Standalone Snap-ins list, click Certificates, and then click Add.
Click Computer account, and then click Next.
In the Select Computer dialog box, click Local computer (the computer this console is running on), and then click Finish.
Click Close, and then click OK.
In the console tree of the Certificates snap-in, expand Certificates (Local Computer).
Expand Trusted Root Certification Authorities.
Right-click Certificates, point to All Tasks, and then click Import.
In the Import Wizard, click Next.
Click Browse, navigate to where you saved the certification chain, click the .p7b file, and then click Open.
Click Next.
Accept the default value Place all certificates in the following store and verify that Trusted Root Certification Authorities appears under the Certificate store.
Click Next.
Click Finish.
To request a certificate
Open a Web browser, type http://<name of your Issuing CA server>/certsrv, and then press ENTER.
Click Request a Certificate.
Click Advanced certificate request.
Click Create and submit a request to this CA.
In Certificate Template, select the Web server template.
In Identifying Information for Offline Template, in Name, type the fully qualified domain name (FQDN) of the server.
In Key Options, in CSP, click Microsoft RSA SChannel Cryptographic Provider.
Select the Store certificate in the local computer check box.
Click Submit.
In the Potential Scripting Violation dialog box, click Yes.
To install the certificate on the computer
Click Install this certificate.
In the Potential Scripting Violation dialog box, click Yes.
To manually approve a certificate issuance request after the request is made
Log on as a member of the Domain Admins group to the Enterprise subordinate CA server.
Click Start, click Run, type mmc, and then press ENTER.
On the File menu, click Add/Remove Snap-in.
Click Add.
In Add Standalone Snap-in, click Certification Authority, and then click Add.
In Certification Authority, click Local computer (the computer this console is running on).
Click Finish.
Click Close, and then click OK.
In the Microsoft Management Console (MMC), expand Certification Authority, and then expand your issuing certificate server.
Click Pending request.
In the details pane, right-click the request identified by its request ID, point to All Tasks, and then click Issue.
On the server from which you requested the certificate, click Start, and then click Run.
Type http://<name of your Issuing CA Server>/certsrv, and then click OK.
In the Select a task box, click View the status of a pending certificate request.
On the View the Status of a Pending Certificate Request page, click your request.
Click Install this certificate.
Verify that the certification authority (CA) certificate chain that grants trust for certificates issued from your CA has been installed at the following location: Console Root/Certificates (Local Computer)/Trusted Root Certification Authorities/Certificates. This chain contains the Root CA certificate.
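The final verification step can also be scripted. The following PowerShell is an added example, not part of the original topic: it checks that the server certificate is in the local computer store with a private key and that its chain ends at a root present in Trusted Root Certification Authorities. The $Fqdn parameter and its default are assumptions; pass the name you typed in the request form if it differs.

```powershell
# Added example. Run on the Group Chat server in an elevated PowerShell session.
param(
    # Assumption: the Name field of the request was this server's FQDN.
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

# Certificates in the local computer Personal store whose subject name is the FQDN.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $Fqdn })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate with subject name $Fqdn in LocalMachine\My"
    return
}

foreach ($cert in $certs) {
    # Collect the EKU OIDs; Server Authentication is expected from the Web server template.
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }

    # Build the chain in the machine context. The default policy checks revocation
    # online, so an unreachable CRL distribution point appears in ChainStatus.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chainOk = $chain.Build($cert)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root = $elements[-1]   # last element is the top of the chain that was built

    New-Object PSObject -Property @{
        Thumbprint      = $cert.Thumbprint
        Issuer          = $cert.Issuer
        NotAfter        = $cert.NotAfter
        HasPrivateKey   = $cert.HasPrivateKey
        ServerAuthEku   = ($eku -contains $serverAuthOid)
        ChainBuilds     = $chainOk
        ChainStatus     = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        RootSelfSigned  = ($root.Subject -eq $root.Issuer)
        RootInRootStore = (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")
    } | Format-List

    # Show which local computer store holds each CA certificate in the chain
    # (Root = Trusted Root Certification Authorities, CA = Intermediate).
    foreach ($c in ($elements | Select-Object -Skip 1)) {
        $stores = 'Root', 'CA' |
            Where-Object { Test-Path "Cert:\LocalMachine\$_\$($c.Thumbprint)" }
        '{0} -> store(s): {1}' -f $c.Subject, ($stores -join ', ')
    }
}
```

A usable result has HasPrivateKey, ServerAuthEku, ChainBuilds, RootSelfSigned and RootInRootStore all True and an empty ChainStatus.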