Comments on: Automatic Office Communicator Sign-In (Part 3 – ensuring the client trusts the issuing Certificate Authority)

By: The OCS 2007 Automatic Sign-In Troubleshooting Tool V1.0 « Inside OCS

The OCS 2007 Automatic Sign-In Troubleshooting Tool V1.0 « Inside OCS — Wed, 29 Jul 2009 16:24:58 +0000

[...] Automatic Office Communicator Sign-In (Part 3 – ensuring the client trusts the issuing Certificate… Possibly related posts: (automatically generated)Automatic Office Communicator Sign-In (Part 1 – The Correct DNS Service L… [...]

By: Automatic Office Communicator Sign-In (Part 1 – The Correct DNS Service Location (SRV) Record) « Inside OCS

Fri, 24 Jul 2009 21:36:51 +0000

[...] Automatic Office Communicator Sign-In (Part 3 – ensuring the client trusts the issuing Certificate… [...]

By: DNS Records and Office Communicator Automatic Client Sign-In « Inside OCS

DNS Records and Office Communicator Automatic Client Sign-In « Inside OCS — Fri, 24 Jul 2009 21:33:33 +0000

[...] Automatic Office Communicator Sign-In (Part 3 – ensuring the client trusts the issuing Certificate… [...]

By: Automatic Office Communicator Sign-In (Part 2 – ensuring the correct Subject Name on the Certificate) « Inside OCS

Fri, 24 Jul 2009 21:16:58 +0000

[...] Automatic Office Communicator Sign-In (Part 3 – ensuring the client trusts the issuing Certificate… [...]

By: Curtis Johnstone

Curtis Johnstone — Tue, 30 Jun 2009 15:24:18 +0000

I don't know the details of the $30 certificate you mention, but $30 sounds too good to be true in my experience. I would be surprised if it met all the requirements of a UCC certificate. Generally speaking, to use a certificate on an OCS 2007 Front-End, the certificate should be a Web certificate with Enhanced Key Usage for server authentication. If you submit the certificate request to your CA (GoDaddy) by generating a Certificate Signing Request (CSR) using the OCS 2007 Certificate Wizard, the necessary requirements should be included in that request. I have first-hand experience, and have heard from others, that DigiCert offers a cost effective UCC certificate (that is not an endorsement plug for DigiCert; just relaying my experience). Also, Microsoft has a list of CA's that issue UCC certificates for Exchange and OCS in this Knowledge Base Article: Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007. Note: for the Web Components Server, you should use the IIS certificate wizard. See Section 3.7 (Configure the Web Components Server IIS Certificate) in the OCS 2007 Deployment Guide for more information.

By: Josh

Josh — Tue, 30 Jun 2009 13:19:49 +0000

Great article.
I went with a enterprise setup, and chose to purchase a normal SSL Cert with GoDaddy. I was able to install it successfully and now that I am ready to test Office communicator, when trying to sign in, I get

“There was a problem verifying the certificate from the server. Please contact your system administrator.”

The SRV record is set.
DNS is set.

The only thing I’m confused about is the Installation wizard, when runnning the certificate piece wanted to put a Subject Alternate Name for SIP, which I did: sip.domain.com, but of course it wasn’t a UCC Cert that I purchased. ANy issues there? Would a normal 30$ cert be able to append a SAN to it? SHould this work for the Front End server, and then I could purchase a UCC for any additional servers like Edge’s, etc?

Godaddy has been no help.