CWA 2007 R2 Certificate Requirements

Just finished banging my head against the wall on this one. With the original release of OCS 2007 I would typically place a wildcard certificate on the internal Communicator Web Access virtual server. I’ve found that most of my clients don’t have their internal Root CA certificates installed on Linux or Mac machines so using the wildcard avoided any kind of certificate trust errors. No dice in R2. Using a wildcard seems to break pieces of CWA (at least for an implementation collocated on a Front-End server).

The R2 documentation (as if I would read that first…) lays out that you actually need the machine FQDN on the virtual server certificate.

Subject Name: Matches the URL of the Communicator Web Access site. For example, if the URL is https://im.contoso.com then the certificate should have im.contoso.com as subject name.

Subject Alternative Names: Includes the following: The URL of the Communicator Web Access site. The as URL. The download URL. The fully qualified domain name (FQDN) of the Communicator Web Access server.

This doesn’t really lay out what to do if you have differing internal and SIP domains. So in my case, the internal domain is ptown.local and the SIP domain is confusedamused.com. The CWA server FQDN is cwa.ptown.local and my published CWA URL is im.confusedamused.com. My virtual server cert looks like this:

Subject Name: im.confusedamused.com

Subject Alternative Names: im.confusedamused.com,as.im.confusedamused.com,download.im.confusedamused.com,cwa.ptown.local

Without that last SAN entry you can sign in, but you’ll see the IE information bar indicate a certificate error when you try to initiate a chat with someone. It must be trying to reach the machine FQDN and when it doesn’t see the name on the cert it throws an error. This is probably the part that doesn’t work with the wildcard as well.
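To make the name-matching rules concrete, here is a small checker (added here as an example, not code from the post or from Microsoft) that takes the names on a certificate and reports which of the four hosts the R2 documentation lists are not covered. It assumes standard single-label wildcard matching (a `*.example.com` name matches `host.example.com` but not `a.b.example.com` and not a host in another domain), which is why `*.confusedamused.com` cannot cover `as.im.confusedamused.com`, `download.im.confusedamused.com` or `cwa.ptown.local`; the host names are the ones from the post, and the helper names are this example's own.

```python
"""Check whether a certificate's names cover every host CWA needs.

Added example: the names below are the ones used in the post; the functions
are this example's own and make no claim about how IE or CWA perform the
match internally beyond standard single-label wildcard rules.
"""
from typing import Iterable, List

# Hosts from the post (published CWA URL and the machine FQDN).
CWA_URL_HOST = "im.confusedamused.com"
MACHINE_FQDN = "cwa.ptown.local"


def required_cwa_names(site_host: str, machine_fqdn: str) -> List[str]:
    """Names the R2 docs call for: site URL, 'as' URL, download URL, machine FQDN."""
    return [site_host, f"as.{site_host}", f"download.{site_host}", machine_fqdn]


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.

    A '*' is honoured only as the entire left-most label, and it stands for
    exactly one label, so '*.confusedamused.com' matches 'im.confusedamused.com'
    but not 'as.im.confusedamused.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject '*' anywhere but the first label, partial-label wildcards, and
    # overly broad patterns such as '*.com'.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any subject or SAN name on the certificate matches the host."""
    return any(name_matches(n, hostname) for n in cert_names)


def missing_names(cert_names: Iterable[str], site_host: str, machine_fqdn: str) -> List[str]:
    """Required CWA hosts that none of the certificate's names cover."""
    names = list(cert_names)
    return [h for h in required_cwa_names(site_host, machine_fqdn) if not cert_covers(names, h)]


if __name__ == "__main__":
    # Subject + SANs as laid out in the post: nothing missing.
    full_cert = ["im.confusedamused.com", "as.im.confusedamused.com",
                 "download.im.confusedamused.com", "cwa.ptown.local"]
    print("full cert missing:", missing_names(full_cert, CWA_URL_HOST, MACHINE_FQDN))
    # The old wildcard approach: only the bare site host is covered.
    print("wildcard missing:", missing_names(["*.confusedamused.com"], CWA_URL_HOST, MACHINE_FQDN))
```

Run it as-is to compare the post's full certificate against a plain wildcard; the wildcard case lists the three hosts that the cert does not cover, and dropping `cwa.ptown.local` from the full list leaves exactly that one host missing, which matches the behaviour described above.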

The error you’ll see in IE is this:

To help protect your security, Internet Explorer has blocked this website from displaying content with security certificate errors.

So what’s this mean? Better start getting those Root CA certs out to your Linux and Mac clients.
