CWA 2007 R2 Certificate Requirements

Just finished banging my head against the wall on this one. With the original release of OCS 2007 I would typically place a wildcard certificate on the internal Communicator Web Access virtual server. I’ve found that most of my clients don’t have their internal Root CA certificates installed on Linux or Mac machines so using the wildcard avoided any kind of certificate trust errors. No dice in R2. Using a wildcard seems to break pieces of CWA (at least for an implementation collocated on a Front-End server).

The R2 documentation (as if I would read that first…) lays out that you actually need the machine FQDN on the virtual server certificate.

Subject Name: Matches the URL of the Communicator Web Access site. For example, if the URL is https://im.contoso.com then the certificate should have im.contoso.com as subject name.

Subject Alternative Names: Includes the following: The URL of the Communicator Web Access site. The as URL. The download URL. The fully qualified domain name (FQDN) of the Communicator Web Access server.

This doesn’t really lay out what to do if your internal and SIP domains differ. So in my case, the internal domain is ptown.local and the SIP domain is confusedamused.com. The CWA server FQDN is cwa.ptown.local and my published CWA URL is im.confusedamused.com. My virtual server cert looks like this:

Subject Name: im.confusedamused.com

Subject Alternative Names: im.confusedamused.com, as.im.confusedamused.com, download.im.confusedamused.com, cwa.ptown.local

Without that last SAN entry you can sign in, but you’ll see the IE information bar indicate a certificate error when you try to initiate a chat with someone. It must be trying to reach the machine FQDN and when it doesn’t see the name on the cert it throws an error. This is probably the part that doesn’t work with the wildcard as well.
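As an added check, not part of the original post, here is a small Python script that takes the names from a certificate in the shape Python's ssl getpeercert() returns and reports which of the four R2-required names are not covered. The two certificates in it are constructed to mirror the post, it assumes the as./download. prefix convention shown above, and it applies the usual single-label wildcard rule, which is why a wildcard certificate cannot cover the as/download names or the machine FQDN in the other domain.

```python
from typing import Dict, List

# Shape of the dict returned by ssl.SSLSocket.getpeercert(); constructed here
# to mirror the certificate described in the post.
CWA_CERT = {
    "subject": ((("commonName", "im.confusedamused.com"),),),
    "subjectAltName": (
        ("DNS", "im.confusedamused.com"),
        ("DNS", "as.im.confusedamused.com"),
        ("DNS", "download.im.confusedamused.com"),
        ("DNS", "cwa.ptown.local"),
    ),
}

# Constructed wildcard certificate of the kind used with the original OCS 2007 release.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.confusedamused.com"),),),
    "subjectAltName": (("DNS", "*.confusedamused.com"),),
}

def cert_dns_names(cert: Dict) -> List[str]:
    """Collect the CN plus every DNS SAN, i.e. the names a browser will match against."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names

def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' covers exactly one leftmost label, so
    *.confusedamused.com matches im.confusedamused.com but not as.im.confusedamused.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def required_cwa_names(cwa_url_host: str, server_fqdn: str) -> List[str]:
    """The four names the R2 documentation calls for: site URL, 'as' URL,
    download URL and the CWA server's machine FQDN (prefix convention assumed)."""
    return [cwa_url_host, f"as.{cwa_url_host}", f"download.{cwa_url_host}", server_fqdn]

def missing_names(cert: Dict, cwa_url_host: str, server_fqdn: str) -> List[str]:
    """Return the required names that no CN or SAN entry on the certificate covers."""
    present = cert_dns_names(cert)
    return [r for r in required_cwa_names(cwa_url_host, server_fqdn)
            if not any(hostname_matches(p, r) for p in present)]

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("R2 cert", CWA_CERT)):
        print(label, "missing:", missing_names(cert, "im.confusedamused.com", "cwa.ptown.local"))
```

Run it against a live server by feeding the dict from `ssl.SSLSocket.getpeercert()` in place of the constructed ones; an empty list means every required name is on the certificate.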

The error you’ll see in IE is this:

To help protect your security, Internet Explorer has blocked this website from displaying content with security certificate errors.

So what’s this mean? Better start getting those Root CA certs out to your Linux and Mac clients.