CWA 2007 R2 Certificate Requirements

Just finished banging my head against the wall on this one. With the original release of OCS 2007 I would typically place a wildcard certificate on the internal Communicator Web Access virtual server. I’ve found that most of my clients don’t have their internal Root CA certificates installed on Linux or Mac machines so using the wildcard avoided any kind of certificate trust errors. No dice in R2. Using a wildcard seems to break pieces of CWA (at least for an implementation collocated on a Front-End server).

The R2 documentation (as if I would read that first…) lays out that you actually need the machine FQDN on the virtual server certificate.

Subject Name: Matches the URL of the Communicator Web Access site. For example, if the URL is https://im.contoso.com then the certificate should have im.contoso.com as subject name.

Subject Alternative Names: Includes the following:
  1. The URL of the Communicator Web Access site.
  2. The "as" URL.
  3. The download URL.
  4. The fully qualified domain name (FQDN) of the Communicator Web Access server.

This doesn’t really lay out what to do if your internal and SIP domains differ. In my case the internal domain is ptown.local and the SIP domain is confusedamused.com. The CWA server FQDN is cwa.ptown.local and my published CWA URL is im.confusedamused.com. My virtual server cert looks like this:

Subject Name: im.confusedamused.com

Subject Alternative Names: im.confusedamused.com, as.im.confusedamused.com, download.im.confusedamused.com, cwa.ptown.local

Without that last SAN entry you can sign in, but you’ll see the IE information bar indicate a certificate error when you try to initiate a chat with someone. The client must be reaching the server by its machine FQDN, and when that name isn’t on the cert it throws an error. This is probably the same piece that doesn’t work with the wildcard: a wildcard for the SIP domain doesn’t cover the internal machine name at all.
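To make the name-coverage rule concrete, here is an added example (not from the original post or the OCS documentation) that takes the four names the R2 documentation requires and reports which of them a certificate's subject and SAN list fail to cover. It uses the standard one-label wildcard rule (RFC 6125 section 6.4.3), so `*.confusedamused.com` matches `im.confusedamused.com` but not `as.im.confusedamused.com` or `cwa.ptown.local`; that a given browser applies exactly these rules is an assumption, not something the post verifies. The hostnames are the ones from the post.

```python
"""Check that a certificate's names cover everything CWA R2 needs.

Added example, not code from the original post. Name matching follows the
single-label wildcard rule of RFC 6125 section 6.4.3: "*.example.com"
matches "a.example.com" but neither "example.com" nor "b.a.example.com".
"""
from __future__ import annotations


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match with one-label wildcard support."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard stands in for exactly one left-most label; the remaining
    # labels must match exactly.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def required_cwa_names(cwa_host: str, server_fqdn: str) -> list[str]:
    """The four names the R2 documentation lists for the CWA virtual server:
    the CWA URL host, the as.* host, the download.* host, and the machine FQDN."""
    return [cwa_host, f"as.{cwa_host}", f"download.{cwa_host}", server_fqdn]


def missing_names(subject_cn: str, sans: list[str], required: list[str]) -> list[str]:
    """Return the required names that neither the subject nor any SAN covers."""
    presented = [subject_cn, *sans]
    return [name for name in required
            if not any(hostname_matches(p, name) for p in presented)]


# Values from the post: CWA published as im.confusedamused.com,
# server machine FQDN cwa.ptown.local (internal domain differs from SIP domain).
REQUIRED = required_cwa_names("im.confusedamused.com", "cwa.ptown.local")

# The certificate the post ends up with.
FULL_SANS = ["im.confusedamused.com", "as.im.confusedamused.com",
             "download.im.confusedamused.com", "cwa.ptown.local"]

# The same certificate without the machine FQDN (the chat-initiation failure).
NO_FQDN_SANS = FULL_SANS[:-1]


def check_full() -> list[str]:
    return missing_names("im.confusedamused.com", FULL_SANS, REQUIRED)


def check_without_fqdn() -> list[str]:
    return missing_names("im.confusedamused.com", NO_FQDN_SANS, REQUIRED)


def check_wildcard() -> list[str]:
    # A single wildcard for the SIP domain, as used with the original OCS 2007 release.
    return missing_names("*.confusedamused.com", ["*.confusedamused.com"], REQUIRED)


if __name__ == "__main__":
    for label, fn in [("full", check_full),
                      ("no FQDN", check_without_fqdn),
                      ("wildcard", check_wildcard)]:
        print(f"{label:9s} missing: {fn() or 'nothing'}")
```

Running it shows the full certificate covers everything, dropping the last SAN leaves only `cwa.ptown.local` uncovered, and the wildcard leaves three of the four names uncovered, since the as. and download. names sit one label deeper than the wildcard and the machine FQDN is in a different domain entirely.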

The error you’ll see in IE is this:

To help protect your security, Internet Explorer has blocked this website from displaying content with security certificate errors.

So what’s this mean? Better start getting those Root CA certs out to your Linux and Mac clients.

Peanut Gallery

  1. Try a wildcard cert from DigiCert; they support wildcards with SANs. I use this on my ISA edge and it works great.

  2. I requested a cert from my internal CA per the deployment instructions, but when I select that cert in the Communicator Web Access Activation Wizard, I get an error box saying “The subject of the certificate you selected doesn’t match the current computer’s FQDN.” This seems to imply I need the subject name to be the FQDN, not just putting in the FQDN as one of the SAN’s. There doesn’t seem to be that many steps in the instructions… Am I missing some tiny detail?

  3. Paul, that’s normal if you’re requesting a certificate for something other than the OCS Front-End. The wizard is geared towards making sure you get a correct cert for the Front-End, but you can certainly issue one for CWA and just skip past that warning.

  4. I know I’m a bit late by about a year on this post, but I too am getting the same problem as Paul in that I am prompted with “The subject of the certificate you selected doesn’t match the current computer’s FQDN.” Unfortunately the install does not allow me to skip this step. Below is a listing of my cert contents:

    Subject Name: cwa.aoglobal.dev

    Subject Alternative Names: DNS Name=cwa.aoglobal.dev, DNS Name=as.cwa.aoglobal.dev, DNS Name=download.cwa.aoglobal.dev, DNS Name=lnsimsg06d.aoglobal.dev

    Does this appear correct? Note that cwa is a CNAME which maps to the host record for the server name lnsimsg06d.aoglobal.dev.

  5. One interesting question. I’ve created a request as described in MS documentation for OCS 2007 R2; however, when I connect to CWA with the FQDN of the server inside the company network (in my case http://moscs03.domain.com) all works fine, but when I connect at the SAN address (i.e. https://cwa.domain.com) I cannot log in. A window pops up prompting for username and password and nothing happens; access denied after three attempts. Any thoughts?
