Why You Can’t Use a Wildcard Certificate for CWA 2007 R2

A few weeks ago I had posted an issue we were seeing internally after deploying Communicator Web Access R2 where we saw a certificate error only when IE was the user’s browser, even when going through a reverse proxy. After a lot of searching, debugging and help requests I finally got an answer back from someone at Microsoft as to why this was happening.

The problem occurs because Internet Explorer only recognizes 1 level of a wildcard certificate. So, my initial logon and connection were completely valid to im.confusedamused.com using a wildcard certificate of *.confusedamused.com. The problem manifested itself whenever I would try and initiate a chat session with someone and the information bar would drop in complaining of a certificate mismatch. Doing some logging shows that the as.im.confusedamused.com and download.im.confusedamused.com URLs are contacted when you open a chat. Since IE won’t consider  the *.confusedamused.com certificate valid for either of those URLs because they are technically 1 level deeper than my wildcard certificate is issued for, it generates a certificate warning.

I didn’t bother testing, but I imagine if you generated a SAN certificate with a subject name of *.confusedamused.com and a SAN of *.im.confusedamused.com IE would have allowed the connection with no warning. We ended up just going with a named SAN cert of the following:

Subject Name: im.confusedamused.com

Subject Alternative Names: im.confusedamused.com, as.im.confusedamused.com, download.im.confusedamused.com

For what it’s worth Firefox and Safari seem to accept multiple levels of a wildcard certificate just fine so the issue seems to be constrained to just IE. It would be great to say that CWA was just for other browsers anyway, but the desktop sharing features makes a strong case to include support for IE in your deployment.

For the next wave of OCS I’d hope the product team does away with the domain prefixes and just key off of suffixes instead using something like im.confusedamused.com/as or im.confusedamused.com/download so this is isn’t an issue. They did this for the /join and /dialin pieces, so I would think it’s possible. Oh well, maybe in 2010.