Why You Can’t Use a Wildcard Certificate for CWA 2007 R2

A few weeks ago I had posted an issue we were seeing internally after deploying Communicator Web Access R2 where we saw a certificate error only when IE was the user’s browser, even when going through a reverse proxy. After a lot of searching, debugging and help requests I finally got an answer back from someone at Microsoft as to why this was happening.

The problem occurs because Internet Explorer only recognizes 1 level of a wildcard certificate. So, my initial logon and connection were completely valid to im.confusedamused.com using a wildcard certificate of *.confusedamused.com. The problem manifested itself whenever I would try and initiate a chat session with someone and the information bar would drop in complaining of a certificate mismatch. Doing some logging shows that the as.im.confusedamused.com and download.im.confusedamused.com URLs are contacted when you open a chat. Since IE won’t consider  the *.confusedamused.com certificate valid for either of those URLs because they are technically 1 level deeper than my wildcard certificate is issued for, it generates a certificate warning.

I didn’t bother testing, but I imagine if you generated a SAN certificate with a subject name of *.confusedamused.com and a SAN of *.im.confusedamused.com IE would have allowed the connection with no warning. We ended up just going with a named SAN cert of the following:

Subject Name: im.confusedamused.com

Subject Alternative Names: im.confusedamused.com, as.im.confusedamused.com, download.im.confusedamused.com

For what it’s worth Firefox and Safari seem to accept multiple levels of a wildcard certificate just fine so the issue seems to be constrained to just IE. It would be great to say that CWA was just for other browsers anyway, but the desktop sharing features makes a strong case to include support for IE in your deployment.

For the next wave of OCS I’d hope the product team does away with the domain prefixes and just key off of suffixes instead using something like im.confusedamused.com/as or im.confusedamused.com/download so this is isn’t an issue. They did this for the /join and /dialin pieces, so I would think it’s possible. Oh well, maybe in 2010.

Here

Recent content I've written for you—just for you!— to enjoy while you're here.

There

Quick commentary and links to other sources you'll find interesting. I promise.

Everywhere

Some personal background, links to related projects, and other ways to connect.

Hi there. My name is Tom Pacyk and this is my small home on the web. I love the intersection of design, technology, and communication, which is a combination that led me to a career in sales and marketing roles at places like Zoom and ServiceNow. They're a bit old now, but I also had the opportunity to publish a couple of books along the way.

Portland, Oregon is home for me, my wife Beth, and our three kids, but I'm actually a Midwestern transplant—I grew up in the Chicago suburbs and went to school at Purdue and Illinois. When I find some free time I'm probably going to concerts, rooting for the Portland Timbers, or working on my Sunshine Burn Photography project.