Creating Certificates for LCS

  • Article

The information below comes from one of our support staff, handling certificate service issues. 

Live Communication Server requires a certificate to enable TLS. To generate this certificate, find the scenario that best fits your situation.

Run the following commands to allow the Certificate Authority to issue Alternate Names.

1. certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

2. net stop certsvc

3. net start certsvc

1. Use the LCS Cert Utility:

Live Communications Server 2005 with Service Pack 1 Resource Kit <https://www.microsoft.com/downloads/details.aspx?familyid=D21C38E5-5D8F-44C7-BA17-2CC4F85D8B51&displaylang=en>

The LCS Cert Utility tool generates certificate online and offline certificate requests and import a certificate response issued by an offline CA (certification authority). It also allows users to delete certificates from the partner certificate store in Access Proxies.

2. If the customer has a 2003 Stand Alone CA:

a. Go to the Web Page of the CA: https://server/certsrv

b. Chose "Request certificate"

c. Choose "submit an advanced certificate request"

d. Choose "Create and submit a request to this CA"

e. Enter the Pool Name FQDN in the Name Field

f. Chose Other in the Certificate Request Type

g. Enter the OID 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

h. Chose Microsoft RSA Schannel CSP

i. Check "Mark keys as exportable"

j. Check "Store certificate in the local computer certificate store"

k. Enter the following in Attributes:

l. SAN:DNS=FQDN OF THE LCS POOL&DNS=FQDN OF THE LCS SERVER

m. Enter a Friendly Name of LCS

n. Click "Submit"

 

3. If the customer has a 2003 Standard Edition, Enterprise CA:

a. Create a request.inf file on the LCS server as follows:

====================Snip=================

[NewRequest]

Subject = "CN=server.microsoft.com" ; must be the FQDN of LCS server

EncipherOnly = FALSE

Exportable = TRUE

KeyLength = 1024

KeySpec = 1

KeyUsage = 0xA0

MachineKeySet = True

ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

ProviderType = 12

RequestType = CMC

< Feb 13, 2008 update:

John at Modality Systems followed up with me to correct the request attributes syntax, to be fair I have copied his comment as submitted. Thanks John. >

Instead of:

[RequestAttributes]

CertificateTemplate = WebServer

SAN:DNS=FQDN OF THE LCS POOL&DNS=FQDN OF THE LCS SERVER

It should be:

[RequestAttributes]

CertificateTemplate = WebServer

SAN =” DNS=FQDN OF THE LCS POOL&DNS=FQDN OF THE LCS SERVER

The colon should be an = sign and you need a single set of double-quotes around the string containing the SAN’s

Your original syntax is correct if you are requesting the attributes from the command line “certreq.exe –attrib” command, but the policy file (.inf) syntax must be the way I’ve shown it.

====================Snip=================

 

b. Issue the following commands:

                                 i.  certreq -new request.inf certnew.req

                               ii. certreq -submit certnew.req certnew.cer

                              iii. certreq -retrieve <RequestID> certnew.cer

                             iv. certreq -accept certnew.cer

c. Right click the certnew.cer file and select "Install Certificate".

d. Click Next twice and then click Finish.

 

4. If the customer has a 2003 Enterprise Edition, Enterprise CA:

a. Create a Duplicate of the Computer template.

b. Select the "Supply in request" option under the Subject Name tab

c. Select the "Allow private key to be exported" option under the Request Handling tab.

d. Publish the new template.

e. Request the certificate on the LCS server by going to the Web Page of the CA: https://server/certsrv

f. Chose request certificate

g. Choose "submit an advanced certificate request"

h. Choose "Create and submit a request to this CA"

i. Select the template you just created and published.

j. Enter the Pool Name FQDN in the Name Field

k. Check "Mark keys as exportable"

l. Check "Store certificate in the local computer certificate store"

m. Enter the following in Attributes:

n. SAN:DNS=FQDN OF THE LCS POOL&DNS=FQDN OF THE LCS SERVER

o. Enter a Friendly Name of LCS

p. Click "Submit"

 

5. If the customer has a 2000 Stand Alone or Enterprise CA:

The Windows 2000 CA policy module does not support building the Subject Alternative Name (SUBJECTALTNAME2) extension from the SAN request attribute. Both Certreq.exe and the built-in https://<servername>/certsrv request website add the Subject Alternate Name data as a request extension when the request is built and neither will work against a Windows 2000 CA. Submit a request that contains the SAN as part of the actual request, not as a request attribute.

 The LCSCertUtil.exe tool from the LCS reskit (see step #1) will build the request in this way. If you generate the request file from LCSCertutil.exe, you can submit the request to a Windows 2000 CA using "certreq -submit" or the https://<servername>/certsrv request website.

To submit to the website:

a. Go to the Web Page of the CA: https://server/certsrv

b. Chose "Request a certificate"

c. Choose "Advanced request"

d. Choose ""Submit a certificate request using a base64 encoded PKCS#10 file or a renewal request using a base64 encoded PKCS#7 file."

e. Click on "Browse" and browse for the request file created by the LCSCertUtil.exe tool.

f. Click "Read!" to read the request file.

g. Click "Submit"

** If the customer is requesting the Certificate against a 3rd party CA, LCS requires that it MUST support the use Subject Alternative Names. Microsoft does not know if it does or does not support this functionality and the customer should contact the Certificate Vendor to verify this.

============================================================