Set Up Certificates for the Internal Interface
Topic Last Modified: 2009-01-23
A certificate is required for mutual TLS (MTLS) communication between the Edge Servers and internal servers, including the A/V Conferencing Server and Mediation Server.
For details about the certificate requirements, see Certificate Requirements for External User Access.
Configuring the Certificates on Your Internal Interface
To set up a certificate on the internal interface of Edge Servers at one site, follow these steps:
- Step 1: Download the certification authority (CA) certification path for the internal interface to each Edge Server. For details, see Prepare for Edge Server Internal Certificates.
- Step 2: Import the CA certification path for the internal interface, on each Edge Server.
- Step 3: Verify that the CA is in the list of trusted root CAs, on each Edge Server.
- Step 4: Create the certificate request for the internal interface, on one Edge Server, called the first Edge Server.
- Step 5: Import the certificate for the internal interface on the first Edge Server.
- Step 6: Export the certificate, using the first Edge Server.
- Step 7: Import the certificate on the other Edge Servers at this site (or deployed behind this load balancer).
- Step 8: Assign the certificate for the internal interface of every Edge Server.
Instructions for steps 2 through 8 are later in this topic.
If you have more than one site with Edge Servers (that is, a multiple-site consolidated edge topology), or separate sets of Edge Servers deployed behind different load balancers, you need to follow steps 1 through 8 separately for each site that has Edge Servers, and for each set of Edge Servers deployed behind a different load balancer.
Note
The steps of the procedures in this section are based on using a Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CA, consult the documentation for that CA. By default, all authenticated users have rights to request certificates.
To import the CA certification path for the internal interface
On each Edge Server in your deployment, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.
On the Welcome page of the Communications Certificate Wizard, click Next.
On the Available Certificate Tasks page, select Import a certificate chain from a .p7b file, and then click Next.
On the Import Certificate Chain page, type the full path and name of the .p7b file, and then click Next.
Click Finish.
Repeat this procedure on each Edge Server.
To verify that your CA is in the list of trusted root CAs
On each Edge Server, open the Microsoft Management Console (MMC) by clicking Start, clicking Run, typing mmc in the Open box, and then clicking OK.
On the File menu, click Add/Remove Snap-in, and then click Add.
In the Add Standalone Snap-ins box, click Certificates, and then click Add.
In the Certificate snap-in dialog box, click Computer account, and then click Next.
In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.
Click Close, and then click OK.
In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
In the details pane, verify that your CA is on the list of trusted CAs.
Repeat this procedure on each Edge Server.
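The MMC check above is visual. As an added example (not part of the original topic), the following Windows PowerShell script performs the same verification against the .p7b file you imported in the previous procedure: it loads every certificate in the chain file, classifies each one as the root (self-issued) or a subordinate CA, and confirms that it is present in the matching LocalMachine store and not expired. It assumes Windows PowerShell is installed on the Edge Server and that $ChainFile is a placeholder path you replace with your own.

```powershell
# Added example; this script is not part of the original topic. It assumes Windows
# PowerShell is installed on the Edge Server and that $ChainFile is the .p7b file you
# imported in the previous procedure (placeholder path; replace with your own).
$ChainFile = "C:\certs\internal-ca-chain.p7b"

function Get-LocalMachineStore {
    # Returns a snapshot of one LocalMachine store: "Root" is Trusted Root
    # Certification Authorities, "CA" is Intermediate Certification Authorities.
    param([string]$StoreName)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, "LocalMachine")
    $store.Open("ReadOnly")
    try { return @($store.Certificates) } finally { $store.Close() }
}

function Test-CaChainInstalled {
    param([string]$Path)
    # Load every certificate in the PKCS#7 file (X509Certificate2Collection.Import reads .p7b).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $chain.Import($Path)
    $rootStore = Get-LocalMachineStore "Root"
    $caStore   = Get-LocalMachineStore "CA"
    $allGood = $true
    foreach ($cert in $chain) {
        # A self-issued certificate is the root; anything else is a subordinate CA
        # and belongs in the Intermediate store, not in Trusted Root.
        if ($cert.Subject -eq $cert.Issuer) { $storeName = "Root"; $candidates = $rootStore }
        else                                { $storeName = "CA";   $candidates = $caStore }
        $installed = $candidates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if (-not $installed) {
            Write-Host ("MISSING  {0} is not in LocalMachine\{1}" -f $cert.Subject, $storeName)
            $allGood = $false
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            Write-Host ("EXPIRED  {0} (NotAfter {1})" -f $cert.Subject, $cert.NotAfter)
            $allGood = $false
        } else {
            Write-Host ("OK       {0} in LocalMachine\{1}, thumbprint {2}" -f $cert.Subject, $storeName, $cert.Thumbprint)
        }
    }
    return $allGood
}

if (Test-CaChainInstalled $ChainFile) { Write-Host "CA certification path is installed." } else { exit 1 }
```

Matching on thumbprint rather than on the subject name avoids being fooled by a renewed or look-alike CA certificate with the same name. A root certificate that ended up only under Intermediate Certification Authorities is reported as MISSING, because chain building will not trust it there even though it looks installed in the MMC.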
To create the certificate request for the internal interface
On one Edge Server, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.
On the Welcome page of the Communications Certificate Wizard, click Next.
On the Available Certificate Tasks page, click Create a new certificate, and then click Next.
On the Select the Component for Which the Certificate Is Requested page, select Edge Server Private Interface, and then click Next.
On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box, and then click Next.
Note
If the Enterprise CA is reachable from the Edge Server, you can use the Send the request immediately to an online certification authority option. Since this is typically not the case, this procedure and other certificate request procedures in this guide do not cover the use of that option.
Additionally, be aware that once you create a request, it is pending and the Certificate Wizard will not let you create another request until you have processed the pending one.
On the Name and Security Settings page, type a friendly name for the certificate, specify the bit length (typically, the default of 1024), verify that the Mark certificate as exportable check box is selected, and then click Next.
On the Organization Information page, type the name for the organization and the organizational unit (such as a division or department, if appropriate), and then click Next.
On the Your Server's Subject Name page, type or select the subject name and subject alternate name of the Edge Server.
The subject name should match the fully qualified domain name (FQDN) of the Edge Server published by the internal firewall for the internal interface on which you are configuring the certificate:
- For the internal interface of the Edge Server, this subject name should match the name that your internal servers use to connect to the Edge Server (typically, the FQDN of the internal interface for the Edge Server).
- If you are using a load balancer, traffic to the Edge Server still uses the FQDN of the server's internal edge (the server name), but if you are using a virtual IP address for the Edge Server, the certificate should match the FQDN of the virtual IP address used by this server role on the internal load balancer. For the internal interface, this is typically the published Domain Name System (DNS) name in the perimeter network that maps to the Edge Server.
Select Automatically add local machine name to subject alternate name if you would like to add the computer name of the Edge Server to the certificate’s list of alternate names.
Click Next.
On the Geographical Information page, type the location information, and then click Next.
On the Certificate Request File Name page, type the full path and file name to which the request is to be saved in the File name box (for example, C:\certrequest_AccessEdge.txt), and then click Next.
On the Request Summary page, click Next.
On the wizard completion page, verify successful completion, and then click Finish.
Submit this file to your CA (by e-mail or other method supported by your organization for your Enterprise CA) and, when you receive the response file, copy the new certificate to this computer so that it is available for import.
Repeat this procedure for each Edge Server.
To import the certificate for the internal interface
On the Edge Server on which you created the certificate request, in Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.
On the Welcome page of the Communications Certificate Wizard, click Next.
On the Pending Certificate Request page, click Process an offline certificate request and import the certificate, and then click Next.
On the Process a Pending Request page, in Path and file name, type the full path and file name of the certificate that you requested and received for the internal interface of this Edge Server, and then click Next.
On the wizard completion page, verify successful completion, and then click Finish.
To export the certificate (for use by other Edge Servers)
On the Edge Server on which you requested and imported the certificate, in Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.
On the Welcome page of the Communications Certificate Wizard, click Next.
On the Available Certificate Tasks page, click Export a certificate to a .pfx file, and then click Next.
On the Available Certificates page, in Select a certificate, click the certificate that you imported to this Edge Server, and then click Next.
On the Export Certificate page, in Path and file name, type the full path and file name to which you want to export the certificate, and then click Next.
Include all certificates in the certificate path, if possible.
On the Export Certificate Password page, in Password, type the password that will be used to import the certificate on the other Edge Servers, and then click Next.
On the wizard completion page, verify successful completion, and then click Finish.
Copy the exported file to a location or media to which the other Edge Servers have access.
To import the certificate for the internal interface on the other Edge Servers
On each of the other Edge Servers at this site, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.
On the Welcome page of the Communications Certificate Wizard, click Next.
On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.
On the Import Certificate page, in Path and file name, type the full path and file name of the certificate that you exported from the first Edge Server, clear the Mark certificate as exportable check box, and then click Next.
On the Import Certificate Password page, in Password, type the password that you typed when you exported the certificate from the first server, and then click Next.
On the wizard completion page, verify successful completion, and then click Finish.
Repeat this procedure for each Edge Server that you want to use the same certificate.
To assign the certificate to the internal interface of the Edge Servers
On each Edge Server, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run.
On the Welcome page of the Communications Certificate Wizard, click Next.
On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.
On the Available Certificates page, select the certificate that you requested for the internal interface of this Edge Server, and then click Next.
On the Available Certificate Assignments page, select the Edge Server private interface check box (that is, the server interface on which you want to install the certificate), and then click Next.
On the Configure the Certificate Settings of Your Server page, review your settings, and then click Next to assign the certificates.
On the wizard completion page, click Finish.
Repeat this procedure for each Edge Server to which you assigned this certificate.
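Once the certificate is assigned, the properties that matter for MTLS on the internal interface are the ones the subject-name step and the assignment step above set up: the name internal servers use must appear in the subject or subject alternate name, the private key must be present, the chain must build to a CA in Trusted Root Certification Authorities, and the certificate must be within its validity period. As an added example (not part of the original topic), this Windows PowerShell script checks all of those on an Edge Server. It assumes Windows PowerShell is installed, that $InternalFqdn is a placeholder you replace with the FQDN your internal servers use to reach this Edge Server, that the "DNS Name=" rendering of the SAN extension is the en-US one, and that Server Authentication is the enhanced key usage the Certificate Requirements topic calls for; run it from an elevated prompt so the private key container can be inspected.

```powershell
# Added example; not part of the original topic. Assumes Windows PowerShell on the
# Edge Server and that $InternalFqdn is the name internal servers use to reach this
# Edge Server's internal interface (placeholder value; replace with your own).
$InternalFqdn = "edge01.corp.contoso.com"

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $san) { return @() }
    # Format() output is locale dependent; "DNS Name=" is the en-US rendering (assumption).
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Get-InternalEdgeCertificate {
    # Newest certificate in LocalMachine\My whose subject CN or SAN carries the FQDN.
    param([string]$Fqdn)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    try {
        $store.Certificates | Where-Object {
            $_.GetNameInfo("SimpleName", $false) -eq $Fqdn -or ((Get-SanDnsNames $_) -contains $Fqdn)
        } | Sort-Object NotAfter -Descending | Select-Object -First 1
    } finally { $store.Close() }
}

function Test-InternalEdgeCertificate {
    param([string]$Fqdn)
    $cert = Get-InternalEdgeCertificate $Fqdn
    if (-not $cert) { Write-Host "FAIL  no certificate for $Fqdn in LocalMachine\My"; return $false }
    $ok  = $true
    $cn  = $cert.GetNameInfo("SimpleName", $false)
    $san = @(Get-SanDnsNames $cert)
    Write-Host ("Subject CN : {0}" -f $cn)
    Write-Host ("SAN DNS    : {0}" -f ($san -join ", "))
    if ($san.Count -gt 0 -and $san -notcontains $cn) { Write-Host "WARN  CN is not also listed in the SAN" }

    # Private key: must be present; report whether it was imported as exportable
    # (cleared on the other Edge Servers in the .pfx import procedure).
    if (-not $cert.HasPrivateKey) { Write-Host "FAIL  no private key"; $ok = $false }
    else {
        try { Write-Host ("Private key: present, exportable={0}" -f $cert.PrivateKey.CspKeyContainerInfo.Exportable) }
        catch { Write-Host "WARN  private key present but container not readable (run elevated?)" }
    }

    # Chain must build to a CA in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"   # assumption: CRL may be unreachable from the perimeter; verify revocation separately
    if (-not $chain.Build($cert)) {
        $chain.ChainStatus | ForEach-Object { Write-Host ("FAIL  chain: {0}" -f $_.StatusInformation.Trim()) }
        $ok = $false
    } else {
        $path = $chain.ChainElements | ForEach-Object { $_.Certificate.GetNameInfo("SimpleName", $false) }
        Write-Host ("Chain      : {0}" -f ($path -join " -> "))
    }

    # Validity window and Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { Write-Host "FAIL  certificate not currently valid"; $ok = $false }
    elseif ($cert.NotAfter -lt $now.AddDays(30)) { Write-Host ("WARN  expires {0}" -f $cert.NotAfter) }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })) {
        Write-Host "FAIL  Server Authentication EKU missing"; $ok = $false
    }
    return $ok
}

if (Test-InternalEdgeCertificate $InternalFqdn) { Write-Host "PASS" } else { exit 1 }
```

Run it on the first Edge Server and on each server that imported the .pfx; the exportable flag should read True only where you left the Mark certificate as exportable check box selected. If the name check fails on a load-balanced site, compare the reported CN and SAN entries with the virtual IP address FQDN described in the subject-name step, since that is the name internal servers present when they connect.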