Since working with Office Communications Server 2007 and Exchange 2007, I’ve put in quite a bit of time with the PKI/Certificate infrastructure for active directory domains. Every service requires a certificate now, and you do NOT want to self-sign them.
Purchase public CA signed certificates for public facing services (OWA, OCS Edge, etc) or better yet, get one of the nifty new Communicator Certificates.
But for internal-only services, Windows Server provides Certificate Services.
Here are a list of tips:
- If you install Certificate Services WITHOUT IIS already being installed, your CA won’t be reachable via HTTP. You don’t want this. To fix this, install IIS and then type in "certutil -vroot" at the command prompt – this will quickly recreate the folders needed in IIS.
- PKIVIEW.MSC from the Windows Server Resource Kit is invaluable. Run it and look for errors. If there are any, fix them before moving on.
- If any service complains about your certificates or certificate infrastructure, you must resolve those issues. You can’t work around it! The error messages are cryptic and its sometimes difficult to Google what you need without some serious effort. Have patience and read everything you can.
- It can take between 10 minutes and 4 hrs for certificates to published throughout AD.
- The OCS Certificate Manager on our OCS Edge server appears to only rescan its certificate store once between 2am-3am each day. I have not figured out how to force the update. You might need to wait for this to happen before repairs to your PKI infrastructure are noticed.
