Thanks.  Yes I have made sure they are all in there.

The certificate in question reads out something like:

subject name: servername.subdomain.domain.com
SAN#1: servername.subdomain.domain.com
SAN#2: servername.domain.com
SAN#3: servername
SAN#4: sip.domain.com
SAN#5: sip.subdomain.domain.com

Do you need to do anything in particular since it needs to be an MTLS cert vs. an 
SSL or TLS cert?

Thanks (and sorry for the double post, not a good first impression huh?)

Thanks all

Mike

________________________________________
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] On 
Behalf Of Kyle Hamilton [aerow...@gmail.com]
Sent: Friday, January 15, 2010 5:09 PM
To: openssl-users
Subject: Re: Issues generating Certs for Office Communications Server 2007

The only thing special about OCS certificates is that they must
contain all the names -- including all possible fully-qualified domain
names -- that the server can be accessed by in the
subjectAlternativeName extension.  This is the most common reason for
this error (and the 'help text' in the error description in the event
log is *absolutely useless* here).

From http://technet.microsoft.com/en-us/library/cc676984.aspx :

0x80EE0065 - UCC_E_INVALID_CERTIFICATE
Invalid certificate. When using Transport Layer Security (TLS) as the
transport (as opposed to TCP), the OCS server is configured to
authenticate TLS sessions by using a particular certificate that was
issued to that particular server. Check the certificate configuration
of the OCS server. Note the FQDN to which the certificate was issued
(the FQDN of the server or the pool). The server name in the
NotificationAgentSIPServer registry key should match that of the FQDN
to which the certificate was issued.

Resolving configuration issues with Microsoft software is a bit
outside the scope of this mailing list; the only thing that we can do
is point you to the extension that might be causing you trouble.  (If
you don't see the full list of names that your server is known by in
subjectAlternativeName, then the configuration file that the other
group uses for their openssl CA doesn't allow for 'copyextensions =
copy' or 'copyextensions = all'.)

-Kyle H

On Fri, Jan 15, 2010 at 1:49 PM, Rausch, Michael
<michael.rau...@us.lawson.com> wrote:
> I have an Office Communications Server 2007 and an OpenSSL CA (which is
> actually managed by a different group).
>
> Using the OCS Certificate Wizard I have been generating requests, but the
> Certificates I get back, while importing into the server without issue, are
> not trusted by the Communicator clients.  I get the error “There was a
> problem verifying the certificate from the server.  Please contact your
> System Administrator.”
>
> This error also appears in the Application Log:
>
> Event Type:     Error
> Event Source:   Communicator
> Event Category: None
> Event ID:       5
> Date:           1/15/2010
> Time:           3:45:30 PM
> User:           N/A
> Computer:       workstation
>
> Description:
> Communicator could not connect securely to server
> servername.subdomain.domain.com because the certificate presented by the
> server was not trusted due to validation error 0x80ee0065.  The issuing
> certificate authority (CA) for the server's certificate may not be locally
> trusted by the client, the certificate may be revoked, or the certificate
> may have expired.
>
> Resolution:
> A tool like winerror.exe from the Windows Resource Kit or lcserror.exe from
> the Office Communications Server Resource Kit can be used in order to
> interpret the error code listed above.  If you trust the server certificate,
> the issuing certificate authority (CA) certificate can be placed in the
> local trusted root certificate authorities certificate store.  If you have
> logged into the server before without issues the network administrator
> should carefully examine the certificate if no known configuration changes
> have been made.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Now I have verified that this CA’s certificate appears in the Trusted Root
> Certification Authorities of the OCS server (and the workstation).
>
> So I guess my question would be, is anybody else out there using OpenSSL to
> generate certificates for OCS 2007?  Do I need to generate them in a
> different way (other than the OCS Cert Wizard) or do they need to be
> submitted to the OpenSSL CA in a special way?
>
> Just looking for some guidance as this has been a roadblock for a while now.
>
> Thank you very much for your time,
>
> Michael Rausch
>
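The point Kyle makes above (every name the server answers to in subjectAltName, and a CA config that copies the CSR's extensions) can be checked end to end with a throwaway CA before the real one is involved. The script below is an added example, not code from the thread or from the OpenSSL project: it issues a certificate for the SAN list Mike posted twice, once under a CA whose openssl.cnf has copy_extensions = copy and once with copy_extensions = none (the default, which silently drops the request's subjectAltName), then reads each issued certificate back and reports any name that is missing. The directory layout, the demo CA subject and the extendedKeyUsage values (serverAuth plus clientAuth, so the same certificate can be presented on either end of a mutual-TLS connection) are assumptions for this example; the page itself says nothing about an MTLS certificate needing anything beyond the complete name list. Note that the openssl.cnf directive is spelled copy_extensions, with an underscore.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway OpenSSL CA that issues a
# certificate for the SAN list quoted above, once with copy_extensions = copy
# and once with the default (none), then checks which names survived signing.
# Paths, the demo CA subject and the EKU choice are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# The names from the certificate listing in the thread (constructed input).
SAN_LIST='DNS:servername.subdomain.domain.com,DNS:servername.domain.com,DNS:servername,DNS:sip.domain.com,DNS:sip.subdomain.domain.com'

# One openssl.cnf that serves both "openssl req" and "openssl ca".
# $1 = CA directory, $2 = value for copy_extensions (copy or none).
write_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = $1
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
certificate        = \$dir/ca.crt
private_key        = \$dir/ca.key
default_md         = sha256
default_days       = 365
policy             = cn_only
copy_extensions    = $2
x509_extensions    = server_ext
[ cn_only ]
commonName         = supplied
[ server_ext ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature, keyEncipherment
# clientAuth is an assumption: lets the cert act as the client side of MTLS
extendedKeyUsage   = serverAuth, clientAuth
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = ca_ext
req_extensions     = v3_req
[ req_dn ]
CN                 = placeholder
[ ca_ext ]
basicConstraints   = critical, CA:TRUE
keyUsage           = keyCertSign, cRLSign
[ v3_req ]
subjectAltName     = $SAN_LIST
EOF
}

# Build a fresh CA under $WORK/$1 with copy_extensions = $1, issue a server
# certificate from a CSR that requests SAN_LIST, and print the cert's path.
issue_cert() {
  dir="$WORK/$1"
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  write_config "$dir" "$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$dir/openssl.cnf" -subj '/CN=Demo OpenSSL CA' \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$dir/openssl.cnf" -subj '/CN=servername.subdomain.domain.com' \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl ca -config "$dir/openssl.cnf" -batch -notext \
    -in "$dir/server.csr" -out "$dir/server.crt" >/dev/null 2>&1
  echo "$dir/server.crt"
}

# Succeed only if every entry of SAN_LIST appears, exactly, in the issued
# certificate's subjectAltName; name each missing entry on stderr.
cert_has_all_sans() {
  sans=$(openssl x509 -in "$1" -noout -text \
         | awk '/Subject Alternative Name/ { getline; print }' \
         | tr ',' '\n' | tr -d ' ')
  ok=0
  for entry in $(printf '%s' "$SAN_LIST" | tr ',' ' '); do
    if printf '%s\n' "$sans" | grep -qx "$entry"; then :; else
      echo "missing from certificate: $entry" >&2
      ok=1
    fi
  done
  return $ok
}

for mode in copy none; do
  crt=$(issue_cert "$mode")
  if cert_has_all_sans "$crt"; then
    echo "copy_extensions = $mode: all names present ($crt)"
  else
    echo "copy_extensions = $mode: subjectAltName lost at signing ($crt)"
  fi
done
```

Run it with openssl on PATH; it prints one line per mode, and for the "none" run lists each of the five names that never made it into the certificate. The same cert_has_all_sans check, pointed at the certificate the other group hands back, tells you in seconds whether their CA kept the names before you import it into OCS.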
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org