LCS 2003 Certificates

 
* For those looking for LCS 2005 data, information will be documented and does vary slightly due to the use of a pools (collection of Home Servers), which will require the use of SUBJECT_ALT_NAME

One of the main calls received for Live Communications Server is around the topic of Certificates. It is recommended that customers deploy LCS and Windows Messenger 5 (WM5) using TLS, which is certificate based.
What we will discuss here is the part that, if you get it right, makes the client connections fall into place: Server to Server communications, which require a Mutual TLS (MTLS) connection. Mutual TLS is used because either server can be the "client" or the "server" depending on which one establishes/calls/initiates the connection to the other. This requires a certificate with both Client Authentication and Server Authentication.

The challenge for customers is how to get the actual certificate they need. You can use a 3rd party like Verisign or you can use the Windows Certificate Authority. If you have to ask for the certificate, you need:
1) An X.509 v3 certificate
2) An Enhanced Key Usage field containing both Client Authentication and Server Authentication
3) The FQDN for which this server will respond (this may not always be the actual FQDN, so read further)

We will be focusing on the Windows Certificate Authority configuration, and I want to point out those things that can surprise you if you don't read up on them first, like myself :)

I am NOT endorsing one CA type over another. Two references you can consider: the MSPRESS book for Windows 2003 PKI and Certificate Security http://www.microsoft.com/MSPress/books/6745.asp and, from MSDN, http://www.microsoft.com/technet/security/guidance/build_ent_root_ca.mspx

There are two main types of Certificate Authorities - Standalone and Enterprise Root CA (not going to talk about subordinate CAs). Let me suggest running adminpak.msi to install the admin tools and then running pkmgmt.msc for the Public Key Management MMC.

The Standalone CA does not use templates the way the Enterprise Root CA does. There is flexibility in the Standalone CA in that I can request a certificate type of "Other", which lets me type the OID values for the authentication usages I need -
- Use the web enrollment page (http:///certsrv/).
- Request a certificate -> advanced certificate request -> Create and submit a request to this CA.
- Fill out the certificate name (this should be the FQDN of the LCS server). For certificate type, select “Other …” from the dropdown menu, and input “1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2” in the “OID” textbox (note that there’s a comma between the two OIDs and NO space(s); the first is Server Authentication, the second Client Authentication). Check the “Store certificate in the local computer certificate store” checkbox. Leave everything else as is. Click “Submit”.
- You’ll see a page telling you the certificate request ID number and that it’s now pending the admin’s approval.
- Go back to the certificate server and open the Certification Authority MMC. Right-click “Pending Requests” and you’ll see the certificate request from the client. Right-click it (based on request ID) and choose “All Tasks -> Issue”.
- Go back to the client machine, open the web enrollment page as in step 2) above, click “View the status of a pending certificate request”, click the certificate and install it.
- On the web enrollment page on the client machine, download the Root CA certificate and install it on the client machine. Note that by default it’ll be installed in the current user store. To get it installed in the Local Machine store, when downloading the CA certificate choose “Save” instead of “Open” and specify a file name for it. Then open the Certificates MMC for Local Computer, go to the Trusted Root Certification Authorities store, and import the root CA certificate from the file.

For the Enterprise Root CA, open PKMGMT.MSC and in the Templates location highlight the Computer certificate template, right-click and choose Duplicate.
HUGE NOTE: This will not work on Windows 2000 Advanced Server or Windows 2003 Standard Edition. You will need Windows 2003 Enterprise or Datacenter, as they support V2 templates. For Windows 2000 AS and 2003 Standard customers, your choices include using the Domain Controller certificate (it has both Client and Server Authentication), an upgrade to 2003 Enterprise, or a 3rd party certificate (Verisign, Thawte, other).
Any template name will work; some suggestions would be MTLS, LCS, or Client Server Auth.
Additional items to select -
- Request Handling tab: check "Allow private key to be exported".
- Subject Name tab: select "Supply in the request".
When requesting a certificate from this template you should be prompted to download it after completing the request. If not, you will need to look into the enrollment privileges on the template.

The last piece of help I would offer: customers occasionally report that when selecting the certificate in the LCS UI for the MTLS definition they receive an error, implying the wrong certificate was selected or the certificate is missing key details, or the certificate isn't shown at all. So far, when an error is received it details the exact problem, which can be resolved by going through the process of requesting a new certificate with the missing detail. For a certificate that does not show up, it most likely was not imported into the correct location. Above it is stated to select the option "Store certificate in the local computer certificate store". Also, if it failed the first time, save the certificate to a file the second time so you can open the Certificates MMC for Local Computer, select Personal -> Certificates, and import it by browsing to the saved file.
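As an added example (not from the original post), here is the same request made with certreq.exe instead of the web enrollment page, followed by a check that what landed in the Local Computer Personal store actually has both EKUs, the right name and a private key, which are the details the LCS UI complains about. The FQDN and file paths are placeholders; certreq.exe and a reachable CA are assumed.

```powershell
# Constructed placeholder: the name this LCS server answers on.
$Fqdn = 'lcs01.example.test'

# certreq.exe INF equivalent of the web page's "Other" type with OIDs
# 1.3.6.1.5.5.7.3.1 (Server Authentication) and 1.3.6.1.5.5.7.3.2 (Client Authentication).
# MachineKeySet = TRUE is the "Store certificate in the local computer certificate store" box.
$inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
"@
Set-Content -Path "$env:TEMP\mtls.inf" -Value $inf
certreq.exe -new "$env:TEMP\mtls.inf" "$env:TEMP\mtls.req"
# Submit mtls.req to the CA (certreq -submit), issue it there, then certreq -accept the .cer.

# Verify the installed certificate has what MTLS needs; returns the cert or nothing.
function Test-MtlsCertificate {
    param([string]$Fqdn)
    $need = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Subject CN must be the FQDN the server responds on.
        if ($cert.Subject -notmatch "CN=$([regex]::Escape($Fqdn))(,|$)") { continue }
        # 2.5.29.37 is the Enhanced Key Usage extension.
        $eku = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        $missing = $need | Where-Object { $eku -notcontains $_ }
        if ($missing) { Write-Warning "$($cert.Thumbprint): missing EKU $missing"; continue }
        # No private key means it was imported as a bare .cer, not accepted/enrolled here.
        if (-not $cert.HasPrivateKey) { Write-Warning "$($cert.Thumbprint): no private key"; continue }
        return $cert
    }
    Write-Warning "No usable MTLS certificate for $Fqdn in Cert:\LocalMachine\My"
}
Test-MtlsCertificate -Fqdn $Fqdn
```

If the function warns that nothing was found, the certificate is in the current user store rather than Local Computer, which is the "certificate does not show" case described above.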

I hope that this has been helpful. Incorrect, misleading, or incomplete information? Please comment on the post.

Toml LCS Kid