There are several nice blogs out there on renewing certificates and even replacing certificates. In my most recent case, I had to replace certificates using another method because the issuing CA was being retired and a new issuing CA was being deployed. Renewal wasn’t an option.
In my case, the new CA is locked down pretty tight with ACLs on the templates, and I am not able to easily request a new certificate.
Use the CA Web Site
What I ended up doing to get the certificates was to use the IIS site, https://NewCaName.CompanyName.com/certsrv.
Click on the Request a certificatelink.
On the next screen, you have a couple of options.
Normally, I would then use the Submit a certificate by using a base-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. This method is used to submit the CSR that you previously generated. Well, I had issues making this work and the resulting certificate providing the private key when I would then import it back into OCS, so I went the other route. I still have no idea why it wouldn’t provide me the private key.
In this case, I used the Create and submit a request to this CA.
You may get a pop-up that is titled Web Access Confirmation and has the content This Web site is attempting to perform a digital certificate operation on your behalf: https://NewCaName.CompanyName.com/certsrv/certrqma.asp. Just click Yesif you get this message.
Select the Certificate Template. I used Web Server SSL 2 (Server and Client EKU) for my template. You don’t need this particular template, but I use it all the time because it works for pretty much any need. For the Name field, I use the actual SN for the certificate, and I also use the SN for the Friendly Name field. The key is the Attributes field which we use to add the SAN entries. The entry is all on one line and you just copy your information into the Attributes field.
Make sure the SAN line above is all on one line. I put in a line break for visibility. You should get something that looks like the image to the left, except with your information in it. You do not need the other fields.
This method is a little different than your typical method of generating a CSR and then submitting the CSR to get your certificate. Everything is done pretty much at once and you end up with a certificate that you can export and then import to your OCS servers.
When you install the certificate, it will install it on the computer where you ran the Web browser to connect to the CA. You will need to export the certificate. Make sure you select the Yes, export the private key radio button, and I recommend you also enable the Include all certificates in the certification path if possible option. to export the certificate to a pfx file. This pfx file can be imported on your OCS front end servers. You can use the same process for your other certificates for your Edge servers as well as other roles.
Applying the Cert
On the Front-End servers, open the Office Communications Server 2007 R2 console and expand the Forest, the Enterprise pools, the pool, and then select the Front-End server. Off to the far right, you should see a link for the Certificates wizard. You need to run the Office Communications Server 2007 R2 console on each server and select the server you are on at the time in order to access the Certificateswizard.
Of course, you can also use the Certificates MMC to import the certificate instead of using the wizard. Once you have imported the certificate and verified the chain, you are ready to assign the certificate.
Once the certificate is imported, you can then use the Certificates wizard and select the Assign an existing certificateoption.
I strongly suggest restarting the server, but the restart of the services is usually sufficient.
Don’t Forget the Web Services!
I forget the Web Services every now and then, and most of the Web sites that talk about renewing or replacing the certificates on an OCS server tend to forget this step, too. If you forget this step, you can expect to have issues with your Address Book service as well as some other odd issues.
Once you have updated the certificate, make sure you restart the Default Web Site in the IIS Manager.