Question : Certificate Configuration

We are in the beginning stages of installing OCS 2007 and CWA.

Certificates seem to be making us go nuts for some reason.

Our setup is as follows:

- AD Name - Domain.local
- We have two internal DNS zones Domain.local (of course) and Domain.com
- We will eventually add CWA for external use and we have an external DNS zone Domain.com (internal and external are not replicated, as external resolves external IPs)
- All servers joined to Domain.local
- OCS url will be ocs.domain.com
- CWA url will be cwa.domain.com
- We do not have an internal CA and use GoDaddy for our certs.

How do we create Certs for both OCS and CWA?
Can we temporarily create self-signed certs for testing?  I have been trying but seem to get nowhere.
Where do the certs need to be assigned?

I have read where you need to import the same cert from OCS to CWA.

MS documentation is fairly vague.

Thank you for your time and hope to get this explained in a non-microsoft doc manner.

Answer : Certificate Configuration

As you most likely will not be assigning SIP addresses with the domain.local namespace you'll only need to support the domain.com SIP namespace.  And since there is no mention of an Edge server I'll assume you are planning an internal-only deployment with CWA published to the Internet to allow for browser-based client access for external users.  Thus, here is a general overview of the minimum number of components you would require:

1. A single SSL SAN certificate for the Standard Edition server with the Common Name set to the server's FQDN (e.g. ocsserver1.domain.local) and a single SAN entry of 'sip.domain.com'.

2. A single SSL SAN certificate for the Communicator Web Access (CWA) server. See this thread for more details on using a single certificate for both MTLS and IIS usage on the CWA server:
http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=75

Self-signed certificates cannot be used for OCS and will not work.
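
A check of the certificate names described in the answer, as an added example that is not part of the original answer: it lists the certificates in the local machine store and reports any that lack the expected Common Name or SAN entry, are self-issued, are outside their validity period, or have no private key. The function name `Test-OcsCertificate` is hypothetical, the names are the answer's illustrative values, and the SAN text match assumes the English-language Windows rendering of the extension.

```powershell
# Added example. Names are the answer's illustrative values; replace with your own.
$expectedCN   = 'ocsserver1.domain.local'   # Common Name: the server's FQDN
$requiredSans = @('sip.domain.com')         # SAN entry the answer calls for

function Test-OcsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$CommonName,
        [string[]]$RequiredSans
    )
    $problems = @()

    # Common Name taken from the certificate subject
    $cn = $Cert.GetNameInfo('SimpleName', $false)
    if ($cn -ne $CommonName) { $problems += "CN is '$cn', expected '$CommonName'" }

    # subjectAltName extension (OID 2.5.29.17), rendered as text by Windows.
    # Assumption: English rendering, e.g. "DNS Name=sip.domain.com, DNS Name=..."
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    foreach ($name in $RequiredSans) {
        $pattern = 'DNS Name=' + [regex]::Escape($name) + '(,|$)'
        if ($sanText -notmatch $pattern) { $problems += "SAN entry '$name' missing" }
    }

    # A self-issued certificate has identical subject and issuer
    if ($Cert.Subject -eq $Cert.Issuer) { $problems += 'self-signed (subject equals issuer)' }

    # Validity window and private key presence
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'outside validity period' }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in store' }

    return $problems
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $problems = @(Test-OcsCertificate -Cert $_ -CommonName $expectedCN -RequiredSans $requiredSans)
    $result   = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'OK' }
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        Result     = $result
    }
} | Format-List Subject, Thumbprint, Result
```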