Live Communication Server 2005: Common Certificate Issues
As certificates have become a common part of Live Communication Server 2005 deployments, I have put together a list of common certificate issues one can run into with LCS 2005.
My certificate has expired. How should I replace it?
When the certificate on the LCS 2005 front-end server(s) expires, you will notice that users can no longer log in with TLS. If LCS 2005 Enterprise Edition is deployed, the pool nodes will also be unable to communicate with each other using MTLS, so messages between servers go undelivered. Usually the certificate is replaced before this causes a bad day for administrators; however, I have noticed that the replacement is often not done successfully.
In order to replace the certificate successfully, the new one should be issued to the same FQDN (fully qualified domain name) as the server, or to the pool name in the case of Enterprise Edition. With Enterprise Edition it should also carry a subject alternative name listing both the pool FQDN and the FQDN of the server. The intended purpose (Enhanced Key Usage) of the certificate should include “Server Authentication (1.3.6.1.5.5.7.3.1)”. In addition to “Server Authentication”, I recommend also requesting the intended purpose “Client Authentication (1.3.6.1.5.5.7.3.2)”, as some public IM servers require it. The certificate carrying both “Client Authentication, Server Authentication” purposes needs to be installed on the Access Proxy external interface.
Before installing the certificate, determine whether it has a 2-tier certificate chain (an intermediate CA between the root and the issued certificate); most certificates issued today use 2-tier chains for security reasons. When viewing the certificate, the “Certification Path” tab shows a red X on any tier that cannot be validated. This is a simple check: it reports whether a complete chain to a trusted root can be built from the certificates currently installed. It is best to ensure that every tier of the chain is installed in the appropriate store: the intermediate tier in “Intermediate Certification Authorities” and the root tier in “Trusted Root Certification Authorities”. If copies already exist in those stores, validate their expiry dates and serial numbers against the tiers of the new chain to ensure they match.
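The checks described in the two paragraphs above (names, Enhanced Key Usage, validity period, and chain tiers in the correct stores) can be scripted so they run the same way on every front-end server. The following PowerShell script is an added example and is not part of the original post or of Microsoft's LCS tooling. It assumes the new certificate has been exported to a .cer file, that the administrator supplies the expected server and pool FQDNs (the example paths and host names are placeholders), that the machine uses the standard LocalMachine certificate stores, and that the Windows build is English so the SAN extension formats entries as "DNS Name=".

```powershell
# Added example (not from the original post): verify an LCS 2005 server or pool
# certificate against the requirements listed above and report anything missing.
param(
    [Parameter(Mandatory = $true)][string]$Path,        # placeholder: C:\temp\pool01.cer
    [Parameter(Mandatory = $true)][string]$ServerFqdn,  # placeholder: lcs-fe01.example.com
    [string]$PoolFqdn,                                   # Enterprise Edition only; placeholder: pool01.example.com
    [switch]$RequireClientAuth                           # set for the Access Proxy external certificate
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$problems = New-Object System.Collections.Generic.List[string]

$fullPath = (Resolve-Path $Path).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# 1. Validity period: an expired certificate breaks TLS logon and MTLS between pool nodes.
$now = Get-Date
if ($cert.NotAfter -lt $now)  { $problems.Add("Certificate expired on $($cert.NotAfter)") }
if ($cert.NotBefore -gt $now) { $problems.Add("Certificate not valid until $($cert.NotBefore)") }
elseif ($cert.NotAfter -lt $now.AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter); plan the replacement now." }

# 2. Names: subject CN must be the server FQDN (or the pool FQDN for Enterprise Edition);
#    with a pool, the SAN must list both the pool and the server FQDN.
$expectedCn = if ($PoolFqdn) { $PoolFqdn } else { $ServerFqdn }
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $expectedCn) { $problems.Add("Subject name '$cn' does not match expected '$expectedCn'") }

if ($PoolFqdn) {
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        # Assumption: English Windows renders SAN entries as "DNS Name=host".
        $sanNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    foreach ($name in @($PoolFqdn, $ServerFqdn)) {
        if ($sanNames -notcontains $name) { $problems.Add("Subject Alternative Name is missing '$name'") }
    }
}

# 3. Enhanced Key Usage: Server Authentication is mandatory; Client Authentication is
#    needed on the Access Proxy external interface for some public IM providers.
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @()
if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekus -notcontains $ServerAuthOid) { $problems.Add("EKU lacks Server Authentication ($ServerAuthOid)") }
if ($RequireClientAuth -and $ekus -notcontains $ClientAuthOid) { $problems.Add("EKU lacks Client Authentication ($ClientAuthOid)") }

# 4. Chain: build it from the local stores, the same check the Certification Path tab performs.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    foreach ($s in $chain.ChainStatus) { $problems.Add("Chain: $($s.Status) - $($s.StatusInformation.Trim())") }
}

# 5. Each tier above the leaf must sit in the right LocalMachine store: the root in
#    Trusted Root Certification Authorities (Root), the tiers in between in Intermediate CAs (CA).
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
for ($i = 1; $i -lt $elements.Count; $i++) {
    $tier = $elements[$i]
    $isRoot = ($i -eq $elements.Count - 1) -and ($tier.Subject -eq $tier.Issuer)
    $store = if ($isRoot) { 'Root' } else { 'CA' }
    $installed = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $tier.Thumbprint }
    if (-not $installed) {
        # Same serial number but a different thumbprint means a stale or wrong copy of that tier.
        $bySerial = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.SerialNumber -eq $tier.SerialNumber }
        if ($bySerial) { $problems.Add("$store store holds a different certificate with serial $($tier.SerialNumber) ('$($tier.Subject)')") }
        else           { $problems.Add("'$($tier.Subject)' is not installed in the LocalMachine\$store store") }
    }
    elseif ($installed.NotAfter -lt $now) { $problems.Add("Installed tier '$($tier.Subject)' expired on $($installed.NotAfter)") }
}

if ($problems.Count -eq 0) { Write-Output "OK: '$($cert.Subject)' meets the LCS 2005 certificate requirements." }
else { $problems | ForEach-Object { Write-Output "PROBLEM: $_" }; exit 1 }
```

Run it on each front-end server as an administrator, for example `.\Check-LcsCert.ps1 -Path C:\temp\pool01.cer -ServerFqdn lcs-fe01.example.com -PoolFqdn pool01.example.com` (placeholder names), and with `-RequireClientAuth` for the certificate destined for the Access Proxy external interface. Revocation checking is deliberately turned off so the chain check reflects only what is installed in the local stores; a non-zero exit code makes the script usable from a scheduled task that warns before the validity period runs out.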