
Requesting certificates for LCS via a Stand Alone CA


Ken

Oct 29, 2004, 6:04:02 AM

We are setting up a Live Communication server environment. In order to allow
communication between LCS servers, TLS is required. This requires certificates
to be installed on each server which have both an EKU of client authentication
and server authentication. I can request a certificate from the standalone CA
which has an EKU of Server authentication only. Is it possible to create a
certificate from a standalone CA which has both server and client
authentication?

Thanks in advance


Ken

S. Pidgorny <MVP>

Oct 29, 2004, 9:22:16 AM

Sure it is possible - the difference between an enterprise CA and a stand-alone
is the way of managing certificates, but you can issue all different kinds
of certificates using each, or a 3rd-party CA (OpenSSL is very popular for
that purpose).

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-


Ken

Oct 30, 2004, 4:19:01 AM

Thanks for the reply. If you could give me some guidelines how to request the
certificate so that it contains both EKUs for server and client
authentication I would be grateful. I create the certificate request via IIS
on the LCS certificate. Then request the certificate via \\Server\certSRV and
cut and paste in the contents of the file. Then issue the certificate via the
stand-alone CA. Doing this process the certificate only ever has an EKU of
server authentication.

Thanks in advance

Ken

S. Pidgorny <MVP>

Oct 30, 2004, 9:54:43 PM

What you need is a standard server certificate, one used for SSL Web sites
etc. In most cases it includes both Client Auth and Server Auth EKU
attributes. Key usage is defined at the key generation stage on the client.
I think you'll get it right if you use Internet Services Manager (IIS
management MMC) to request the certificate - not sure what to do to get the
desired set of EKUs using the Web form - please post back, I'll be able to give
additional info tomorrow.

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-


David Cross [MS]

Oct 31, 2004, 10:34:06 AM

This whitepaper might help:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx


--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com


S. Pidgorny <MVP>

Nov 1, 2004, 3:19:03 AM

Excellent whitepaper!

I have found how to request a certificate with both Client and Server
authentication using a certSrv Web form:

On the request form, under Intended purposes, select Other... and put

1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2

in the OID field.

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
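
For checking the outcome of the request discussed in this thread, here is an added example (not part of the original posts and not Microsoft's code) that decodes an extendedKeyUsage extension value and reports which of the two OIDs from the last post are missing. It assumes the raw extension value (extension OID 2.5.29.37) has already been extracted from the issued certificate; the function names and sample bytes are constructed for illustration.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
REQUIRED = (SERVER_AUTH, CLIENT_AUTH)

def encode_oid(dotted):
    """DER-encode one OBJECT IDENTIFIER (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]                      # last base-128 digit
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))  # continuation bit set
        body += bytes(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

def build_eku(oids):  # EKU extension value: SEQUENCE OF OBJECT IDENTIFIER
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body        # short form: body < 128 bytes

def decode_eku(der):
    """Return the dotted OIDs in an EKU extension value; reject bad DER."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    oids, pos = [], 2
    while pos < len(der):
        if pos + 2 > len(der) or der[pos] != 0x06 or der[pos + 1] >= 0x80:
            raise ValueError("expected a short-form OBJECT IDENTIFIER")
        end = pos + 2 + der[pos + 1]
        body = der[pos + 2:end]
        if end > len(der) or not body or body[-1] & 0x80:
            raise ValueError("truncated OBJECT IDENTIFIER")
        arcs, value = [], 0
        for byte in body:
            value = (value << 7) | (byte & 0x7F)
            if not byte & 0x80:                   # last byte of this arc
                arcs, value = arcs + [value], 0
        first = min(arcs[0] // 40, 2)             # first octet packs two arcs
        oids.append(".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:])))
        pos = end
    return oids

def missing_purposes(der):
    """Required EKU OIDs absent from the extension (empty list means OK)."""
    present = decode_eku(der)
    return [oid for oid in REQUIRED if oid not in present]

# Constructed samples: both purposes, and the server-auth-only case from the thread.
BOTH, SERVER_ONLY = build_eku(REQUIRED), build_eku([SERVER_AUTH])
print("server-only is missing:", missing_purposes(SERVER_ONLY))
```

An empty result from `missing_purposes` means the certificate carries both purposes; the server-only sample reports the client authentication OID as missing.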

