Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2010-03-12 10:13:20.0

TN 8075 - PIC and Federated IM services are failing in Office Communications Server

Problem

PIC (specifically Yahoo) and Federated IM services are failing in Office Communications Server 2007.

Cause

Federated partners may not have updated their servers with the latest Entrust 2048 root certificate. This causes certificate validation problems for OCS.

Solution

You can re-chain your certificate back to the Entrust.net Secure Server Certification Authority, which all of your Federated Partners should have on their servers.

This is often the easiest way to fix the problem as you will not have to get your partners to do any updates on their servers.

To install the 2048 chain certificate

1. Copy the Entrust SSL Certificate to your clipboard. You must include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
2. Paste the certificate into a text editor such as Notepad, and ensure that the entire text is flush left with no leading or trailing white space.
3. Launch the Microsoft Internet Services Manager (select Start > Programs > Administrative Tools > Internet Services Manager).
4. Right-click your Web site from the left preview pane.
5. Select Properties.
6. Select Server Certificate from the Secure Communications menu. The Web Server Certificate Wizard appears.
7. Select Next.
8. Select Process the pending request and install the certificate.
9. Supply the path and file name of the file that contains your Entrust SSL Certificate.
10. Select Next.
11. Review the Certificate Summary.
12. Select Next.
13. Select Finish to complete the certificate installation.

You have just installed your server certificate.

To install the Entrust L1C Chain Certificate in your Web server

1. From your CMS account, click the link which brings you to the certificate pickup page. The server certificate is in the tab named Cross Certificate. Alternatively, you can download the Entrust L1C Chain Certificate from this link:

http://www.entrust.net/developer/index.cfm

2. Copy the L1C Chain Certificate to your clipboard. You must include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
3. Paste the certificate into a text editor such as Notepad, and ensure that the entire text is flush left with no leading or trailing white space.
4. Save the file.
5. Rename the text file. Because you are installing the certificate in a Microsoft Windows-based Web server, the filename should have the extension .crt (for example, entrustL1Cchaincert.crt).
6. Open the file that contains the chain certificate in Windows Explorer. The Certificate dialog box appears.
7. In the General tab, click Install Certificate. The Certificate Manager Import Wizard appears.
8. Select Next.
9. Select Place all certificates into the following store.
10. Select Browse. The Select Certificate Store dialog box appears.
11. Select Show Physical Stores.
12. Expand Intermediate Certification Authorities by clicking the "+" sign beside the item in the dialog box.
13. Select Local Computer and click OK.
14. Select Next.
15. Select Finish. A confirmation dialog appears.
16. Select OK.

To install the Entrust 2048 Chain Certificate in your Web server

1. Download the certificate named Entrust 2048 Chain from the Entrust web site at this link: https://www.entrust.net/downloads/binary/entrust_2048_ssl.cer
2. Copy the 2048 Chain Certificate to your clipboard. You must include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
3. Paste the certificate into a text editor such as Notepad, and ensure that the entire text is flush left with no leading or trailing white space.
4. Save the file.
5. Rename the text file. Because you are installing the certificate in a Microsoft Windows-based Web server, the filename should have the extension .crt (for example, entrust2048chaincert.crt).
6. Open the file that contains the chain certificate in Windows Explorer. The Certificate dialog box appears.
7. In the General tab, click Install Certificate. The Certificate Manager Import Wizard appears.
8. Select Next.
9. Select Place all certificates into the following store.
10. Select Browse. The Select Certificate Store dialog box appears.
11. Select Show Physical Stores.
12. Expand Intermediate Certification Authorities by clicking the "+" sign beside the item in the dialog box.
13. Select Local Computer and click OK.
14. Select Next.
15. Select Finish. A confirmation dialog appears.
16. Select OK.

To verify the Entrust root certificate on the server

The Entrust 2048 Chain certificate is used to ensure the certification path for the server certificate ends with the Entrust root CA named the Entrust.net Secure Server Certification Authority. If the alternate root CA, Entrust Certification Authority (2048), exists in the Trusted CA store on the server, the chain certificate will be ignored. Follow this procedure to remove the Entrust Certification Authority (2048) certificate if it exists.

1. Click Start > Run.
2. Type mmc and click OK.
3. Select File > Add/Remove Snap-in.
4. Click Certificates and select Add.
5. Select Computer Account and click Next.
6. Select Local Computer and click Finish.
7. Click OK to close the window.
8. Expand Certificates (Local Computer).
9. Expand the Trusted Root Certification Authorities folder and click Certificates.
10. If the certificate Entrust.net Certification Authority (2048) with expiration date 12/24/2019 exists, right-click it and select Delete.
11. Expand the Intermediate Certification Authorities folder and click Certificates.

Ensure the L1C and 2048 Chain certificates are in this folder as illustrated below:
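
A scripted, read-only version of the verification procedure above, added here as an example and not part of the original Entrust note. It reports on the stores and the certification path but deletes nothing. The thumbprint is a placeholder you must replace, and matching the intermediate certificates on the string "Entrust" is an assumption about their subject names.

```powershell
# Added example: read-only check of the Local Computer certificate stores.
# Assumption: $Thumbprint is a placeholder for your server certificate's thumbprint.
$Thumbprint   = '<SERVER-CERT-THUMBPRINT>'
$AltRootName  = 'Entrust.net Certification Authority (2048)'               # name from step 10
$WantedRoot   = 'Entrust.net Secure Server Certification Authority'       # root named in this note

# 1. Is the alternate 2048 root in Trusted Root Certification Authorities?
$altRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$AltRootName*" }
if ($altRoot) {
    $altRoot | Format-List Subject, Thumbprint, NotAfter
    Write-Warning 'Alternate 2048 root is trusted; the 2048 chain certificate will be ignored.'
} else {
    Write-Output 'Alternate 2048 root not found in the Trusted Root store.'
}

# 2. Which Entrust certificates are in Intermediate Certification Authorities?
#    (Assumption: both chain certificates carry "Entrust" in their subject.)
Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like '*Entrust*' } |
    Format-List Subject, Issuer, NotAfter

# 3. Build the certification path for the server certificate from the machine stores.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

# Print the path from the server certificate (first) to the root (last).
foreach ($element in $chain.ChainElements) {
    Write-Output ("  " + $element.Certificate.Subject)
}

# Report build problems (for example, a missing intermediate).
if (-not $built) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
}

# 4. Does the path end at the root that federated partners are expected to have?
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -like "*$WantedRoot*") {
    Write-Output "Path ends at: $WantedRoot"
} else {
    Write-Warning "Path ends at a different root: $($root.Subject)"
}
```

Run it from an elevated PowerShell prompt on the OCS server after completing the installation steps.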