Federation and/or PIC may fail against partners using 2048-bit signed Root CAs




You may find that OCS 2007 / OCS 2007 R2's Federation and/or PIC fails against partners who do not support Entrust root certificates signed using a 2048-bit public key.


For example, the "broken" certificate chain may resemble the following:


Edge server's certificate -> Entrust L1B chain -> Entrust 2048 Root





For Federated partners who do not support the 2048-bit Root, you can introduce an additional chain certificate which points back to the Entrust 1024-bit root. The chain of authority would then be as follows:



Edge server's certificate -> Entrust L1B chain -> Entrust 2048 chain -> Entrust 1024 Root



To accomplish this, you will be replacing the Entrust 2048 Root certificate with the attached Entrust 2048 chain certificate.



Here are the steps to follow:


1. Start up your MMC console and add the Certificates snap-in for your server's Computer Account.


2. Under "Trusted Root Certification Authorities/Certificates," remove the Entrust.net Certification Authorities (2048) certificate.


3. Ensure you have the Entrust.net Secure Server Certification Authority certificate under the same Trusted Roots folder.


4. Under "Intermediate Certification Authorities/Certificates," import the attached Entrust.net Certification Authorities (2048) chain certificate as follows:


i. Save the attached "2048-to-1024-Cross-Cert.txt" 2048 chain certificate as a *.crt file.


ii. In MMC, expand the Intermediate Certification Authorities folder.


iii. Right-click on Certificates and select All Tasks -> Import


iv. Follow the resulting Certificate Import Wizard to import the 2048 chain certificate into the Intermediate Certification Authorities store.


5. Check to make sure you have two Entrust Certificates under Intermediate Certification Authorities/Certificates: The Entrust Certification Authority - L1B and the Entrust.net Certificate Authority (2048).





Many thanks to Jimmy Levesque and Mark Giannotti in ECS Technical Support at Entrust Certificate Services for this information!



Update (December 10, 2009):


We have successfully tested & validated that communicating with AOL via PIC (using a certificate rooted against a CA that is signed with 2048 bits) works properly.




Comments (6)

  1. Alexander Donin says:

    "For Federated partners who do not support the 2048-bit Root"

    Could you write requirements to support  2048-bit Root for certificates.

    As I understand, it could be only if OS does not have latest updates or certificates update isdisabled.


    In this case, another solution is import right root cert to trusted root certs or update certificetes.

  2. @Alexander: You’re exactly right; the server simply needs the 2048-bit Root installed.  However, you may find that certain PIC providers (and/or Federated partners) do not have this installed.


    Scott Oseychik

  3. Donovan Charlton says:

    You mentioned PIC providers may not have this installed. Do you know of any examples of this? We are having some issues with AOL connectivity on R2. We have ensured that AOL root certs are up to date and have implemented your suggested change to SSL configuration with no luck.

  4. Curtis says:

    We are having a problem with AOL as well.  Do we need to have the certs installed on the edge?  Do we just use 1 or both of them?  We are  using R2 as well.  MSN and Yahoo are working fine.

  5. Scott Oseychik says:

    It seems a few of our customers are running into issues w/PIC against AOL … while I encourage you all to engage the Unified Communications Support Team via Microsoft Customer Support Services (http://support.microsoft.com), in the meantime, let’s try & identify some common denominators:

    1. Has it ever worked?  If so, when did it stop working?

    2. What version of OCS?

    3. What version of Windows?

    4. Have you installed the AOL Root CAs & modified the cipher suites (if on SRV08) … see my previous blog entries.


    Scott Oseychik

    p.s. Responses will be delayed; at the MGX conference in Atlanta

  6. Robert Sinclair says:

    Would this work for godaddy certs as well?  If so, which certs would I need to download/remove/import?  

Skip to main content