Federation and/or PIC may fail against partners using 2048-bit signed Root CAs

Summary:

You may find that OCS 2007 / OCS 2007 R2 Federation and/or PIC fails against partners who do not support (that is, do not trust) the Entrust root certificate that carries a 2048-bit public key.

For example, the "broken" certificate chain may resemble the following:

Edge server's certificate -> Entrust L1B chain -> Entrust 2048 Root

Workaround:

For federated partners who do not support the 2048-bit root, you can introduce an additional chain (cross) certificate that points back to the Entrust 1024-bit root. The chain of authority would then be as follows:
Edge server's certificate -> Entrust L1B chain -> Entrust 2048 chain -> Entrust 1024 Root

To accomplish this, you will replace the Entrust 2048 Root certificate (in the Trusted Root store) with the attached Entrust 2048 chain certificate (in the Intermediate store), so that validation continues up to the Entrust 1024-bit root.

Here are the steps to follow:

1. Start up your MMC console and add the Certificates snap-in for your server's Computer Account.
2. Under "Trusted Root Certification Authorities/Certificates," remove the Entrust.net Certification Authorities (2048) certificate.
3. Ensure you have the Entrust.net Secure Server Certification Authority certificate under the same Trusted Roots folder.
4. Under "Intermediate Certification Authorities/Certificates," import the attached Entrust.net Certification Authorities (2048) chain certificate as follows:
i. Save the attached "2048-to-1024-Cross-Cert.txt" (the 2048 chain certificate) as a *.crt file.
ii. In MMC, expand the Intermediate Certification Authorities folder.
iii. Right-click on Certificates and select All Tasks -> Import.
iv. Follow the resulting Certificate Import Wizard to import the 2048 chain certificate into the Intermediate Certification Authorities store.
5. Check to make sure you have two Entrust certificates under Intermediate Certification Authorities/Certificates: the Entrust Certification Authority - L1B and the Entrust.net Certification Authority (2048) chain certificate.
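To confirm the result of the steps above on the Edge server itself, the following PowerShell check (an added example, not part of the original post or of OCS) lists the Entrust certificates in the local machine's Trusted Root and Intermediate stores and then asks Windows to build the chain for the Edge certificate, reporting the key size of the root it ends at. $EdgeCertThumbprint is an assumed placeholder for your Edge server certificate's thumbprint.

```powershell
# Added example, not from the original post: after the workaround, confirm that the
# local stores and the chain Windows builds for the Edge certificate match
#   Edge cert -> Entrust L1B -> Entrust 2048 chain (cross-cert) -> Entrust 1024 root
# Assumption: $EdgeCertThumbprint is a placeholder for the Edge server certificate's thumbprint.

param([string]$EdgeCertThumbprint = "<EDGE-CERT-THUMBPRINT>")

function Get-EntrustStoreState {
    # Expected after the workaround: no 2048-bit self-signed Entrust cert under Root,
    # the 1024-bit "Secure Server" root under Root, L1B and the 2048 cross-cert under CA.
    foreach ($store in "Root", "CA") {
        Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like "*Entrust*" } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    KeyBits    = $_.PublicKey.Key.KeySize
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Test-EdgeChain {
    param([string]$Thumbprint)
    $edge = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $edge) { throw "Edge certificate $Thumbprint not found in LocalMachine\My" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is not what this check is about; only the path that gets built.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($edge)
    Write-Host ("Chain built successfully: {0}" -f $built)

    for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
        $c = $chain.ChainElements[$i].Certificate
        Write-Host ("  [{0}] {1}  ({2}-bit key, issued by {3})" -f $i, $c.Subject, $c.PublicKey.Key.KeySize, $c.Issuer)
    }

    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.PublicKey.Key.KeySize -ne 1024) {
        Write-Warning ("Chain ends at a {0}-bit root, not the Entrust 1024-bit root." -f $root.PublicKey.Key.KeySize)
    }
}

Get-EntrustStoreState | Format-Table Store, KeyBits, SelfSigned, Subject -AutoSize
Test-EdgeChain -Thumbprint $EdgeCertThumbprint
```

If the chain still ends at the 2048-bit root, check whether the Entrust.net (2048) root certificate is still present (or has reappeared) under Trusted Root Certification Authorities, since Windows prefers a trusted root over a cross-certificate when both are available.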

Credits:

Many thanks to Jimmy Levesque and Mark Giannotti in ECS Technical Support at Entrust Certificate Services for this information!

Update (December 10, 2009):

We have successfully tested and validated that communicating with AOL via PIC (using a certificate rooted at a CA signed with a 2048-bit key) works properly.

Attachment: 2048-to-1024-Cross-Cert.txt