How to request a TLS certificate for use with the BlackBerry Collaboration Service and Microsoft Office Communications Server 2007 R2 or Microsoft Lync 2010 and 2013

Article ID: KB24960

Type: Support Content

Last Modified: 08-14-2014

 

Product(s) Affected:

  • Enterprise Instant Messaging for BlackBerry 10
  • BlackBerry Enterprise Server for Microsoft Exchange
  • BlackBerry Enterprise Server for IBM Lotus Domino
Environment
  • BlackBerry Enterprise Server 5.0 SP3 to SP4
  • BlackBerry Enterprise Service 10 version 10.1 to 10.2.1
  • BlackBerry Collaboration Service
  • Microsoft Office Communications Server 2007 R2
  • Microsoft Lync Server 2010 and 2013
  • DT 980113
  • DT 2969542
  • DT 5136516
Overview

As of BlackBerry Enterprise Server 5.0 SP3, the BlackBerry Collaboration Service uses Microsoft Unified Communications Managed API 2.0 to communicate with a Microsoft Office Communications Server. The default communication method on a Microsoft Office Communications Server pool server is Mutual Transport Layer Security (MTLS), and MTLS is the only communication method on a Microsoft Lync 2010 or 2013 pool server. Because MTLS authenticates both ends of the connection, the server hosting the BlackBerry Collaboration Service must have a valid certificate issued by a certification authority that is trusted by both that server and the remote Front End Pool servers.

The instructions in this article outline requesting and installing a certificate from an organization's internal certification authority, using a Microsoft Certificate Authority as a model, that will allow the BlackBerry Collaboration Service to communicate with the Microsoft Office Communications Server using MTLS. It is recognized that there are a multitude of certificate authorities available, both internal and external, but these steps can still be used as a general guide to allow a certificate to be generated.


To request and install a certificate, perform the following steps on the server hosting the BlackBerry Collaboration Service:

  1. Log in to the BlackBerry Collaboration Server as an administrator with permission to Enroll for a Web Server Certificate.
  2. Click Start > Run, and type mmc.exe.
  3. Open the File menu and select Add/Remove snap-in.
  4. In the Add or Remove Snap-ins window, select Certificates, and click Add.
  5. Choose Computer Account, and click Next.
  6. Choose Local Computer, and then Finish.
  7. Click OK on the Add or Remove Snap-ins window.
  8. Expand Certificates.
  9. Expand Trusted Root Certification Authorities and click Certificates. Make sure the root certificate is present for the Enterprise Certificate Authority in the domain.
  10. Right-click Personal and select All Tasks > Request New Certificate.
  11. Click Next.
  12. If prompted to select a Certificate Enrollment Policy, select one under the category of Configured by your administrator. Click Next.
  13. Select Web Server (if Web Server is not listed, see the Additional Information section), and click the link More information is required to enroll for this certificate. Click here to configure settings.
  14. Click the Subject tab.
  15. Ensure there are no spaces in any of the name fields for the local server or pool server names.
  16. Complete the following steps for the applicable environment:

    For Microsoft Office Communications Server 2007 R2:

    1. Under the Subject Name section, change the Type to Common Name.
    2. Set the Value to the Fully Qualified Domain Name of the server hosting the BlackBerry Collaboration Service.
    3. Click Add.

    For Microsoft Lync Server 2010 and 2013:

    1. Under the Subject Name section, change the Type to Common Name, set the Value to the Fully Qualified Domain Name of the Microsoft Lync Front End Pool, and then click Add.
    2. Under the Alternative Name section:
      1. Change the Type to DNS, set the Value to the Fully Qualified Domain Name of the Microsoft Lync Front End Pool, and then click Add.
      2. Leave the Type set to DNS, set the Value to the Fully Qualified Domain Name of the server hosting the BlackBerry Collaboration Service, and then click Add.
      3. If this certificate will represent multiple BlackBerry Collaboration Service servers, repeat the previous step for each additional server's Fully Qualified Domain Name.
  17. Click the General tab.
  18. Type OCSConnector for the Friendly Name. (Note : this field is optional as of the release of BlackBerry Enterprise Server 5.0 SP3 MR5)
  19. If multiple BlackBerry Collaboration Servers were listed in the Subject Alternative Names field (applicable to Lync 2010 or 2013 only), click the Private Key tab, expand Key options, and ensure that the Make private key exportable box is checked. If the box cannot be checked, the Web Server template does not permit key export, and a separate certificate must be requested on each BlackBerry Collaboration Service instance. Note that a shared exportable key is only a convenience: if any one server holding it is compromised, the certificate must be revoked and replaced on all of them, so a certificate per server is the more contained choice where the template allows either.
  20. Click Apply, then OK.
  21. On the Certificate Enrollment window, click Enroll.
  22. Verify that the STATUS is Succeeded, and click Finish.

If the certificate is expected to be used on multiple BlackBerry Collaboration Service servers (applicable to Microsoft Lync 2010 and 2013 environments only):

  1. Ensure that the additional server Fully Qualified Domain Names were added to the Subject Alternative Names field in the certificate enrollment request, as described above.
  2. In the Certificates MMC window, right-click the newly issued certificate in the Personal -> Certificates store and select All Tasks -> Export.
  3. Click Next.
  4. Select Yes, export the private key, and click Next.
  5. The only available format should be Personal Information Exchange - PKCS #12 (.PFX). Check Include all certificates in the certification path if possible and Export all extended properties. Ensure Delete the private key if the export is successful is not checked.
  6. Click Next.
  7. Enter a password to protect the .pfx file, confirm the password, and click Next. The file contains the private key, so use a strong password and delete the file from every location once the import is complete.
  8. Use the Browse button to select an export location and enter a filename.
  9. Click Finish.
  10. Click OK on the Export Wizard success notification.
  11. Copy the .pfx file to the other BlackBerry Collaboration Servers and import the certificate into the same Local Computer -> Personal -> Certificates store in the Certificates MMC window.

For an environment where a Microsoft Standalone Certificate Authority is used, use the following steps.

In order for the Certificate Authority to accept the Subject Alternative Name attribute supplied via web enrollment, run the following on the Certificate Authority server:

  1. To launch Command Prompt, click Start > Run, type cmd and press Enter.
  2. Type certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 and press Enter.
  3. Type net stop certsvc and press Enter.
  4. Type net start certsvc and press Enter.

This flag makes the CA honor any Subject Alternative Name passed as a request attribute, regardless of who submits the request. It is intended for a Standalone CA whose requests are approved manually; do not set it on an Enterprise CA, where it would let any enrollee obtain a certificate for an arbitrary name (another user or host) through a template that otherwise builds the subject from Active Directory.

Information required when requesting a certificate for the Collaboration Service to work with Microsoft Office Communications Server 2007 R2:

  • Name: FQDN of the BES hosting the Collaboration Service
  • Type: Server Authentication Certificate
  • CSP (Provider): Microsoft RSA SChannel Cryptographic Provider
  • ProviderType: c (hexadecimal, i.e. 12 decimal, PROV_RSA_SCHANNEL)
  • Flags: 0
  • Key Usage: Exchange (this refers to KeySpec, set to 1)
  • Key Size: 1024 (Note: this value depends on the Certificate Authority and is not a requirement of the BlackBerry Collaboration Service; see the note below)
  • Automatic key container name
  • Friendly Name: OCSConnector
  • Store certificate in the local computer certificate store

Information required when requesting a certificate for the Collaboration Service to work with Microsoft Lync Server 2010/2013:

  • Name: FQDN of the Lync Front End Pool
  • Type: Server Authentication Certificate
  • CSP (Provider): Microsoft RSA SChannel Cryptographic Provider
  • ProviderType: c (hexadecimal, i.e. 12 decimal, PROV_RSA_SCHANNEL)
  • Flags: 0
  • Key Usage: Exchange (this refers to KeySpec, set to 1)
  • Key Size: 1024 (Note: this value depends on the Certificate Authority and is not a requirement of the BlackBerry Collaboration Service; see the note below)
  • Automatic key container name
  • Attributes: san:dns=FQDN_OF_LYNC_SERVER&dns=FQDN_OF_BES_HOSTING_BCS
  • Friendly Name: OCSConnector
  • Store certificate in the local computer certificate store

For more information, refer to Microsoft Support article 931351.

Please note the following:

  • The Key Size values above are suggestions, not requirements. The Certificate Authority may reject the request if the Key Size does not meet the minimum set by the CA policy. A 1024-bit RSA key is below the 2048-bit minimum that current CA policies and industry guidance require, so request 2048 bits unless the CA cannot issue it.
  • If the request is made from a Windows Server 2008 machine, the Store certificate in the local computer certificate store option will not be available.
  • In that case, once the certificate has been installed, manually move it from the User certificate store to the Computer certificate store.
  • If the request is made from a Windows Server 2008 machine to a Standalone CA installed on Windows Server 2003, the hotfix from Microsoft Support article 922706 must first be installed on the Standalone CA server.

For additional assistance, engage the local Certificate Authority teams for assistance in ensuring a valid certificate request and certificate will be made available to the local server.
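The MMC procedure above and the attribute lists for the two environments describe one certificate request. The following script, an added example that is not part of the BlackBerry article, produces the same request with certreq.exe so that the parameters (Subject, Subject Alternative Names, KeySpec 1, PROV_RSA_SCHANNEL, Server Authentication EKU, Local Computer store) are explicit and repeatable. The pool name lyncpool.example.com and the CA configuration string "ca01.example.com\Example Issuing CA" are assumed placeholders; the local FQDN is read from DNS. Because the SAN is placed in the request's own extension rather than passed as a request attribute, this form does not depend on the EDITF_ATTRIBUTESUBJECTALTNAME2 flag described earlier.

```powershell
# Added example (not from the BlackBerry article): request the OCSConnector
# certificate with certreq.exe instead of the MMC wizard.
# Assumed values: $poolFqdn (Lync Front End Pool) and $caConfig ("CAHost\CAName");
# set $poolFqdn to $null for an Office Communications Server 2007 R2 deployment.
$poolFqdn  = 'lyncpool.example.com'
$caConfig  = 'ca01.example.com\Example Issuing CA'
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.Trim()

# Lync: Subject is the pool, SAN lists the pool and this server.
# OCS 2007 R2: Subject is this server and there is no SAN.
$subjectCn = if ($poolFqdn) { $poolFqdn.Trim() } else { $localFqdn }
$sanLines  = if ($poolFqdn) {
    # Values are trimmed above so that no stray whitespace ends up in the SAN;
    # the service does not detect such whitespace but fails to match the entry.
    @('[Extensions]',
      '2.5.29.17 = "{text}"',
      "_continue_ = `"dns=$($poolFqdn.Trim())&`"",
      "_continue_ = `"dns=$localFqdn`"")
} else { @() }

$inf = @(
    '[NewRequest]',
    "Subject = `"CN=$subjectCn`"",
    'FriendlyName = "OCSConnector"',      # optional as of BES 5.0 SP3 MR5
    'KeyLength = 2048',                   # 1024 is below current CA minimums
    'KeySpec = 1',                        # AT_KEYEXCHANGE, the "Exchange" key usage above
    'KeyUsage = 0xA0',                    # digitalSignature + keyEncipherment
    'Exportable = TRUE',                  # only needed to share one cert between BCS servers
    'MachineKeySet = TRUE',               # Local Computer store, not the user store
    'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
    'ProviderType = 12',                  # PROV_RSA_SCHANNEL (0xc in the list above)
    'RequestType = PKCS10',
    '[EnhancedKeyUsageExtension]',
    'OID = 1.3.6.1.5.5.7.3.1'             # Server Authentication
) + $sanLines + @(
    '[RequestAttributes]',
    'CertificateTemplate = WebServer'     # remove this line for a Standalone CA
)

$work = Join-Path $env:TEMP 'OCSConnector'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$infPath = Join-Path $work 'OCSConnector.inf'
$reqPath = Join-Path $work 'OCSConnector.req'
$cerPath = Join-Path $work 'OCSConnector.cer'
$inf | Set-Content -Path $infPath -Encoding ASCII

# 1. Generate the key pair in the Local Computer store and the PKCS#10 request.
certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 2. Submit to the CA. If the CA holds the request for manager approval, certreq
#    prints a RequestId; fetch the certificate later with:
#    certreq.exe -retrieve <RequestId> $cerPath
certreq.exe -submit -config $caConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }

# 3. Bind the issued certificate to the pending key in Local Computer\Personal.
certreq.exe -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Confirm the certificate landed in the store the service searches, with its key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$subjectCn" } |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
```

Run it in an elevated PowerShell session on the server hosting the BlackBerry Collaboration Service, since the key is created in the machine store. The Enterprise CA path relies on the computer account having Enroll permission on the Web Server template, exactly as the MMC wizard does; against a Standalone CA, drop the CertificateTemplate line and expect the request to wait for approval.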

Additional Information

In Step 13 above, the Web Server certificate template is sometimes not offered. This happens when the Active Directory computer object of the server hosting the BlackBerry Collaboration Service does not have Enroll permission on the Web Server certificate template. For more information about default permissions on certificate templates, refer to http://technet.microsoft.com/en-us/library/cc962096.aspx for 2003 GCs and http://technet.microsoft.com/en-us/library/ee649249%28v=ws.10%29.aspx for 2008 GC environments.

As of BlackBerry Enterprise Server 5.0 SP3 MR5, there is a change in how the BlackBerry Collaboration Service retrieves the local certificate. It is no longer required to set the Friendly Name field to OCSConnector.

If the BlackBerry Collaboration Service has been installed for use with Microsoft Office Communications Server 2007 R2, the certificate check looks like this:

Retrieve all local certificates that have the:

  • Enhanced Key Usage attribute set to Server Authentication
  • Subject Name matches the Fully Qualified Domain Name of the local server

If the BlackBerry Collaboration Service has been installed for use with Microsoft Lync 2010 or 2013, the certificate check looks like this:

Retrieve all local certificates that have the:

  • Enhanced Key Usage attribute set to Server Authentication
  • Subject Name matches the Fully Qualified Domain Name of the Lync Front End Pool (as configured in the BlackBerry Administration Service)
  • Subject Alternative Names include:
    • Fully Qualified Domain Name of the Lync Front End Pool
    • Fully Qualified Domain Name of the local server

If the BlackBerry Collaboration Service fails to locate a valid certificate that meets the above criteria, the following log lines will be displayed:

<ERROR>:<LAYER = BBIM, [OCSC] No certificates were found matching the required criteria>
<INFO >:<LAYER = BBIM, [BBCS] BlackBerry OCSConnector configuration complete with error=4, Error: No certificates were found matching the required criteria>


Note that the certificate lookup compares Subject Alternative Name entries exactly and cannot detect whitespace accidentally added to the front or back of an entry; such an entry simply fails to match. Ensure there are no extra spaces.
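The selection rules above (Server Authentication EKU, Subject Name, Subject Alternative Names, and the whitespace caveat) can be checked before the service is restarted. The following script is an added example, not the BlackBerry Collaboration Service's own code: it applies those rules to every certificate in the Local Computer Personal store, adds the private-key and chain-of-trust checks that MTLS needs, and reports why each certificate would be skipped. The pool name lyncpool.example.com is an assumed placeholder for the value configured in the BlackBerry Administration Service, and case-insensitive name comparison is an assumption about the service's behaviour. It requires PowerShell 3.0 or later.

```powershell
# Added example (not the BlackBerry Collaboration Service's own code): replicate
# the certificate selection described in the article and explain rejections.
# Assumed: $poolFqdn is the pool configured in the BlackBerry Administration
# Service; set it to $null for an Office Communications Server 2007 R2 install.
$poolFqdn      = 'lyncpool.example.com'
$localFqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if (-not $ext) { return @() }
    # Format($true) emits one "DNS Name=<value>" line per entry. The value is kept
    # untrimmed so that whitespace the service cannot detect becomes visible here.
    @($ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^DNS Name=(.*)$') { $Matches[1] }
    })
}

$expectedSubject = if ($poolFqdn) { $poolFqdn } else { $localFqdn }
$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $problems = @()

    # 1. Enhanced Key Usage must include Server Authentication.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $problems += 'EKU lacks Server Authentication'
    }

    # 2. Subject CN: pool FQDN for Lync, local FQDN for OCS 2007 R2.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $expectedSubject) { $problems += "Subject CN '$cn' is not '$expectedSubject'" }

    # 3. Lync only: SAN must list both the pool and this server, with no stray whitespace.
    if ($poolFqdn) {
        $san = Get-SanDnsNames -Cert $cert
        foreach ($required in @($poolFqdn, $localFqdn)) {
            if ($san -notcontains $required) { $problems += "SAN missing $required" }
        }
        foreach ($entry in $san) {
            if ($entry -ne $entry.Trim()) { $problems += "SAN entry '$entry' has leading/trailing whitespace" }
        }
    }

    # 4. Usable for MTLS: private key present, and a chain to a root this machine
    #    trusts (the default chain policy also checks validity period and revocation).
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in this store' }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

$report | Format-Table -AutoSize
if (-not ($report | Where-Object { $_.Usable })) {
    Write-Warning 'No certificate meets the criteria; expect "No certificates were found matching the required criteria" in the BlackBerry Collaboration Service log.'
}
```

A certificate that the script marks Usable but that the service still rejects points at something the script does not model, such as a pool name in the BlackBerry Administration Service that differs from the value in $poolFqdn; a SAN entry flagged for whitespace must be fixed by re-enrolling, since the name is part of the signed certificate.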


Information regarding certificate requirements for Microsoft Lync 2010 and 2013 support:

Documentation for the certificate requirements for Microsoft Lync 2010 is available on Microsoft's MSDN site here: http://msdn.microsoft.com/en-us/library/office/hh347354(v=office.14).aspx in the section labeled Create a Certificate for the Computers in a Trusted Application Pool.

In a Microsoft Lync 2010 or 2013 environment, a Trusted Application Pool is configured via PowerShell or the Topology Builder (see KB28474 for more details). However, Automatic Provisioning of the BlackBerry Collaboration Service as a Trusted Application Server does not create a new Trusted Application Pool, which is what a Microsoft Lync 2010 or 2013 environment would normally expect. Instead, Automatic Provisioning, or Manual Provisioning via the Application Provisioner or BCSProvisioner tools, has the OCSConnector join the existing application pool, which consists of the Microsoft Lync 2010 or 2013 servers. Since the BlackBerry Collaboration Service server is then a member of the existing application pool, the Subject of the certificate must be the existing application pool name, which is the Front End Pool. Because the Subject Alternative Names attribute includes the local BlackBerry Collaboration Server FQDN, the certificate is still able to represent the server itself.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.