Recently, I was working on an OCS certificate issue. In summary, I had requested a single certificate for the OCS Edge server as well as the reverse proxy server (ISA 2006). The certificate holds multiple SANs so that it can be used both on the OCS Edge server, for the Edge and Web Conferencing roles, and on the reverse proxy, to allow downloading meeting content and the address list.
There is a very similar scenario on the Exchange team blog. The missing piece is that I should first import the received certificate on the machine that generated the request, to get the private key pair.
In my case I was requesting the certificate on the Edge server. So, we need to first import the certificate on the Edge server to get the certificate working properly with its private key, and then export it to be installed on the ISA server.
Click the certificate link in the right pane to launch the certificate wizard, then click Next.
Assigning the certificate
Let's access the certificate wizard, but this time we shall choose Assign an existing certificate
On the Available Certificate screen choose the imported certificate and click Next
On the next screen, I shall choose two options
I choose to assign the certificate for both the access edge and web conference, because I had already requested a certificate with multiple SANs that include them.
Then click Next and Finish.
Now, to export the certificate, we should run a new MMC and choose Add/Remove Snap-ins from the File menu.
From the Certificates console, go to the Certificates folder under Personal. You should find the imported certificate there; right-click it and choose Export from All Tasks.
Click Next on the Welcome to the Certificate Export Wizard screen.
Make sure to choose the first option on the next dialog and click Next.
Make sure to select Enable strong protection and click Next.
On the next window, set a password and click Next.
Then specify a name for the file and location.
And finally finish.
Specify the path of the file on the next screen and click Next.
Specify the password for the file and click Next.
Make sure you choose the second option on the Certificate Store screen, and click Next.
And then finish.
Now, back in the ISA console, selecting the imported certificate on the web listener is successful.
You can see that the private key is correctly installed.
Moreover, testing the rule completes successfully.
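The same private-key and SAN check can be scripted. This is an added example, not part of the original post: it assumes PowerShell 2.0 or later is installed on the server, and the three FQDNs are placeholders to replace with the names in your own certificate request. Run it on the Edge server before exporting, or on the ISA server after importing.

```powershell
# Added example. The three FQDNs are placeholders: use the names from your own request.
$requiredNames = @(
    'sip.example.com',       # Access Edge (placeholder)
    'webconf.example.com',   # Web Conferencing Edge (placeholder)
    'ocsrp.example.com'      # reverse proxy external web farm FQDN (placeholder)
)

function Get-SanDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.17 is the OID of the Subject Alternative Name extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }
    # Format($true) gives one entry per line. The "DNS Name=" label is what
    # English-language Windows prints; adjust the pattern on other locales.
    $ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim().ToLower() }
    }
}

# Report every certificate in the computer's Personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert    = $_
    $san     = @(Get-SanDnsName -Certificate $cert)
    # Exact-match comparison; wildcard SAN entries are not expanded here.
    $missing = @($requiredNames | Where-Object { $san -notcontains $_.ToLower() })
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        MissingNames  = $missing -join ', '
        Usable        = $cert.HasPrivateKey -and ($missing.Count -eq 0)
    }
} | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey, MissingNames, Usable |
    Format-List
```

HasPrivateKey only shows that a key is associated with the certificate in that store; it does not show whether the key was marked exportable.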
To verify access through the Reverse Proxy:
Open a Web browser and type the URLs in the Address bar that are used by clients to access the Address Book files, Live Meeting content and Distribution Group expansion, where https://externalWebFarmFQDN is the external FQDN of the reverse proxy server.
• For Address Book Server, type https://externalWebFarmFQDN/abs/ext. The user should receive an HTTP challenge.
• For Web conferencing, type https://externalWebFarmFQDN/conf/ext/Tshoot.html. This URL should display the troubleshooting page for Web conferencing.
• For group expansion, type https://externalWebFarmFQDN/GroupExpansion/ext/service.asmx. The user should receive an HTTP challenge.