After you install or renew the DigiCert public certificate on your OCS 2007 Edge server(s), Public IM Connectivity (PIC) stops working, while Remote Access continues to work correctly.
This issue occurs when the certificate was issued under the following chain, which ends in the 2048-bit Entrust.net root:
Intermediate: DigiCert Global CA (2048), Root: Entrust.net Certificate Authority (2048)
PIC works when DigiCert issues the certificate under this chain instead, which ends in the 1024-bit Entrust.net root:
Intermediate: DigiCert Global CA, Root: Entrust.net Secure Server Certificate Authority
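Before reissuing, it is worth confirming which root the Edge server's public certificate actually chains to on that machine. The PowerShell script below is an added example, not part of the original post and not Microsoft or DigiCert tooling; it builds the chain the way Windows does from the local certificate stores, prints the RSA key size of every element, and flags a leaf or root of 2048 bits, taking the post's "2048-bit" to mean the RSA key size. The export path `C:\Temp\edge-public.cer` and the optional `-Thumbprint` lookup in the LocalMachine\My store are assumptions for illustration; any copy of the Edge public certificate will do.

```powershell
# Added example, not from the original post: show the certificate chain the
# local machine builds for the Edge public certificate and flag 2048-bit keys.
# Assumptions for illustration: the certificate was exported to $CertPath, or
# is identified by its thumbprint in the LocalMachine\My store.
param(
    [string]$CertPath   = 'C:\Temp\edge-public.cer',
    [string]$Thumbprint = ''
)

if ($Thumbprint) {
    # Look the certificate up in the store the Edge server itself reads from.
    $clean = ($Thumbprint -replace '\s', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\My" }
} else {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation checking needs network access and has no bearing on which root the chain ends in.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
# Build against the intermediates and roots installed on this machine, as the Edge would.
$built = $chain.Build($cert)
if (-not $built) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("Chain status: {0} {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
}

$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
$leaf = $elements[0]
$root = $elements[$elements.Count - 1]

"Chain as built on $env:COMPUTERNAME (leaf first):"
foreach ($c in $elements) {
    if     ($c.Thumbprint -eq $leaf.Thumbprint) { $role = 'Leaf' }
    elseif ($c.Thumbprint -eq $root.Thumbprint) { $role = 'Root' }
    else                                        { $role = 'Intermediate' }
    '  {0,-12} {1,4}-bit  {2}' -f $role, $c.PublicKey.Key.KeySize, $c.Subject
}

# The post reports PIC failing when either the Edge certificate itself or the
# root it chains to is 2048-bit, so report that condition explicitly.
$leafBits = $leaf.PublicKey.Key.KeySize
$rootBits = $root.PublicKey.Key.KeySize
if ($leafBits -ge 2048 -or $rootBits -ge 2048) {
    Write-Warning ("Leaf is {0}-bit and root '{1}' is {2}-bit: this is the chain the post reports as breaking PIC. Reissue so the chain ends in the 1024-bit Entrust.net Secure Server root." -f $leafBits, $root.Subject, $rootBits)
} else {
    "Leaf is $leafBits-bit and root is $rootBits-bit: this matches the working chain described above."
}
```

Run it on the Edge server, either as `.\Check-EdgeChain.ps1 -Thumbprint <thumbprint>` against the installed certificate or with `-CertPath` against an exported copy. Because the chain is assembled from the local stores, the result depends on which intermediates and roots are installed on that machine, so run it again after replacing the certificate or changing the installed intermediates to confirm the chain now ends in the 1024-bit root.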
DigiCert is aware of this issue and is collaborating with Microsoft to ensure our mutual OCS customers experience minimal or no impact. DigiCert has already made a change on their end so that newly issued certificates avoid this problem.
If you are encountering this issue, reissue and replace any certificate issued from the "DigiCert Global CA (2048)" intermediate. Because of DigiCert's change, your replacement certificate(s) will chain to the Entrust.net root that works with PIC. For help with any part of this process, engage DigiCert support via web chat, phone, or e-mail at firstname.lastname@example.org.
If PIC is still failing after the replacement certificate has been applied to your Edge server, restart the Edge Front-End services first. Allow me to apologize for this up front; I understand that for some of you this will require an "emergency service restart change request".
If that still does not resolve the PIC issue, engage Microsoft Customer Support Services. Premier customers: leverage your Technical Account Manager to initiate case creation.
Be prepared to supply Edge Server logs and to grant remote access via Microsoft's EasyAssist application; we will do our best to investigate and resolve this in a timely manner.
Kudos to Paul Tiemann @ DigiCert for his tenacity & helpfulness ...
Could this also affect certificates straight from Entrust? We're trying to replace an expiring certificate and any new cert we get from them derives from their 2048-bit root. We see PIC problems when we choose the new cert.
Indeed, and we're trying to work through these issues.
Currently, if the public-facing cert on your Edge is 2048-bit signed, or if it is rooted against a 2048-bit signed CA (non-Intermediate), PIC fails.
I'll post more info as we make progress in this area ...
I believe there are two workarounds. Entrust had me remove the 2048-bit root cert and instead import an additional Entrust intermediate authority. This had the effect of altering the chain so that the new cert rooted back to their 1024-bit root.
Another option would have been to request a cert that expired before Dec 31, 2010. These certs root back to their 1024-bit root. Anything after that will have the 2048-bit root.
I'm sure I mangled something in the translation, but the gist should be correct. We chose the first option and it worked for us.
Ran into the issue with AOL today; MS support says to replace the cert from the 1024-bit chain. I have it installed and am getting ready to change it in OCS.... What is going to happen to OCS when I click Next? You say I may need to restart the Front-End services? What does that affect, just outside-facing IM'ing?
Currently, that's correct, in that our interoperability with AOL via PIC is currently blocked with 2048-bit certificate signing; that is, neither your certificate nor the Root CA can be a 2048-bit signed cert. If you have a case open with us in Support, please contact me offline (via the contact form) with your case number, and I'll validate your issue.