Digital Certificate Configuration
Speech Server can apply Mutual Transport Layer Security (TLS) to communications between Speech Server and SIP peers, such as VoIP gateways. Mutual TLS requires a certificate at each end of the connection so that both ends can authenticate each other, a process known as mutual server authentication. If authentication fails, no communication link is established between the Mutual TLS enabled SIP peer and Speech Server.
Using the Speech Server Administrator console, you can make Speech Server aware that Mutual TLS is enabled on a particular SIP peer. When enabled, a certificate is required to allow appropriate authentication between Speech Server and the SIP peer.
For Mutual TLS communications, you must acquire a digital certificate from an appropriate Certificate Authority. Next, for each computer running Speech Server, use the Speech Server Administrator console to select the certificate to be used on that computer (under Speech Server properties). Then, use the Speech Server Administrator console to add a global SIP peer or go to the SIP peer's Properties dialog box to enable Mutual TLS.
You can obtain a digital certificate through third parties, such as VeriSign, or through the use of the Windows Certificate Authority (CA).
Certificate Services offers two types of CAs: enterprise CAs and stand-alone CAs, which carry different features. A Microsoft Windows Server 2003 Public Key Infrastructure (PKI) can consist of both types of CAs, which is often recommended for the enterprise environment. A comparison of strengths of the enterprise CA and the stand-alone CA can help you decide what CA type is required for which role.
For a detailed description of the various CAs supported, certificate requirements, and recommendations regarding which type of CA to use, see Microsoft Office Communications Server 2007 Speech Server Help.
Speech Server does not support a Microsoft Windows 2000 enterprise CA. When an enterprise CA is used, Speech Server requires that the Computer template be duplicated and modified. Windows 2000 enterprise CAs do not support modification of the Computer template.
Speech Server supports the following CAs:
• Windows Server 2003 Enterprise CA
• Windows Server 2003 Stand-alone CA
• Windows 2000 Stand-alone CA
• External (public) CAs
Speech Server uses the same run-time certificate management infrastructure as Microsoft Office Communicator Server. For certificate selection, Speech Server provides its own selection user interface through the Speech Server Administrator console.
Although Mutual TLS is enabled per SIP peer, each computer running Speech Server requires its own certificate. Only one certificate is maintained for a given computer running Speech Server, and it is reused for every Mutual TLS interaction.
Certificate selection is configured through the Speech Server Administrator console by navigating to the servers container in one of the deployment groups. Select a server, and then click Display Properties to display the Server Properties dialog box.
The Select Certificate dialog box displays the certificates in the root of the computer certificate store on the target server. In addition, only certificates that meet all of the following criteria are shown:
• The intended purpose (enhanced key usage) must include server authentication.
• The certificate name is the server's fully qualified domain name (FQDN).
• The current date and time fall within the certificate's validity period.
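The following PowerShell script is an added example, not part of the Speech Server documentation, that applies the three selection criteria above to the certificates in the local computer's Personal store (assumed to be the store the console reads) and reports why each certificate would or would not be offered for selection.

```powershell
# Added example: check each certificate in the computer's Personal store against the
# Speech Server selection criteria (server authentication EKU, subject name = FQDN,
# currently within its validity period). Assumes it runs on the Speech Server computer.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication enhanced key usage
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now  = Get-Date

function Test-SpeechServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Criterion 1: the intended purpose must include server authentication.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($ekuExt) {
        $hasServerAuth = ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }) -ne $null
    }

    # Criterion 2: the certificate name must be this server's FQDN.
    $dnsName = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameMatches = ($dnsName -ieq $fqdn)

    # Criterion 3: the certificate must be valid right now.
    $isCurrent = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -ge $now)

    [PSCustomObject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasServerAuth = $hasServerAuth
        NameMatches   = $nameMatches
        IsCurrent     = $isCurrent
        Eligible      = ($hasServerAuth -and $nameMatches -and $isCurrent)
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-SpeechServerCertificate -Cert $_ } |
    Format-Table Thumbprint, Subject, HasServerAuth, NameMatches, IsCurrent, Eligible -AutoSize
```

A certificate that shows Eligible = False in this output is one the Select Certificate dialog box will not list; the three Boolean columns tell you which criterion it fails.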
In the Server Properties dialog box, click Select certificate to open the Certificate Selection dialog box, where you can select a certificate. To display the certificate properties, click View certificate.
The View certificate button is enabled if Use Mutual TLS is selected and a certificate is specified. When clicked, the Properties dialog box of the selected certificate opens.