On a recent project I have discovered that certificate requests for OCS have many of the same headaches that LCS had. I wanted to point out two specific things worth noting.
First, Client Web Access with a SAN certificate (if you go that route) requires that the certificate's primary (subject) name be the INTERNAL name of the server. For example, if your server is internally called owa.internal.com and the external address is represented by im.mycompany.com, you put both names on the SAN certificate, but you use im.mycompany.com as the SAN name.
If you do not (in other words, if you use the external name as the primary address and the internal name as the SAN), the wizard for installing the certificate used by OCS will not accept the certificate you import and will issue an error complaining that "the certificate does not have the FQDN of the server".
The reason for this is how TLS in OCS works when it establishes a session with other servers in the OCS chain. TLS uses the primary FQDN of the server (which in this case was the internal namespace of the server, cwa.internal.com). When I tried the SAN cert with the external name, im.mycompany.com, as the primary name, it would fail.
After speaking with Microsoft, this behavior was explained to me exactly as I have stated it.
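The rule the post describes (subject CN must be the server's own FQDN, every other name goes into the SAN) can be checked before you ever run the OCS certificate wizard. The following is an added example written for this page, not code from the original post or from Microsoft; it models a certificate by its subject string and DNS SAN list (as you would read them off the certificate with certutil or the MMC), applies the post's rule, and emits an OpenSSL request config in the working layout. The sample certificates and the organisation name in them are constructed; the hostnames are the post's own examples.

```python
"""Check a certificate's name layout against the OCS/CWA rule described above.

Assumptions (not from the original post): a certificate is represented by its
subject DN string plus its list of DNS subjectAltName entries, and the wizard's
check is modelled as "subject CN must equal the server's own FQDN".
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    subject: str                                   # e.g. "CN=cwa.internal.com, O=Example"
    san_dns: list = field(default_factory=list)    # DNS entries from subjectAltName


def subject_cn(subject_dn: str) -> str:
    """Pull the CN value out of a comma-separated subject string (key is case-insensitive)."""
    for part in subject_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""


def wizard_accepts(cert: CertNames, server_fqdn: str) -> bool:
    """Model of the OCS wizard check: the subject CN must be the server's own
    (internal) FQDN, because server-to-server TLS matches on that name.
    A SAN entry alone does not satisfy it."""
    return subject_cn(cert.subject).lower() == server_fqdn.lower()


def covers_name(cert: CertNames, hostname: str) -> bool:
    """Would a client connecting to `hostname` find that name on the certificate?
    Exact, case-insensitive match against the CN or any DNS SAN entry."""
    wanted = hostname.lower()
    names = [subject_cn(cert.subject)] + list(cert.san_dns)
    return any(n.lower() == wanted for n in names)


def check(cert: CertNames, server_fqdn: str, external_names: list) -> list:
    """Return a list of problems; an empty list means the layout is correct."""
    problems = []
    if not wizard_accepts(cert, server_fqdn):
        problems.append(
            f"the certificate does not have the FQDN of the server "
            f"({server_fqdn}) as its subject CN")
    for name in external_names:
        if not covers_name(cert, name):
            problems.append(f"external name {name} is missing from the SAN")
    return problems


def plan_san_cert(server_fqdn: str, external_names: list) -> tuple:
    """The layout the post says works: CN = internal FQDN, SAN = internal FQDN
    plus every external name (duplicates of the CN removed)."""
    san = [server_fqdn] + [n for n in external_names
                           if n.lower() != server_fqdn.lower()]
    return server_fqdn, san


def openssl_req_config(cn: str, san_dns: list) -> str:
    """Build an `openssl req -config` file for a CSR with the given CN and SAN.
    Section names are the standard req/v3_req layout; `prompt = no` makes the
    DN come from the [dn] section rather than interactive prompts."""
    alt = ",".join(f"DNS:{n}" for n in san_dns)
    return (
        "[req]\n"
        "distinguished_name = dn\n"
        "req_extensions = v3_req\n"
        "prompt = no\n\n"
        "[dn]\n"
        f"CN = {cn}\n\n"
        "[v3_req]\n"
        f"subjectAltName = {alt}\n"
    )


# Constructed sample certificates using the post's example names.
GOOD = CertNames("CN=cwa.internal.com, O=Example",
                 ["cwa.internal.com", "im.mycompany.com"])
BAD = CertNames("CN=im.mycompany.com, O=Example",
                ["im.mycompany.com", "cwa.internal.com"])

if __name__ == "__main__":
    for label, cert in (("good layout", GOOD), ("bad layout", BAD)):
        print(label, "->", check(cert, "cwa.internal.com", ["im.mycompany.com"]) or "ok")
    cn, san = plan_san_cert("cwa.internal.com", ["im.mycompany.com"])
    print(openssl_req_config(cn, san))
```

Note that the BAD certificate carries the internal name too, just in the SAN rather than the CN; `covers_name` confirms a client would still match it, which is exactly why the wizard's stricter CN check is the one to satisfy first.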