Certificate Management for your ICE Server

(1)

Version 2.23.301 Contact:

(2)

2

The Certificate Management for the ICE Server supports the ability to import certificates into the local machine store, request and retrieve domain certificates from a certification authority, generate self-signed certificates, as well as bind and unbind certificates. The tool displays only the certificates located in the personal directory of the local machine store.

The Certificate Management can be found on the Configuration/General Tab of the ICE Server Configuration Tool.

(4)

4

1.1 Server Certificate Status

When viewing the Certificate Management within the ICE Server Configuration Tool, the certificate status for the ICE server will be display in the top left corner of the tool.

1.2 Bound Certificate Highlighting

All certificates in the personal directory of the local machine store will be displayed in the list. Any certificates that are bound will be highlighted green and the ports which they are bound to will display in the Ports column.

(5)

2 Installing a Certificate

2.1 Import a Certificate

Certificates can be imported into the local machine store. This step assumes that you’ve already

requested and received a certificate from a third party authorized provider or domain certificate (See later sections on how to acquire a certificate)

1. Press the “Import Certificate..." button on the top right of the certificate management dialog. 2. Clicking the button will cause an Open File Dialog to appear. Select a certificate to Import. 3. You will be prompted to enter a password after selecting a certificate to import if it is required. 4. A success message will appear after the certificate has been imported.

(6)

6

2.2 Bind a Certificate

This step assumes that you have your certificate imported on the ICE server already.

1. Highlight a certificate within the certificate list.

2. The “Bind Certificate…” button will become active. Press the button. 3. Confirm that you wish to bind the certificate to the current port.

4. The newly bound certificate will be highlighted green, and the current server port will be added to the list of bound ports for that current certificate.

(7)

2.3 Converting to/from secure protocol after ICE is already installed

Note: This section ONLY applies to previously installed ICE Servers.

If the ICE server was previously install and configured without a certificate, updates will have to be made to the CRM configuration to reflect http/https protocol change once the certificate is installed.

Salesforce: Once the certificate is installed and bound and the ICE service started; 1) Go into the Runtime Administration page, “Salesforce” tab.

2) Go into the “Call Center Profiles”. 3) Download the Call Center(s) again

4) Within Salesforce, remove the old copies of the Call Center(s). 5) Import the updated versions and re-assign the users respectively. MSCRM: Once the certificate is installed and bound and the ICE service started;

1) Within the ICE Configuration Tool, go to the “Integrations” tab and press the "Generate" to get the new solution

2) In Dynamics, go into "Settings", "Solutions" 3) Delete the old ICE solution

4) "Import" the new version

5) Then click "Publish All Customizations"

6) Go into the Runtime Administration page, “MSCRM” tab.

7) If there are any CTI Profiles besides the “Default” in use, download the Configuration file and replace it in Dynamics as per the instructions there.

(8)

8

3 Additional Certificate Management Functionality

3.1 Unbind a Certificate

1. Highlight a certificate within the certificate list.

2. The “Unbind Certificate…” button will become active. Press the button.

3. If the certificate was bound to more than one port, a dialog will appear to select which port you wish to unbind.

(9)

3.2 Request Domain Certificate/

Retrieve Pending Domain Certificate Request

Note: This feature is available to users running Windows Server 2008 and above. For unsupported operating systems the "Request Domain Certificate..." button will not be visible.

Note: The ‘Create Certificate Request” button will be disabled if there are no pingable certification authorities present.

A request for a domain certificate can be submitted to a certification authority through the "Create Certificate Request" button.

From here, you can do three things:

 Create a domain certificate request.

 Retrieve a pending domain certificate request.

 Create a third party certificate request to be saved and submitted to a certificate provider. Once a certificate type is selected the options for the certificate type will appear.

(10)

10

3.2.1 Domain Certificate

To create a Domain Certificate Request:

1. Browse to the domain’s Certification Authority. 2. Enter a Friendly Name

3. Fill in the “Distinguishing Name Properties

a. Enter the Fully qualified domain name of the server “ICE.local.com” b. Enter your organization name for this site for example “test site”

c. Enter your Organization unit for this we server for example “main office” d. Enter your City / location

e. Enter your State/Province

f. Enter your Country code for example CA or US 4. Select the type of certificate request

a. Cryptographic type = RSA b. Bit Length = 2048

5. Press finish to submit the Domain Certificate Request

3.2.2 Pending Certificate

To check on a Pending Domain Certificate Request: 1. Choose the pending request.

2. Click Retrieve. This will return the status of the pending request. If the certificate is ready and can be retrieved, the certificate will be installed to the server.

3.2.3 Third-Party Certificate

To create a Third Party Certificate Request:

3. Browse to a file location and enter a name you’d like to save the request as 4. Fill in the “Distinguishing Name Properties

a. Enter the Fully qualified domain name of the server “ICE.local.com” b. Enter your organization name for this site for example “test site”

c. Enter your Organization unit for this we server for example “main office” d. Enter your City / location

e. Enter your State/Province

f. Enter your Country code for example CA or US 5. Select the type of certificate request

a. Cryptographic type = RSA b. Bit Length = 2048

6. Press finish to save the request file.

(11)

3.3 Complete Certificate Request

Complete a previously created certificate request:

1. Browse to for the file containing the certification authority’s response. 2. Enter a Friendly Name

(12)

12

3.4 Generate Self-Signed Certificate

Note: This feature is available to users running Windows Server 2008 and above. For unsupported

.

For

unsupported operating systems the "Generate Self-Signed Certificate..." button will not be visible. Note: Self-signed certificates can be useful for testing and Q/A environments but should not be used for deployed call center environments.

Generating a self-signed certificate can be done from within the tool. As with a domain certificate the name of the certificate will be the same as the host name of the ICE server. When the button is pressed a self-signed certificate will be created and installed into the machine store. It will also appear in the list of certificates for the user to choose from.

3.5 Additional Features

Right-clicking on the list of certificates will allow the user to refresh the list of certificates to reflect any changes.

Double-clicking on any certificate will bring up a dialog that contains detailed information about the selected certificate.

A status bar on the bottom of the list displays the currently displayed certificate. Clicking on the status bar will cause a drop down menu to appear with the options to toggle showing bound certificates or showing all certificates.

(13)

4 Additional Certificate Information

The following is additional information about certificates that can be done outside of the Configuration Management of ICE Configuration Tool.

4.1 Creating a new Certificate Server for your Domain – Windows

2008 R2

This steps requires you use a standalone box and have experience with windows server install. ● Setup new VM / computer with Windows 2008 R2

● Join the machine to your domain and make sure you have a unique name for the machine for example “CertServer01”

● Open Roles – Start -> Administrator tools -> server manager. Expand roles on the left side menu and then select “add roles link

1. Select next on the first window

2. Select “Active Directory Certificate Services”

3. Select “Certification Authority” and “Certification Authority Web Enrollment” Options 4. Select the “Enterprise” Option as the machine is part of the domain

5. Select “Root CA” as this will be its own sign Certificate server for the local domain 6. Select “Create a New Private Key”

7. Select the type of encryption

a. RSA #Microsoft Software Key Storage Provider b. 4096 Key length

c. SHA256 Hash Algorithm

8. Enter the name of the server – Should inherit the name of the hostname. “CertServer01” 9. Select the age of the Certificate age – Should be double to the length that you think you

will need before replacing your Certificate server. 6 years.

10. Enter the location of where the server will store the databases- Local drive is ok if it’s on Raid system that is backed up

(14)

14

4.2 Verify the install of the Certificate Server on your Domain

● Login to any domain computer other than the certificate server ● Run MMC from the start menu and select the following options

a. Double click on Certificates

b. Select option “Computer Account”

c. Select option “Local computer”

d. Finish

● Expand the menu “Trusted Root Certification Authorities -> Certificates ● Look for your new server name with the list

4.3 References

Refer to the following Video on YouTube for further in depth detail on how the certificates are controlled and signed.

Certificate Services / 2008 R2 - SSL Part 1

http://www.youtube.com/watch?v=8VMaunUqSt0

Certificate Services / 2008 R2 - SSL Part 2

http://www.youtube.com/watch?v=2WT_7jtBZbY William Grismore at ITVideoCoach.com

Certificate Management for your ICE Server