New-CsStaticRoute TLSCertIssuer and TLSCertSerialNumber (Network Steve Forum)

New-CsStaticRoute TLSCertIssuer and TLSCertSerialNumber

I am trying to use a non default certificate with New-CsStaticRoute and Set-CsStaticRoutingConfiguration without luck. It seems to accept anything for TLSCertIssuer and TLSCertSerialNumber for New-CSStaticRoute as long as the format is right but then I get this error when trying to use it

PS C:\Users\wcadmin> Set-CsStaticRoutingConfiguration -Route @{Add=$staticRoute}

Set-CsStaticRoutingConfiguration : Object reference not set to an instance of
an object.
At line:1 char:1
+ Set-CsStaticRoutingConfiguration -Route @{Add=$staticRoute}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-CsStaticRoutingConfigurat
   ion], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.Rtc.Mana
   gement.Internal.SetStaticRoutingConfigurationCmdlet

Is there any way to trace how OCS is doing the lookup or anywhere to see concrete examples (ie with actual certificates and command line instead of placeholders or general text)? I'm not sure what component to check in the logging tool but haven't had any luck.

Thanks

February 15th, 2013 10:41pm

Hi,

Please have a try use the correct certificate Serial Number for TLSCertSerialNumber. You can get the Serial Number of the certificate with the cmdlet: Get-CSCertifica

Free Windows Admin Tool Kit Click here and download it now

February 18th, 2013 9:07am

So, here is the output of get-cscertificate

Issuer           : CN=IntegLyncVoiceCA, DC=IntegLyncVoice, DC=com
NotAfter         : 10/16/2013 11:52:26 AM
NotBefore        : 10/17/2011 11:52:26 AM
SerialNumber     : 11E4B16B000230000004
Subject          : CN=LyncFELyncVoice.IntegLyncVoice.com, OU=Home, O=XXX, L=Los Angeles, S=California, C=US
AlternativeNames : {sip.IntegLyncVoice.com, LyncFELyncVoice.IntegLyncVoice.com,
                    dialin.integlyncvoice.com, meet.integlyncvoice.com}
Thumbprint       : 15C3D72A930049CE421E98234832E8387BFC8C6F
Use              : Default

This is the default certificate so I could use UseDefaultCertificate for this, but suppose it was not the default and I wanted to use it:

What would be the corresponding use of New-CSStaticRoute be? I don't know how to format the options for TLSCertSerialNumber and TLSCertIssuer. My guesses have failed so I'd like a clear example to check against.

The documentation for TLSCertSerialNumber shows a partial example but TLSCertIssuer does not.

Edited by rccdev Monday, February 18, 2013 3:39 PM

February 18th, 2013 3:38pm

So, here is the output of get-cscertificate

This is the default certificate so I could use UseDefaultCertificate for this, but suppose it was not the default and I wanted to use it:

The documentation for TLSCertSerialNumber shows a partial example but TLSCertIssuer does not.

Edited by rccdev Monday, February 18, 2013 3:39 PM

Free Windows Admin Tool Kit Click here and download it now

February 18th, 2013 3:38pm

So, here is the output of get-cscertificate

This is the default certificate so I could use UseDefaultCertificate for this, but suppose it was not the default and I wanted to use it:

The documentation for TLSCertSerialNumber shows a partial example but TLSCertIssuer does not.

Edited by rccdev Monday, February 18, 2013 3:39 PM

February 18th, 2013 3:38pm

So, here is the output of get-cscertificate

This is the default certificate so I could use UseDefaultCertificate for this, but suppose it was not the default and I wanted to use it:

The documentation for TLSCertSerialNumber shows a partial example but TLSCertIssuer does not.

Free Windows Admin Tool Kit Click here and download it now

February 18th, 2013 6:38pm

Hi,

If the certificate isn't the default certificate. You need to install the certificate on the server and find the certificate's SeriaNumber like this:

February 25th, 2013 9:14am

I already know how to find the issuer and serial number as seen in your screenshot.

What would be the corresponding use of New-CSStaticRoute be for your example screenshot?

I don't know how to format the options for TLSCertSerialNumber and TLSCertIssuer.

Set-CsStaticRoutingConfiguration seems to reject all the routes I have been able to create using new-csstaticroute and TLSCertSerialNumber and TLSCertIssuer because it has inadequate error checking.

Free Windows Admin Tool Kit Click here and download it now

February 25th, 2013 5:06pm

I am having the same problem. I think I know what the proper command-line is, but I also see the error, "Object reference not set to an instance of an object."

This is what I've done. (1) I ran request-certificate, which completed successfully, and I can see the new certificate in the certificate MMC management snap-in. (2) The serial number shows up like this

So I convert that serial number to 0x70,0x33,0x86,0x93,0x00,0x05,0x00,0x00,0x02,0x8f for the powershell command-line, following the example from the new-csstaticroute documentation.

(3) I run command which completes successfully (real domain names changed for privacy).

$tlsroute = new-csstaticroute -tlsroute -destination sipserver1.example.com -port 5061 -matchuri example.com -usedefaultcertificate $false -tlscertissuer "CN=Litware Inc. Certificate Authority, DC=litware, DC=com" -tlscertserialnumber 0x70,0x33,0x86,0x93,0x00,0x05,0x00,0x00,0x02,0x8f

(4) Then I run this command which fails.

Set-CsStaticRoutingConfiguration -route @{add=$tlsroute}

Set-CsStaticRoutingConfiguration : Object reference not set to an instance of an object.
At line:1 char:33
+ Set-CsStaticRoutingConfiguration <<<< -route @{add=$tlsroute}
+ CategoryInfo : NotSpecified: (:) [Set-CsStaticRoutingConfiguration], NullReferenceException
+ FullyQualifiedErrorId : System.NullReferenceException,Microsoft.Rtc.Management.Internal.SetStaticRoutingConfigurationCmdlet

----------------------

I've also tried setting the -TlsCertIssuer to just "Litware Inc. Certificate Authority", but that results in the same error. I am unable to find a concrete example of how to use the -TlsCertIssuer and -TlsCertSerialNumber options.

May 15th, 2013 7:46pm

I know this is old but did you get it working. I am trying to get the same thing going here, and I keep getting the error:

I don't see any documentation on using the "IssuedCertId"?

Free Windows Admin Tool Kit Click here and download it now

July 1st, 2013 3:46pm

I'm seeing the same issue. I followed the Example 3 from http://technet.microsoft.com/en-us/library/gg398265.aspx if no luck... Has anyone got this to work without using the DefaultCertificate?

Set-CsStaticRoutingConfiguration : The element 'TLS' in namespace
'urn:schema:Microsoft.Rtc.Management.Settings.SipProxy.2008' has invalid child
element 'IssuedCertId' in namespace
'urn:schema:Microsoft.Rtc.Management.BaseTypes.2008'. List of possible
elements expected: 'UseDefaultCert, IssuedCertId' in namespace
'urn:schema:Microsoft.Rtc.Management.Settings.SipProxy.2008'.
At line:1 char:1
+ Set-CsStaticRoutingConfiguration -Identity Global -Route @{Add=$staticRoute}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (Global:String) [Set-CsStaticRoutin
gConfiguration], XmlSchemaValidationException
+ FullyQualifiedErrorId : InvalidData,Microsoft.Rtc.Management.Internal.Se
tStaticRoutingConfigurationCmdlet

February 26th, 2014 9:08pm

Hi ,

am running into the same issue ...any sol

Free Windows Admin Tool Kit Click here and download it now

July 1st, 2014 12:52pm

The XML element that the command is generating is using a wrong namespace for the node, causing that problem. Huge bug!

You can workaround by overriding the node name back to the correct namespace, with something like this:

$tlsroute.element.firstnode.firstnode.firstnode.name = "{urn:schema:Microsoft.Rtc.Management.Settings.SipProxy.2008}IssuedCertId"

"$tlsroute" is whatever variable name you used to store the generated routed before you try to add it to configuration

Not very fancy but worked for me.

Proposed as answer by Juane2001 9 hours 20 minutes ago

July 8th, 2015 6:08pm

The XML element that the command is generating is using a wrong namespace for the node, causing that problem. Huge bug!

You can workaround by overriding the node name back to the correct namespace, with something like this:

$tlsroute.element.firstnode.firstnode.firstnode.name = "{urn:schema:Microsoft.Rtc.Management.Settings.SipProxy.2008}IssuedCertId"

"$tlsroute" is whatever variable name you used to store the generated routed before you try to add it to configuration

Not very fancy but worked for me.

Proposed as answer by Juane2001 Wednesday, July 08, 2015 10:06 PM

Free Windows Admin Tool Kit Click here and download it now

July 8th, 2015 10:06pm

The XML element that the command is generating is using a wrong namespace for the node, causing that problem. Huge bug!

You can workaround by overriding the node name back to the correct namespace, with something like this:

$tlsroute.element.firstnode.firstnode.firstnode.name = "{urn:schema:Microsoft.Rtc.Management.Settings.SipProxy.2008}IssuedCertId"

"$tlsroute" is whatever variable name you used to store the generated routed before you try to add it to configuration

Not very fancy but worked for me.

Proposed as answer by Juane2001 Wednesday, July 08, 2015 10:06 PM

July 8th, 2015 10:06pm

The XML element that the command is generating is using a wrong namespace for the node, causing that problem. Huge bug!

You can workaround by overriding the node name back to the correct namespace, with something like this:

$tlsroute.element.firstnode.firstnode.firstnode.name = "{urn:schema:Microsoft.Rtc.Management.Settings.SipProxy.2008}IssuedCertId"

"$tlsroute" is whatever variable name you used to store the generated routed before you try to add it to configuration

Not very fancy but worked for me.

Proposed as answer by Juane2001 Wednesday, July 08, 2015 10:06 PM

Free Windows Admin Tool Kit Click here and download it now

July 8th, 2015 10:06pm

This topic is archived. No further replies will be accepted.