I can’t believe it’s already been three years since I installed our first Lync 2010 edge server, but the certificate expires in the near future, so the time has passed quickly.
The documentation for requesting, generating and assigning the certificate was flaky, so I had to dig deep to recall how to install a certificate in Lync, especially on the Lync edge server. If you also have trouble remembering the steps, or have never done it before, this blog post is for you.
Lync 2013 certificates can be configured from the Lync Server Management Shell (Request-CsCertificate, Import-CsCertificate and Set-CsCertificate) or with the Certificate Wizard in the Lync Deployment Wizard. I used the Certificate Wizard, since it is the easiest.
This is what the wizard looked like before I had the new certificate.
Expiry was a month in the future, so to be sure that we had a working certificate come June 1st, I started the renewal process.
Note that the friendly name is CPHOCSEDGE001, which is also the external DNS name of the edge server; we kept that name when we upgraded to Lync. We have partners that don’t use open federation. They have our edge server registered on their side under that DNS name, and we didn’t want the hassle of changing DNS names with each of them.
Click the “Request” button to start the Certificate Request wizard.
Since this request is for the external side of the Lync edge server, the certificate must chain to a root that external clients and federated partners already trust. Your Active Directory certification authority can’t issue it unless its root certificate is installed on clients outside your AD, which in practice means using a public CA.
So in the wizard, select “Prepare the request now, but send it later (offline certificate request)”, then choose a file name for the certificate signing request (CSR). The private key is generated on the edge server and stays in its local machine certificate store; only the public key and the requested names leave the server in the CSR. Don’t check “Use alternate certificate template for the selected certification authority” unless your CA requires it.
Give the certificate a friendly name that you will recognise later (it is the name listed in the Certificate Wizard main window). Keep the default 2048-bit key length, and tick “Mark the certificate’s private key as exportable” only if you will need to copy the certificate to another edge server; otherwise leave it unchecked so the key can’t simply be exported from the store later. Then fill in the following steps with your company information.
On the “Subject name / Subject Alternative Names” page, note how many SANs are listed: the price of a UC certificate is based on the number of SANs. Lync 2013 prepopulates the request with the correct Subject Alternative Names (SANs) for your topology, but you may have to add more manually later in the wizard, for example sip.<sipdomain> for every SIP domain your users sign in with, or extra names your DNS configuration requires. A name that is missing here means a failed sign-in or federation later, followed by a new CSR and a new bill.
Finally, after all the wizard steps have been completed, you are left with a CSR file that you need to submit to your CA.
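Before paying a CA for the request, it is worth checking what the wizard actually put in the CSR. The following PowerShell is an added example, not from the original post: it dumps the request with certutil, lists the SANs, checks that the subject CN is one of them, and compares the names with the certificate currently assigned to the external edge. The CSR path is a placeholder; run it in the Lync Server Management Shell on the edge server.

```powershell
# Added example, not from the original post: sanity-check the offline CSR the
# Certificate Wizard wrote before paying a CA for it. The path is a placeholder.
$csrPath = 'C:\certs\edge-external.req'   # the file name you chose in the wizard

# certutil parses PKCS#10 requests: the subject DN, the key length and the
# Subject Alternative Name extension (2.5.29.17) are all in the dump.
$dump = certutil -dump $csrPath
if ($LASTEXITCODE -ne 0) { throw "certutil could not read $csrPath" }

# The subject DN is printed one attribute per line, so pick the CN line.
$cnLine    = ($dump | Select-String -Pattern '^\s*CN=' | Select-Object -First 1).Line.Trim()
$keyLength = ($dump | Select-String -Pattern 'Public Key Length' | Select-Object -First 1).Line.Trim()
$sans      = $dump | Select-String -Pattern 'DNS Name=' |
             ForEach-Object { ($_.Line -split 'DNS Name=')[1].Trim() }

$cnLine
$keyLength
"{0} SAN(s) in the request (the CA prices UC certificates per name):" -f @($sans).Count
$sans | ForEach-Object { "  $_" }

# The subject CN must also appear as a SAN: clients match the host name
# against the SAN list when the extension is present.
$cn = $cnLine -replace '^CN=', ''
if ($sans -notcontains $cn) { Write-Warning "Subject CN '$cn' is not in the SAN list" }

# Compare with the certificate currently assigned to the external edge so no
# name (e.g. sip.<sipdomain> for a second SIP domain) is dropped by accident.
$current = Get-CsCertificate -Type AccessEdgeExternal
$missing = @($current.AlternativeNames) | Where-Object { $_ -and ($sans -notcontains $_) }
if ($missing) {
    Write-Warning "Names on the current certificate but not in the CSR: $($missing -join ', ')"
}
```

If the warning about missing names fires, go back into the Certificate Wizard and add the names before submitting the CSR; a reissue after payment is exactly the expense described further down.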
We use Comodo for the UC certificate, since they were one of the cheapest when we started our Lync deployment, but I have also used GoDaddy and others for certificates, and they all seem fine to me.
Comodo’s interface for managing certificates is the worst of the ones I have used, but even then (if you know what you are doing), it gets the job done. The current certificate was listed in their SSL management page, and I assumed that I could just click “Renew” and paste in the new CSR, pay the bill and be done. Big mistake! It’s not possible to renew UC Certificates from there, as I found out after having shelled out $277 for an incorrect certificate. Fortunately Comodo was quick about refunding the money later, after I had figured out that I needed to buy a UC certificate license from their site.
Anyway, once you have purchased a UC certificate licence (for that you need to know how many SANs the certificate needs; count the subject name as one of the SANs, since clients match against the SAN list when one is present), you paste the CSR into the CA’s web page and wait for the certificate to be issued.
When you have the certificate, you need to import it on the Lync edge server. You might think that you should use the “Process Pending Certificate” button in the Certificate Wizard, but that is for online requests that had to be approved manually on the AD CA. Instead, click “Import Certificate” and browse to the CER or CRT file you got from your CA. Files in those formats contain the public certificate only; the private key is already on the edge server from the request, so leave “Certificate file contains certificate’s private key” unchecked in the import wizard. If your CA issued the certificate through an intermediate CA, also install the intermediate certificate in the local computer’s Intermediate Certification Authorities store, otherwise the edge can’t send a complete chain and external clients may fail to validate it.
After importing the certificate, you must assign it to a server interface. Select “External edge” and click “Assign”.
The Certificate Assignment wizard lists all certificates installed on the computer. If several are installed, identify the new one by its issue date, or better by its thumbprint, which is unambiguous. Select the newly imported certificate and click Next a few times.
Finally, you can see that the newly generated certificate has been assigned to the external edge, and you are good to go.
All the steps above except the actual certificate assignment can be done during business hours. When you assign the new certificate, external clients that are signed in get error messages until they sign in again, so do the assignment out of hours. Afterwards, check from outside your network that the edge actually serves the new certificate with a complete chain; a certificate that is imported but not assigned, or assigned without its intermediate, looks fine in the wizard and fails for your partners.
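The import, assignment and post-change check above, done from the Lync Server Management Shell instead of the wizard, as an added example that is not from the original post. File paths and the edge FQDN are placeholders; the three -Type values are the Lync 2013 names for the roles the wizard groups under “External edge”, so confirm them against the Use column of Get-CsCertificate in your own deployment. Run it as an administrator on the edge server.

```powershell
# Added example, not from the original post: import, assign and verify the new
# external edge certificate from the Lync Server Management Shell. Paths, the
# edge name and the port are placeholders.
$cerPath   = 'C:\certs\CPHOCSEDGE001.cer'     # leaf certificate returned by the CA
$chainPath = 'C:\certs\ca-intermediate.cer'   # the CA's intermediate, if one was supplied
$edgeFqdn  = 'cphocsedge001.example.com'      # assumed public Access Edge FQDN

# 1. Import the issued certificate. A .cer/.crt has no private key; it is paired
#    with the key generated on this server when the CSR was made.
Import-CsCertificate -Path $cerPath

# 2. Put the intermediate in the Intermediate Certification Authorities store so
#    the edge hands external clients a complete chain. certutil is available on
#    every Windows version Lync 2013 supports.
if (Test-Path $chainPath) { certutil -addstore -f CA $chainPath | Out-Null }

# 3. Pick the newest certificate for the edge name that has a private key.
#    Thumbprints are unambiguous where issue dates may not be.
$new = Get-ChildItem Cert:\LocalMachine\My |
       Where-Object { $_.Subject -like "CN=$edgeFqdn*" -and $_.HasPrivateKey } |
       Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $new) { throw "No certificate with a private key for $edgeFqdn in LocalMachine\My" }

# 4. Assign it to the external edge roles (out of hours: signed-in external
#    users see errors until they sign in again). Confirm these Type names
#    against Get-CsCertificate's Use column in your deployment.
Set-CsCertificate -Type AccessEdgeExternal, DataEdgeExternal, AudioVideoAuthentication `
                  -Thumbprint $new.Thumbprint

# 5. Check what is actually served: a TLS handshake on the Access Edge port.
#    Repeat this from a machine outside your network, so chain validation uses
#    the trust store an external client would have rather than the edge's own.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 5061)
    $tcp = New-Object Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake; validity is judged below.
        $accept = [Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

$served  = Get-ServedCertificate -HostName $edgeFqdn
$chain   = New-Object Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($served)

$served | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
if ($served.Thumbprint -ne $new.Thumbprint) {
    Write-Warning "Edge still serves $($served.Thumbprint); expected $($new.Thumbprint)"
}
if (-not $chainOk) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain does not validate: $status"
}
```

A thumbprint mismatch after step 4 usually means the services have not picked up the new certificate yet, and a chain warning from an external machine usually means the intermediate from step 2 is missing; both are the cases that look fine in the wizard and fail for partners.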
Great post. One question, though. What if you have two edge servers? Can you import the same certificate from the CA on both edge servers? Are there any requirements for the file extension of the certificate (.cer, .p7b, .pfx)?
Thank you very much
It’s been a while since I did this, and I don’t work with Skype for Business at the moment. If the two servers share the DNS name, then you should be able to use the same certificate.
The file name that I got from our CA had the .cer extension, although I’m pretty sure that the Windows certificate import wizard also reads the other formats (at least I know it supports .pfx files).