Certificates for Microsoft Lync

Microsoft Lync is a new enterprise communication tool. Securing its configuration requires several official (publicly trusted) certificates, for the web and Lync flows, and internal ones for communication between servers.

Certificate for web flow

You must request this certificate from the Lync Front End server, then copy it to the TMG reverse proxy.

Get this certificate with PowerShell:

  1. Generate a CSR
    Request-CsCertificate -New -Type WebServicesExternal -Country FR -State "Rhone" -City "Lyon" -FriendlyName "Lync WebExternal Cert" -KeySize 2048 -PrivateKeyExportable $True -Organization "My organization" -Output C:\Certificates\WebServicesExternal.csr

  2. Import the certificate and the certification chain
    Import-CsCertificate -Path "c:\Certificates\p7-0123456789-12345.p7b" -PrivateKeyExportable $True

  3. Export the certificate and import it on TMG

Note that you must order a UC (SAN) certificate and provide (see your SIP domain configuration):

  • The FQDN of the web access
  • The FQDN of the phone access
  • The FQDN of the meeting access

Certificate for lync flow

You must request this certificate from the Lync Front End server.

Get this certificate with PowerShell:

  1. Generate a CSR
    Request-CsCertificate -New -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication -Country FR -State "Rhone" -City "Lyon" -FriendlyName "Lync Edge External Single Cert" -KeySize 2048 -PrivateKeyExportable $True -Organization "My organization" -DomainName "sip.myorganization.com" -Output C:\Certificates\WebServicesExternalSingle.csr

  2. Import the certificate and the certification chain
    Import-CsCertificate -Path "c:\Certificates\p7-0123456789-12345.p7b" -PrivateKeyExportable $True

  3. Activate the certificate
    Set-CsCertificate -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication -Thumbprint XXXX

Notes

Note that you must order a UC (SAN) certificate and provide (see your external parameters configuration):

  • The FQDN of the SIP access
  • The FQDN of the Edge Web conference service access
  • The FQDN of the A/V service access

If you really want a wildcard certificate, consult the Microsoft specifications here: http://technet.microsoft.com/en-us/library/hh202161.aspx

To use the same certificate on two platforms (e.g. a Lync 2013 Front End and a Lync 2013 Edge), you must create an exportable private key when generating your CSR. See the Microsoft recommendations here: http://technet.microsoft.com/fr-FR/library/gg398920.aspx . You then install the certificate on one of your platforms and export it (with its private key) to install it on the others.

Frequently encountered problems

"revocation check failed"

This issue is caused by Exchange, which checks the CRL during certificate import. If its tool (which uses WinHTTP) cannot reach the web, the operation fails.

Troubleshooting: see our FAQ about OCSP protocol support.

Lync Server Access Edge service fails to start with "... service-specific error code -2146762487"

If you see the following message: "Windows could not start the Lync Server Access Edge on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to the service-specific error code -2146762487.", the certification chain is probably at fault. You can confirm the cause if the following error appears in the event logs:

The Lync Server Access Edge service terminated with the following service-specific error:
A Certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

You then need to check that the root and intermediate certificates are present in the Windows certificate stores. If one is missing, you can install it manually.
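The following script is an added example (not TBS's or Microsoft's code) that checks an imported certificate against the two requirements above: that it carries every access FQDN required for a UC (SAN) certificate, and that its chain builds to a trusted root, translating the chain status into the "revocation check failed" and untrusted-root problems described in this section. The thumbprint and FQDNs are placeholders to replace with your own.

```powershell
# Added example (not TBS's or Microsoft's code): after Import-CsCertificate, check that
# the certificate in the local machine store carries every FQDN the role needs, has its
# private key, and chains to a trusted root, which the Access Edge service requires at
# start-up. Thumbprint and FQDNs are placeholders to replace with your own values.
param(
    [string]   $Thumbprint   = 'XXXX',
    [string[]] $RequiredFqdn = @('sip.myorganization.com',
                                 'webconf.myorganization.com',
                                 'av.myorganization.com')
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

# 1. Subject Alternative Names: a UC (SAN) certificate must list every access FQDN.
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    # Format($true) renders one "DNS Name=host" entry per line on Windows
    $sanNames = $sanExt.Format($true) -split '[\r\n]+' |
                Where-Object { $_ -like 'DNS Name=*' } |
                ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}
$missing = $RequiredFqdn | Where-Object { $sanNames -notcontains $_ }

# 2. Chain: build it with online revocation checking, as the import tool does, and
#    map the status flags onto the two problems described in this section.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$built = $chain.Build($cert)
$flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

$hint = switch -Regex ($flags) {
    'PartialChain'  { 'Intermediate CA missing: import it into Cert:\LocalMachine\CA'; break }
    'UntrustedRoot' { 'Root CA not in Cert:\LocalMachine\Root (error -2146762487)'; break }
    'RevocationStatusUnknown|OfflineRevocation' {
                      'CRL/OCSP unreachable through WinHTTP ("revocation check failed")'; break }
    default         { 'Chain builds to a trusted root' }
}

[pscustomobject]@{
    Subject       = $cert.Subject
    HasPrivateKey = $cert.HasPrivateKey
    SanNames      = $sanNames -join ', '
    MissingFqdn   = $missing -join ', '
    ChainBuilds   = $built
    ChainStatus   = $flags
    Hint          = $hint
}
```

Run it on the server where the certificate was imported; an empty MissingFqdn and ChainBuilds of True mean the certificate is ready for Set-CsCertificate.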
