Lync Server Certificate Requirements

Following are the primary uses for certificates within Lync:

• Communication between Lync clients and Lync servers is encrypted using TLS.

• Authentication between Lync 2013 servers, as well as authentication among Lync 2013 servers, Exchange 2013 servers, and SharePoint 2013 servers, uses server-to-server OAuth certificates.

• Communication between Lync servers is encrypted and mutually authenticated using MTLS (mutual TLS, in which both endpoints present certificates).

• Automatic DNS discovery of partners for federation uses certificates for authentication.

• Remote or external user access for any Lync functionality is encrypted, including IM, audio/video (A/V) sessions, application sharing, and conferencing.

• A mobile request using automatic discovery of Web Services is encrypted.

Following are the common requirements that apply to the SSL certificates issued for use with Lync Server:

• All server certificates must support server authentication (the Server Authentication EKU, OID 1.3.6.1.5.5.7.3.1).

• All server certificates must contain a CRL Distribution Point (CDP).

• Auto-enrollment is supported for internal Lync servers, but is not supported for Lync Edge Servers.

• Key lengths of 1024, 2048, and 4096 bits are supported. A 1024-bit RSA key is weak by current standards, so request 2048 bits or longer.

• The supported key algorithms are RSA (the default), ECDH_P256, ECDH_P384, and ECDH_P521 (the values accepted by the -KeyAlg parameter of Request-CsCertificate). These are public-key algorithms, not hash algorithms; the hash used in the signature is chosen by the issuing CA.

• All certificates are standard web server certificates and must be installed in the local computer's certificate store together with their private key.

Following are the requirements that apply to the OAuth certificates issued for use with Lync Server:

• The certificate issued for OAuth must be the same across all Lync servers in the environment, and therefore the private key must be exportable for the certificate.

• A Web Server certificate that has the name of the SIP domain as subject can be used as an OAuth certificate.

• Generally, any Lync Server SSL certificate can also be used as an OAuth certificate, provided that all other requirements are met. However, if the default Lync Server certificate is used for both SSL and OAuth, it must be assigned twice, once for each certificate usage.


Note

Distribution of the OAuth certificate between Lync Server 2013 Front End Servers is handled automatically via Central Management Store replication.
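The requirements above can be checked rather than taken on trust. The following PowerShell is an added example, not code from the book or from Microsoft: it audits the certificates that Get-CsCertificate reports as assigned on a server against the common requirements (Server Authentication EKU, CDP, private key present, RSA key length, signature hash, validity window) and, for the OAuthTokenIssuer assignment, that the private key is exportable; it then compares the OAuth thumbprint across a list of Front End servers, since that certificate must be identical everywhere. It assumes the Lync Server Management Shell on the server being audited (the Get-CsCertificate cmdlet, its Use and Thumbprint columns, and the Lync module name), certificates in Cert:\LocalMachine\My, and WinRM access for the cross-server comparison; the Front End names passed to Compare-LyncOAuthThumbprint are the reader's own.

```powershell
# Added example (not from the book): audit Lync-assigned certificates against
# the requirements listed above. Assumes Lync Server Management Shell and
# certificates in the local computer's personal store.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication EKU)
$CdpOid        = '2.5.29.31'           # CRL Distribution Points extension
$MinKeyBits    = 2048                  # Lync accepts 1024, but 1024-bit RSA is weak

function Test-LyncCertificateRequirements {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Use = 'Unknown'       # value of the Use column from Get-CsCertificate (assumed)
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Server Authentication EKU must be present.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $hasServerAuth = $false
    if ($eku) {
        foreach ($oid in $eku.EnhancedKeyUsages) {
            if ($oid.Value -eq $ServerAuthEku) { $hasServerAuth = $true }
        }
    }
    if (-not $hasServerAuth) { $problems.Add('no Server Authentication EKU') }

    # 2. A CRL Distribution Point must be present so revocation can be checked.
    if (-not ($Certificate.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid })) {
        $problems.Add('no CRL Distribution Point (CDP) extension')
    }

    # 3. The private key must be installed with the certificate.
    if (-not $Certificate.HasPrivateKey) { $problems.Add('private key not present in store') }

    # 4. Key algorithm and length. Only RSA sizes are checked; for ECDH_P* keys
    #    the named curve fixes the size.
    $keyAlg = $Certificate.PublicKey.Oid.FriendlyName
    if ($keyAlg -eq 'RSA') {
        $bits = $Certificate.PublicKey.Key.KeySize
        if ($bits -lt $MinKeyBits) { $problems.Add("RSA key is only $bits bits") }
    }

    # 5. Signature hash is chosen by the issuing CA, not by Lync: flag SHA-1/MD5.
    $sig = $Certificate.SignatureAlgorithm.FriendlyName
    if ($sig -match '^(sha1|md5)') { $problems.Add("signed with $sig; re-issue with SHA-2") }

    # 6. Validity window.
    $now = Get-Date
    if ($Certificate.NotAfter -lt $now -or $Certificate.NotBefore -gt $now) {
        $problems.Add("not valid at $now (valid $($Certificate.NotBefore) to $($Certificate.NotAfter))")
    }

    # 7. OAuth only: the same certificate is deployed on every server, so the
    #    private key must be exportable. CspKeyContainerInfo exists only for
    #    CAPI (non-CNG) keys, hence the guard.
    if ($Use -eq 'OAuthTokenIssuer') {
        $csp = $null
        try { $csp = $Certificate.PrivateKey.CspKeyContainerInfo } catch { }
        if ($null -eq $csp) {
            $problems.Add('cannot read key container info (CNG key or no access); check exportability manually')
        } elseif (-not $csp.Exportable) {
            $problems.Add('OAuth private key is not exportable')
        }
    }

    [pscustomobject]@{
        Use        = $Use
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        KeyAlg     = $keyAlg
        Signature  = $sig
        Compliant  = ($problems.Count -eq 0)
        Problems   = $problems.ToArray()
    }
}

# Every assignment Lync knows about on this server. A certificate used for
# both SSL and OAuth appears twice (once per Use), as the text above requires.
function Get-LyncCertificateAudit {
    $store = Get-ChildItem Cert:\LocalMachine\My
    foreach ($assignment in Get-CsCertificate) {
        $cert = $store | Where-Object { $_.Thumbprint -eq $assignment.Thumbprint }
        if (-not $cert) {
            Write-Warning "Assigned certificate $($assignment.Thumbprint) ($($assignment.Use)) not found in LocalMachine\My"
            continue
        }
        Test-LyncCertificateRequirements -Certificate $cert -Use $assignment.Use
    }
}

# The OAuth certificate must be identical on every Front End: compare the
# thumbprint each server reports. Assumes WinRM access and the Lync module
# (Import-Module Lync) on each server.
function Compare-LyncOAuthThumbprint {
    param([Parameter(Mandatory = $true)][string[]]$FrontEnd)   # hypothetical server list
    $byServer = @{}
    foreach ($fe in $FrontEnd) {
        $byServer[$fe] = Invoke-Command -ComputerName $fe -ScriptBlock {
            Import-Module Lync
            (Get-CsCertificate -Type OAuthTokenIssuer).Thumbprint
        }
    }
    $distinct = @($byServer.Values | Sort-Object -Unique)
    [pscustomobject]@{ Consistent = ($distinct.Count -eq 1); ThumbprintByServer = $byServer }
}

Get-LyncCertificateAudit | Format-Table Use, Subject, KeyAlg, Compliant, Problems -AutoSize
```

Run the audit on each Lync server; any row with Compliant set to False lists the failed requirement in Problems. Run Compare-LyncOAuthThumbprint with the pool's Front End FQDNs after Central Management Store replication has completed; a Consistent value of False means at least one server is still holding a different OAuth certificate and token validation between servers will fail.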

