Create and Install Certificates

Like all other roles in Lync Server, the Director communicates with other servers in the organization using Mutual Transport Layer Security (MTLS). To use MTLS, the Director needs at least one installed certificate that meets a few requirements. A separate certificate can be used for each function, or a single certificate can serve both MTLS and web services, provided it meets the following requirements:

• The subject name should contain the pool’s fully qualified domain name (FQDN).

• The server name should be included as a subject alternative name.

• If the internal or external web services FQDN differs from the pool name, it should also be included as a subject alternative name.

• All supported SIP domains must be entered as a subject alternative name in the format sip.<SIP domain>.

• Any simple URLs that terminate at the Director should be included as a subject alternative name. These will typically be the meet, dialin, lyncdiscover, and admin URLs.
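The following script is added here as a worked example and is not from the book: it builds the list of names the requirements above call for and checks an issued certificate from the local machine store against that list, reporting any missing subject alternative name, the key size, and the expiry date. All FQDNs, SIP domains and simple URLs are placeholder values; the 2048-bit minimum key size is this example's own assumption, since the wizard also offers 1024.

```powershell
# Added example, not from the book: verify that a Director certificate carries every
# name the requirements above call for. All FQDNs and URLs below are placeholders.

function Get-ExpectedDirectorNames {
    # Builds the full list of DNS names the certificate must cover.
    param(
        [string]$PoolFqdn,                 # goes in the subject name
        [string]$ServerFqdn,               # this pool member
        [string[]]$WebServicesFqdn = @(),  # internal/external web services FQDNs if they differ
        [string[]]$SipDomain = @(),        # each becomes sip.<domain>
        [string[]]$SimpleUrl = @()         # meet, dialin, lyncdiscover, admin as applicable
    )
    $names = @($PoolFqdn, $ServerFqdn) + $WebServicesFqdn + $SimpleUrl
    $names += $SipDomain | ForEach-Object { "sip.$_" }
    $names | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

function Get-CertificateDnsNames {
    # Returns the subject CN plus every DNS entry in the Subject Alternative Name extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        # Format() renders the extension as "DNS Name=<host>" entries
        $text = $san.Format($true)
        $names += [regex]::Matches($text, 'DNS Name=([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $names | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

function Test-DirectorCertificate {
    # Compares the names on the certificate with the expected list and reports gaps.
    # The 2048-bit floor is this example's assumption; the wizard itself also offers 1024.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$ExpectedName,
        [int]$MinimumKeySize = 2048
    )
    $present = @(Get-CertificateDnsNames -Certificate $Certificate)
    $missing = @($ExpectedName | Where-Object { $present -notcontains $_ })
    $keySize = $Certificate.PublicKey.Key.KeySize
    [pscustomobject]@{
        Thumbprint   = $Certificate.Thumbprint
        Subject      = $Certificate.Subject
        KeySize      = $keySize
        NotAfter     = $Certificate.NotAfter
        MissingNames = $missing
        Ok           = ($missing.Count -eq 0) -and
                       ($keySize -ge $MinimumKeySize) -and
                       ($Certificate.NotAfter -gt (Get-Date))
    }
}

# Usage: placeholder topology values; replace them with the published topology's names.
$expected = Get-ExpectedDirectorNames -PoolFqdn 'dirpool.company.local' `
    -ServerFqdn 'dir01.company.local' -WebServicesFqdn 'dirweb.company.com' `
    -SipDomain 'company.com' `
    -SimpleUrl 'meet.company.com', 'dialin.company.com', 'lyncdiscover.company.com'

# Pick the newest candidate certificate from the local machine store by its subject CN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=dirpool.company.local*' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

if ($null -eq $cert) { throw 'No certificate with the pool FQDN as subject was found.' }
Test-DirectorCertificate -Certificate $cert -ExpectedName $expected | Format-List
```

Run this on each Director pool member after the certificate has been assigned; a non-empty MissingNames list means clients connecting to that name will see a certificate name mismatch, which is the usual cause of failed simple URL and Lyncdiscover lookups.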


Note

The certificate wizard in Lync Server 2013 automatically populates the subject name and any required subject alternative names based on the published topology, which greatly reduces the certificate confusion created by prior versions. If only one certificate will be used for the default, internal web services, and external web services, then the subject alternative names must be manually added when the wizard is run.


Use the following steps to request and assign the necessary certificates:

1. Under Step 3: Request, Install, or Assign Certificate, click the Run button.

2. Highlight the Default certificate and click the Request button to start the Certificate Request Wizard.


Note

It is possible to expand the Default certificate option and individually request the server default, web services internal, and web services external certificates. This is generally not required, and using a single certificate for all three functions is sufficient and saves on management overhead.


3. Click Next to continue.

4. Select either an online certificate request and certificate authority, or an offline certificate request and a file path for the request. Click Next. The steps that follow assume that an internal certificate authority is used to generate the request.

5. If user credentials other than the logged-on user are required to create the certificate request, check the box Specify Alternate Credentials for the Certification Authority. Enter a username and password and click Next. This is typically used in large environments where the Lync administrator does not have rights to request certificates.

6. If the default WebServer template will not be used, check the box Use Alternate Certificate Template for the Selected Certification Authority and enter the certificate template name. The template name, not the template display name, should be entered here. The template should already be published and available on the certificate authority issuing the certificate. In most cases the default WebServer template will be sufficient and there is no need to check this box.

7. Enter a friendly name for the certificate for identification purposes.

8. Select a key bit length of either 1024, 2048, or 4096.

9. If the certificate should be exportable, select the check box Mark Certificate Private Key as Exportable. This should be selected for Director pools with multiple members so that the same certificate can be installed on each pool member.

10. Enter an organization name, typically the name of the business.

11. Enter an organizational unit name, typically the name of a division or department, and click Next.

12. Select a country, enter a state or province, enter a city or locality, and click Next.

13. Review the automatically populated subject name and subject alternative names. Click Next.

14. Check the box for each configured SIP domain that will use the Director pool. Each selected SIP domain adds a subject alternative name entry for sip.<SIP domain> to the certificate. Click Next.

15. Add any additional subject alternative names if necessary. If the pool configuration has already been published, all required subject alternative names are added automatically and this step can be skipped. Click Next.

16. Review the certificate request summary screen for accuracy and when satisfied click Next.

17. The Lync Management Shell commands that the wizard ran are displayed, and the certificate request log can optionally be reviewed. Unless the request failed, this is not necessary. Click Next.

18. Leave the Assign This Certificate to Lync Server Certificate Usages check box selected to skip straight to the certificate assignment wizard. Click Finish to complete the request process.


Note

It might not seem intuitive, but to process a response to an offline certificate request, use the Import Certificate button found at the bottom of the Certificate Wizard. If a request to an online certificate authority is in a pending state, the Process Pending Certificates button will be available to complete those requests.


Certificates issued from an online certificate authority will be installed automatically. If an offline request was performed, first copy the certificate authority response to the server. Then use the Import Certificate button found at the bottom of the wizard to complete the process.

1. Click Browse and select the certificate authority response.

2. Uncheck the Certificate File Contains the Certificate’s Private Key check box. Click Next.

3. Review the import certificate summary and click Next.

4. Click Finish to complete the process of associating the private key and certificate authority response.
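The following script is added here as a worked example and is not the book's own code: it is the Lync Management Shell equivalent of the wizard steps above (the commands the wizard itself displays in step 17), covering both the online request path and the offline request-and-import path, followed by the assignment that the wizard performs in step 18. The CA path, file paths, template name and every FQDN are placeholder values.

```powershell
# Added example, not from the book: Lync Management Shell equivalent of the certificate
# wizard, for both the online and the offline request path. Every CA path, file path,
# template name and FQDN below is a placeholder.

$poolFqdn   = 'dirpool.company.local'
$serverFqdn = 'dir01.company.local'
$extWebFqdn = 'dirweb.company.com'
$simpleUrls = 'meet.company.com', 'dialin.company.com', 'lyncdiscover.company.com'
$usages     = 'Default', 'WebServicesInternal', 'WebServicesExternal'

# Parameters shared by both paths (wizard steps 7 through 15). The subject name comes
# from the published topology; -DomainName adds the extra subject alternative names and
# -AllSipDomain adds sip.<domain> for every configured SIP domain.
$requestParams = @{
    New                  = $true
    Type                 = $usages          # one certificate for all three usages
    FriendlyName         = 'Director pool certificate'
    KeySize              = 2048
    PrivateKeyExportable = $true            # needed when the pool has several members
    Organization         = 'Company'
    OU                   = 'Information Technology'
    Country              = 'US'
    State                = 'Washington'
    City                 = 'Seattle'
    DomainName           = (@($serverFqdn, $extWebFqdn) + $simpleUrls) -join ','
    AllSipDomain         = $true
    Report               = 'C:\Logs\DirectorCertRequest.html'   # the request log of step 17
}

function Get-IssuedDirectorCertificate {
    # Finds the newest certificate in the machine store whose subject is the pool FQDN
    # and that has a private key, i.e. the one produced by the request on this server.
    param([string]$PoolFqdn)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$PoolFqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
}

# --- Online path: an internal enterprise CA issues the certificate immediately ---
# Add -Template '<template name>' (the template name, not its display name) only when
# the default WebServer template is not used.
Request-CsCertificate @requestParams -CA 'ca01.company.local\Company Issuing CA'

# --- Offline path: write a request file, submit it out of band, then import the response ---
# Request-CsCertificate @requestParams -Output 'C:\Requests\director.req'
# ... submit director.req to the CA and copy its response back to this server as director.cer ...
# Import-CsCertificate -Path 'C:\Requests\director.cer'

# Assign the certificate to the three usages (step 18) and confirm the assignment.
$issued = Get-IssuedDirectorCertificate -PoolFqdn $poolFqdn
if ($null -eq $issued) { throw 'Issued certificate not found in the local machine store.' }
Set-CsCertificate -Type $usages -Thumbprint $issued.Thumbprint
Get-CsCertificate -Type $usages | Format-List
```

The script ends with Get-CsCertificate so that the assignment can be verified immediately; on a multi-member pool, run the assignment on every member after the same certificate has been imported there, which is why the request marks the private key as exportable.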
