PKI and Certificates in Lync Server 2010

Handling of certificates has greatly improved in Lync Server when compared to OCS.

Firstly, let us look at what certificates are used for in Lync Server.

• TLS connections between client and server
  
• MTLS connections between servers
  
• Federation using automatic DNS discovery of partners
  
• Remote user access for instant messaging (IM)
  
• External user access to audio/video (A/V) sessions, application sharing, and conferencing
  

Some Lync roles require certificates issued by Certificate Providers, while many roles can use certificates issued from an internal CA.

Microsoft has verified a number of Certificate Providers who issue (sell) public certificates that are UC compatible; the current list is available here

Certificates for Internal Servers

Certificates for Standard Edition Server

Certificate	Subject name/ Common name	Subject alternative name	Example	Comments
Default	FQDN of the pool	FQDN of the pool and the FQDN of the server	SN=se01.contoso.com; SAN=se01.contoso.com	On Standard Edition server, the server FQDN is the same as the pool FQDN. The wizard detects any SIP domains you specified during setup and automatically adds them to the SAN.
Web internal	FQDN of the server	Each of the following: Internal web FQDN simple URLs	SN=se01.contoso.com; SAN=se01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com	Internal web FQDN cannot be overwritten in Topology Builder.
Web external	FQDN of the server	Each of the following: External web FQDN simple URLs	SN=se01.contoso.com; SAN=webcon01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com	If you have multiple Meet simple URLs, you must include all of them as SAN.

Certificates for Front End Server in a Front End Pool

Certificate	Subject name/ Common name	Subject alternative name	Example	Comments
Default	FQDN of the pool	FQDN of the pool and FQDN of the server.	SN=eepool.contoso.com; SAN=eepool.contoso.com; SAN=ee01.contoso.com	The wizard detects any SIP domains you specified during setup and automatically adds them to the Subject Alternative Name.
Web Internal	FQDN of the server	Each of the following: Internal web FQDN simple URLs	SN=ee01.contoso.com; SAN=ee01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com	Internal web FQDN cannot be overwritten in Topology Builder.
Web external	FQDN of the server	Each of the following: External web FQDN simple URLs	SN=ee01.contoso.com; SAN=webcon01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com	If you have multiple Meet simple URLs, you must include all of them as SAN.

Certificates for Director

Certificate	Subject name/ Common name	Subject alternative name	Example
Default	FQDN of the Director pool	FQDN of the Director/ Director pool	SN=dir-pool.contoso.com; SAN=dir-pool.contoso.com; SAN=dir01.contoso.com
Web Internal	FQDN of the server	Each of the following: Internal web FQDN simple URLs	SN=dir01.contoso.com; SAN=dir01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com
Web external	FQDN of the server	Each of the following: External web FQDN simple URLs	The Director external web FQDN must be different from the Front End pool or Front End Server. SN=dir01.contoso.com; SAN=directorwebcon01.contoso.com SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com

Certificates for External Servers

Certificates for Edge

Certificate	Subject name/ Common name	Subject alternative name	Example
Default	FQDN of the Access Edge	FQDN of the Access Edge FQDN of Web Conferencing Edge	SN=access.contoso.com; SAN=access.contoso.com; SAN=webcon.contoso.com; SAN=sip.contoso.com; SAN=sip.fabrikam.com
Internal Interface	FQDN of the Access Edge internal	None	SN=lsedge.contoso.com

 

Certificates for Reverse Proxy

Certificate	Subject name/ Common name	Subject alternative name	Example
Default	FQDN of the pool	FQDN of the pool simple URLs	SN=webext.contoso.com; SAN=webext.contoso.com; SAN=meet.contoso.com; SAN=dialin.contoso.com

 

Wildcard certificates are support but with a number of caveats and limitations. These limitations are not explicitly documented but Jeff Schertz has pulled together the available information and shows that in reality, wildcard certificates are of little benefit. However, this article has a very good explanation of how certificates requests are handled in Lync 2010, and explains in detail the Request-CsCertificate Powershell cmdlet.

To view assigned certificates in Lync 2010 requires a little work, which is documented on Inside OCS, basically you either have to run the installation wizard or use Powershell Get-CsCertificate | fl –property *.

The Powershell cmdlets available to manage certificates in Lync are:

Cmdlet	Description
Get-CsCertificate	Returns information about certificates on the local computers that have been configured for use with Microsoft Lync Server 2010.
Import-CsCertificate	Imports a certificate for use with Microsoft Lync Server 2010. If a certificate is not acquired by using the Request-CsCertificate cmdlet, then that certificate must be imported before it can be assigned to a Lync Server 2010 server role.
Remove-CsCertificate	Removes a certificate previously marked as being available for use by Microsoft Lync Server 2010.
Request-CsCertificate	Provides a way to request certificates for use with servers running Microsoft Lync Server 2010 and server roles. Also provides a way to check the status of existing certificate requests and, if needed, to cancel any (or all) of those requests.
Set-CsCertificate	Enables you to assign a certificate to a Microsoft Lync Server 2010 server or server role.
Test-CsCertificateConfiguration	Returns information about the Microsoft Lync Server 2010 certificates being used on the local computer.