Edge Certificate Not Appearing After Import

  • Friday, August 10, 2012 8:29 PM

    Having trouble assigning a public certificate to the Edge External Interface.

    I imported the Root CA cert to the Computer store along with the intermediate CA cert, and imported the issued certificate using the Lync wizard. However, when I go to assign, nothing shows as being available. Is it because this type of cert was purchased (http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-essentialssl.html) instead of a UCC, or should this work as well?

    Had no problems assigning a public cert to my front end pool. But those were both UCC certs.

All Replies

  • Friday, August 10, 2012 9:27 PM

    Sounds like a private key issue. You can check this link to help you verify the private key and repair it if necessary:

    http://howdouc.blogspot.com/2010/12/repairing-invalid-certificate-for.html

    Also, you can use the DigiCert utility to help view and repair certs (even if they aren't DigiCert certificates):

    https://www.digicert.com/util/


    Tim Harrington | Lync: MCM/MVP | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington

  • Friday, August 10, 2012 9:36 PM

    I went in and deleted all the certs that were imported into Personal --> Certificates.

    Did I just hose this request?

    I don't understand; I followed the instructions exactly for "Set up Certificates for the External Edge Interface".

  • Friday, August 10, 2012 9:46 PM

    The cert I imported didn't have a private key. I ran the repair, and then it had one, but it still doesn't show up on assign.
  • Friday, August 10, 2012 9:48 PM

    All of the files provided by the public CA were .CRT files and were imported into MMC as such.
  • Friday, August 10, 2012 10:04 PM

    Did you try running the DigiCert utility? Does the cert show healthy?

    Tim Harrington | Lync: MCM/MVP | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington

  • Saturday, August 11, 2012 4:12 PM

    Ok, here's a full report of what I did, per this TechNet article: http://technet.microsoft.com/en-us/library/gg398409.aspx

    1. Created a request for the public CA for the external interface of the Edge Server.

    Note: I only included sip.lync.domain.com as the Subject and SAN because we are using 1 FQDN and IP address for all. I ensured "Mark certificate private key as exportable" was checked.

    2. This request was sent off to our public CA, where we purchased a Comodo Essential SSL cert (not a UCC). Does this cause problems? http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-essentialssl.html

    3. The public CA responded with 4 different files. I imported the Root and Intermediate certs in their respective areas via the MMC Certificates console on the Edge Server. I made sure I selected "Computer Account" and "Local".

    •    Root CA Certificate - AddTrustExternalCARoot.crt
    •    Intermediate CA Certificate - UTNAddTrustSGCCA.crt
    •    Intermediate CA Certificate - ComodoUTNSGCCA.crt
    •    Intermediate CA Certificate - EssentialSSLCA_2.crt

    4. I then used the certificate wizard in Lync to import the final .crt that was provided, "Your EssentialSSL Certificate - sip_lync_domain_com.crt".

    I was confused by this part: "If the certificate contains a private key, select Certificate file contains certificate's private key and type the password for the private key". I guess I randomly generate a password here? There was no prompt to enter a password when generating the certificate request.

    The import goes successfully; however, there are no certificates in the Certificates Personal store in MMC.

    However, if I go through IIS Manager, I can import the certificate there, and it does show up in the Certificates Personal store afterwards and says it has a private key associated. The certificate path all the way through shows "This certificate is OK".

    If I run the DigiCert util, it shows "Root and intermediate certificates are installed correctly".

    Why is this not working? I'm so confused, the Front-end pool was a breeze.

  • Saturday, August 11, 2012 4:35 PM
    I have the feeling this might be the answer: http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/6730fba2-a0a2-4c55-a6bd-59f5128e1be9/
  • Sunday, August 12, 2012 3:45 PM

    Probably you can run through the same sequence that I've blogged in one of my articles: Renewing OCS 2007 R2 GoDaddy Certificate

    Hope this helps!


    James Ooi MCITP Lync Server 2010 | Blog: http://jamesosw.wordpress.com | Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

  • Sunday, August 12, 2012 6:17 PM

    Yes, without the private key the Lync cert wizard could not assign this certificate.

    You can check this by exporting the cert with its private key through the MMC, to see whether the key really exists.


    regards Holger Technical Specialist UC
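    The check Holger describes, done from the console instead of the MMC export dialog, as an added example that is not part of this thread: it lists the Local Computer Personal store entries for the Edge external FQDN (sip.lync.domain.com from the thread, a placeholder for yours) and reports whether each one has a bound private key, a Server Authentication EKU, its SAN entries, and whether a chain builds through the installed intermediates. The function name and the `-Fqdn` parameter are this example's own.

```powershell
# Added example (not from the thread): inspect Cert:\LocalMachine\My, the store the
# Lync assignment wizard draws its candidates from, for the Edge external cert.
param(
    [string]$Fqdn = 'sip.lync.domain.com'   # FQDN used in the thread; replace with yours
)

function Test-EdgeCertificate {
    param([string]$Fqdn)

    $results = @()
    # A cert that only landed in CurrentUser\My, or was imported through IIS into a
    # different store, is never offered by the wizard, so look only here.
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$Fqdn*" -or $_.DnsNameList.Unicode -contains $Fqdn }

    if (-not $candidates) {
        Write-Warning "No certificate for $Fqdn found in LocalMachine\My."
        return
    }

    foreach ($cert in $candidates) {
        # Build the chain against the machine's trust stores; Build() returns $false
        # when a root or intermediate (e.g. the EssentialSSL CA) is missing or untrusted.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline structural check only
        $chainOk = $chain.Build($cert)

        # 1.3.6.1.5.5.7.3.1 = Server Authentication, required for a TLS listener
        $hasServerAuth = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'

        # HasPrivateKey = $false is the exact symptom in this thread. If the CSR was
        # generated on this machine, "certutil -repairstore my <thumbprint>" re-binds
        # the orphaned key; if it was generated elsewhere, the key must be exported
        # from that machine as a .pfx and imported here with it.
        $results += [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEKU = $hasServerAuth
            SANs          = ($cert.DnsNameList.Unicode -join ', ')
            ChainBuilds   = $chainOk
            ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
            NotAfter      = $cert.NotAfter
        }
    }
    $results
}

Test-EdgeCertificate -Fqdn $Fqdn | Format-List
```

    Run it in an elevated PowerShell on the Edge server; a row with HasPrivateKey False, or ChainBuilds False with a status naming the missing issuer, points at the store contents rather than at the certificate product purchased.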

  • Monday, August 13, 2012 2:21 PM

    Can anyone verify 100% that it must be a UCC certified certificate to work?
  • Monday, August 13, 2012 4:12 PM

    I can do this just fine in my dev environment with my internal CA, just as a test. The only difference I see is the "intended use".
  • Tuesday, August 14, 2012 6:36 AM
    Moderator

    Hi,

    Please make sure you have downloaded the Certificate Chain from the Public CA and installed it on the edge server.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Tuesday, August 14, 2012 2:12 PM

    Hi, yes, this was done. We're going to try to request and install another certificate... sigh.
  • Wednesday, August 15, 2012 6:20 AM
    Moderator

    Hi,

    You are welcome to post the result after you install another certificate.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Wednesday, August 15, 2012 4:51 PM
     Answered
    This was easily resolved by requesting another certificate from another Public CA, installing the internal edge first and the external edge second. During the install I made sure not to check "includes private key", as that's for the other servers in the pool. Then I exported the keys via the Certificates MMC and imported them to the other edges in the pool, selecting "includes private key" and entering the password. All is well.
    • Marked As Answer by GoneLyncSane Wednesday, August 15, 2012 6:20 PM