Friday, August 10, 2012 8:29 PM
Having trouble assigning a public certificate to the Edge External Interface.
I imported the Root CA cert. to the Computer store along with the intermediate CA cert., and imported the certificate issued using the Lync wizard. However, when I go to assign, nothing shows as being available. Is it because of the type of cert. that was purchased? http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-essentialssl.html instead of a UCC, or should this work as well?
Had no problems assigning a public cert to my front-end pool. But those were both UCC certs.
Friday, August 10, 2012 9:27 PM
Sounds like a private key issue. You can check this link to help you verify the private key and repair it if necessary:
Also, you can use the DigiCert utility to view and repair certs (even if they aren't DigiCert certificates):
Friday, August 10, 2012 9:36 PM
I went in and deleted all the certs that were imported into Personal --> Certificates.
Did I just hose this request?
I don't understand; I followed the instructions exactly for "Set up Certificates for the External Edge Interface".
Friday, August 10, 2012 9:46 PM
The cert I imported didn't have a private key. I ran the repair, then it had one; it still doesn't show up on assign.
Friday, August 10, 2012 9:48 PM
All of the files provided by the public CA were .CRT files and were imported into MMC as such.
Friday, August 10, 2012 10:04 PM
Saturday, August 11, 2012 4:12 PM
Ok, here's a full report of what I did, per this TechNet article: http://technet.microsoft.com/en-us/library/gg398409.aspx
1. Created a request for the public CA for the external interface of the Edge Server.
Note: I only included sip.lync.domain.com as the Subject and SAN because we are using one FQDN and IP address for all. I ensured "Mark certificate private key as exportable" was checked.
2. This request was sent off to our public CA, where we purchased a Comodo Essential SSL cert (not a UCC cert). Does this cause problems? http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-essentialssl.html
3. The public CA responded with 4 different files. I imported the Root and Intermediate certs into their respective areas via the MMC Certificates console on the Edge Server. I made sure I selected "Computer Account" and "Local".
• Root CA Certificate - AddTrustExternalCARoot.crt
• Intermediate CA Certificate - UTNAddTrustSGCCA.crt
• Intermediate CA Certificate - ComodoUTNSGCCA.crt
• Intermediate CA Certificate - EssentialSSLCA_2.crt
4. I then used the certificate wizard in Lync to import the final .crt that was provided: "Your EssentialSSL Certificate - sip_lync_domain_com.crt".
I was confused by this part: "If the certificate contains a private key, select Certificate file contains certificate's private key and type the password for the private key". I guess I randomly generate a password here? There was no prompt to enter a password when generating the certificate request.
The import goes successfully; however, there are no certificates in the Certificates Personal store in MMC.
However, if I go through IIS Manager, I can import the certificate there, and it does show up in the Certificates Personal store afterwards, and it does say it has a private key associated. The certificate path all the way through shows "This certificate is OK".
If I run the DigiCert util, it shows "Root and intermediate certificates are installed correctly".
Why is this not working? I'm so confused; the front-end pool was a breeze.
Saturday, August 11, 2012 4:35 PM
I have the feeling this might be the answer: http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/6730fba2-a0a2-4c55-a6bd-59f5128e1be9/
Sunday, August 12, 2012 3:45 PM
Probably you can run through the same sequence that I've blogged in one of my articles: Renewing OCS 2007 R2 GoDaddy Certificate
Hope this helps!
James Ooi MCITP Lync Server 2010 | Blog: http://jamesosw.wordpress.com | Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread
Sunday, August 12, 2012 6:17 PM
Yes, without the private key the Lync cert wizard cannot assign this certificate.
You can check this by exporting the cert with its private key through the MMC, to see whether the key really exists.
Regards, Holger, Technical Specialist UC
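The checks the thread circles around (is a private key actually bound to the certificate, does the chain build, is the key in the machine store) can be run directly against the Local Computer store instead of by trial and error in the wizard. The following is an added example written for this page, not code from the thread or from Lync; it assumes the external Edge FQDN sip.lync.domain.com from the question and that the certificate is already in Cert:\LocalMachine\My. The certutil -repairstore command it suggests is the standard Windows way to re-link a certificate with a private key that was generated on the same server, which is what the "repair" mentioned earlier in the thread does.

```powershell
# Added example, not from the thread: check whether a certificate in the
# Local Computer Personal store is one the Lync certificate wizard can assign.
# Assumed: the external Edge FQDN is sip.lync.domain.com (from the thread) and the
# certificate has already been imported into Cert:\LocalMachine\My.
param([string]$Fqdn = 'sip.lync.domain.com')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

# Match on Subject CN or on the Subject Alternative Name extension (OID 2.5.29.17).
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $_.Subject -like "*CN=$Fqdn*" -or ($san -and $san.Format($false) -like "*$Fqdn*")
}
if (-not $candidates) {
    Write-Warning "No certificate for $Fqdn in LocalMachine\My. A cert imported under a user account or into another store is not offered by the wizard."
}

foreach ($cert in $candidates) {
    "Thumbprint    : $($cert.Thumbprint)"
    "Subject       : $($cert.Subject)"
    "Valid until   : $($cert.NotAfter)"

    # 1. The wizard only offers certificates that have a private key bound to them.
    "HasPrivateKey : $($cert.HasPrivateKey)"
    if (-not $cert.HasPrivateKey) {
        Write-Warning "No private key bound. If the CSR was created on this server, re-link the key with:"
        Write-Warning "    certutil -repairstore my $($cert.Thumbprint)"
    }

    # 2. Enhanced Key Usage must allow Server Authentication (no EKU extension means any use).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = (-not $eku) -or ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    "ServerAuth EKU: $([bool]$serverAuth)"

    # 3. The chain must build to a trusted root using the intermediates in LocalMachine\CA.
    #    Revocation checking is disabled here only so the check can run offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    "Chain builds  : $chainOk"
    if (-not $chainOk) {
        foreach ($s in $chain.ChainStatus) { Write-Warning ("    {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()) }
    }

    # 4. The key must live in the machine key set; a key stored in a user profile is not
    #    usable by services running as LocalSystem or Network Service.
    if ($cert.HasPrivateKey) {
        try {
            $csp = ([System.Security.Cryptography.RSACryptoServiceProvider]$cert.PrivateKey).CspKeyContainerInfo
            "MachineKeySet : $($csp.MachineKeySet)  Exportable: $($csp.Exportable)"
        } catch {
            Write-Warning "Private key is not a CSP (RSA) key or could not be opened: $_"
        }
    }
    ''
}
```

Run it in an elevated PowerShell on the Edge server. A certificate that prints HasPrivateKey False is exactly the case Holger describes: the wizard will not list it no matter how correct the chain is. If certutil -repairstore does not find a matching key, the CSR was generated on a different machine (or deleted with the pending request), and the only fix is to import a PFX that carries the key or to request a new certificate.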
Monday, August 13, 2012 2:21 PM
Can anyone verify 100% that it must be a UCC certificate to work?
Monday, August 13, 2012 4:12 PM
I can do this just fine in my dev environment with my internal CA, just as a test. The only difference I see is the "intended use".
Tuesday, August 14, 2012 6:36 AM (Moderator)
Please make sure you have downloaded the certificate chain from the public CA and installed it on the Edge server.
Tuesday, August 14, 2012 2:12 PM
Hi, yes, this was done; we're going to try to request and install another certificate... sigh
Wednesday, August 15, 2012 6:20 AM (Moderator)
Wednesday, August 15, 2012 4:51 PM
This was easily resolved by requesting another certificate from another public CA, installing the internal Edge first and the external Edge second. During the install I made sure not to check "includes private key", as that's for the other servers in the pool. Then I exported the keys via the Certificates MMC and imported them to the other Edges in the pool, selecting "includes private key" and entering the password. All is well.
- Marked As Answer by GoneLyncSane Wednesday, August 15, 2012 6:20 PM
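The resolution above moves the certificate and its private key from the Edge that generated the request to the other Edge servers as a password-protected PFX, which is the only case where the wizard's "contains private key" option and password apply. The following is an added example for this page, not code from the thread or from Lync; it assumes the PKI module cmdlets (Windows Server 2012 or later), and the thumbprint and share path are placeholders to replace.

```powershell
# Added example, not from the thread: copy the external Edge certificate, with its
# private key, from the Edge server that generated the CSR to the other Edge servers.
# Assumed: Export-PfxCertificate/Import-PfxCertificate from the PKI module are available
# (Windows Server 2012 or later); thumbprint and share path are placeholders.
$thumbprint = 'REPLACE_WITH_THUMBPRINT'
$pfxPath    = '\\fileserver\certs\edge-external.pfx'
$pfxPwd     = Read-Host -AsSecureString -Prompt 'PFX password'

# --- On the Edge server that holds the private key ---
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key to export." }

# BuildChain bundles the intermediates so the target server receives them as well;
# the PFX must be password-protected because it carries the private key.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPwd -ChainOption BuildChain | Out-Null

# --- On each of the other Edge servers (the wizard's "contains private key" case) ---
# Without -Exportable the imported key cannot be exported again from this server,
# which limits where copies of the key can end up.
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
"Imported $($imported.Thumbprint); HasPrivateKey = $($imported.HasPrivateKey)"

# The file on the share is a copy of the private key: delete it after the last
# Edge server has imported it.
Remove-Item $pfxPath
```

After the import, HasPrivateKey should be True on every Edge; only then will the certificate appear in the wizard's assign list on those servers. On Windows Server 2008 R2, where the PKI module is not available, the same export/import is done through the Certificates MMC as described in the accepted answer, or with certutil -exportPFX and certutil -importPFX.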