Can one certificate be used across frontend servers?

  • Question

  • Hi guys:

    Our certificates on the Skype for Business servers are about to expire, and I'm looking to renew them.

    We have 3 Front Ends in the Front End pool, and we don't have an internal CA; all our certificates are from a public CA.

    My questions are:

    1. Can we use one single certificate across the Front Ends? Currently they are using the same certificate, with the 3 servers' FQDNs listed under SAN. I have read some articles saying you can't do it, so I'm a bit confused now.

    What about Mediation and PChat? We have two servers in each pool. Do they need a new certificate for each server?


    2. I know that after renewing certs on the Front Ends we need to restart the Front End service. Do we need to do this for the other pools as well, e.g. the Mediation pool or the Edge pool?


    Thanks heaps
    Friday, July 8, 2016 2:56 AM

All replies

  • 1. Yes, you can use one certificate for all FEs. The CN should be the pool name, and all FE FQDNs should be added as SANs.

    2. You need a certificate for every SfB server. The Edge also needs a certificate for the public names (access, web).


    Regards, Holger, Technical Specialist UC

    • Proposed as answer by Liinus Friday, July 8, 2016 10:46 AM
    • Marked as answer by RogerChen84 Sunday, July 10, 2016 10:48 PM
    Friday, July 8, 2016 5:16 AM
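    The request-and-assign sequence behind Holger's answer (subject = pool FQDN, the three FE FQDNs as SANs, one certificate shared by every pool member), written out in the Skype for Business Management Shell. This is an added example, not code from the thread or from Microsoft; the pool name sfbpool01.contoso.com, the hosts fe01..fe03, the C:\certs paths and the address fields are assumptions. Request-CsCertificate, Import-CsCertificate and Set-CsCertificate are the cmdlets the Deployment Wizard's certificate pages drive; the wizard is fine too, this just makes the three steps explicit.

```powershell
# Added example, not code from the thread: one public-CA certificate for a
# three-node Front End pool. Subject = pool FQDN, SANs = the three FE FQDNs
# (plus the names Request-CsCertificate derives from the topology).
# Pool name, server names, paths and the address fields are assumptions.
$PoolFqdn  = 'sfbpool01.contoso.com'
$FrontEnds = 'fe01.contoso.com', 'fe02.contoso.com', 'fe03.contoso.com'
$CsrPath   = 'C:\certs\sfbpool01.req'
$CerPath   = 'C:\certs\sfbpool01.cer'   # signed certificate returned by the public CA
$PfxPath   = 'C:\certs\sfbpool01.pfx'
$Types     = 'Default', 'WebServicesInternal', 'WebServicesExternal'

# 1. On fe01: build an offline CSR. Request-CsCertificate reads the topology and
#    puts the pool FQDN in the subject; -DomainName appends extra SANs, here the
#    three FE FQDNs. The key must be exportable, or fe02/fe03 cannot reuse it.
Request-CsCertificate -New -Type $Types -ComputerFqdn $FrontEnds[0] `
    -FriendlyName "SfB $PoolFqdn $(Get-Date -Format yyyy)" `
    -DomainName ($FrontEnds -join ',') -KeySize 2048 -PrivateKeyExportable $true `
    -Country US -State WA -City Redmond -Organization Contoso -OU IT `
    -Output $CsrPath

# 2. Submit $CsrPath to the CA. When the .cer comes back, import it on the SAME
#    server that generated the CSR so it pairs with the pending private key,
#    then assign it to the three services.
Import-CsCertificate -Path $CerPath -PrivateKeyExportable $true
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$PoolFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Set-CsCertificate -Type $Types -Thumbprint $cert.Thumbprint

# 3. Export with the private key and repeat import + assignment on fe02 and fe03.
$pfxPass = Read-Host -Prompt 'PFX password'
$secure  = ConvertTo-SecureString $pfxPass -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $secure | Out-Null

foreach ($fe in ($FrontEnds | Where-Object { $_ -ne $FrontEnds[0] })) {
    New-Item -ItemType Directory -Force "\\$fe\C$\certs" | Out-Null
    Copy-Item $PfxPath "\\$fe\C$\certs\"
    Invoke-Command -ComputerName $fe -ArgumentList $PfxPath, $pfxPass, $Types, $PoolFqdn -ScriptBlock {
        param($Path, $Password, $Types, $Pool)
        Import-Module SkypeForBusiness        # module name is 'Lync' on Lync Server
        Import-CsCertificate -Path $Path -Password $Password -PrivateKeyExportable $true
        $c = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "CN=$Pool*" -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
        Set-CsCertificate -Type $Types -Thumbprint $c.Thumbprint
    }
}
```

    Two things worth noting. The exportable private key is what makes "one certificate for the pool" possible at all: if step 1 is run with a non-exportable key, fe02 and fe03 can import the public certificate but never use it. And the PFX now holds the key for the whole pool, so treat the file and its password accordingly and delete the copies once the assignment is done. Edge servers are not covered here: they are not domain-joined, use different certificate types (AccessEdgeExternal and so on), and are handled locally on each Edge.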
  • Thanks, Holger.

    1. What is the best practice here: use one certificate across all FEs, or one certificate for each FE?

    I also suppose I should request a separate certificate for OAuth as well.

    Also, when I renew my Mediation certificates, can I do the same thing: one certificate across 2 Mediation servers?

    2. What I was trying to ask was: after renewing certificates on the Mediation/Edge pool, do I need to reboot the servers?

    Thanks a lot

    Friday, July 8, 2016 8:52 AM
  • Hi Roger,

    As Holger suggested, one certificate would be enough for your servers in the pool as long as you have the server names in the SAN entries; it is also easy to manage during renewal. The OAuth certificate is separate: you just need to request it once and it will get automatically replicated to the other servers as well. You can check the Get-CsCertificate command to confirm that the new certificate thumbprint got assigned to the services. At minimum a restart of the associated services is recommended, but, as is a general best practice any time a certificate is replaced in the Lync environment, a full reboot of the server sooner rather than later is also recommended for good measure. Also, request, import and assign certificates using the Lync Deployment Wizard.


    Linus || Please mark posts as answers/helpful if it answers your question.

    • Marked as answer by RogerChen84 Sunday, July 10, 2016 10:48 PM
    Friday, July 8, 2016 10:46 AM
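    The Get-CsCertificate check Linus mentions, carried a bit further as an added example (not code from the thread): it pulls the certificate assigned to the Default service on every member of the pool, confirms the SAN list covers the pool FQDN and all member FQDNs, flags anything close to expiry, checks that the thumbprint is the same everywhere, and then restarts the services one server at a time. The pool name sfbpool01.contoso.com, WinRM access to the Front Ends, and the SkypeForBusiness module name are assumptions.

```powershell
# Added example, not code from the thread: confirm that every Front End has the
# same Default certificate assigned, that its SANs cover the pool FQDN and all
# pool members, and that it is not about to expire; then restart the services
# one server at a time. Pool name and WinRM access to the FEs are assumptions.
$PoolFqdn = 'sfbpool01.contoso.com'
$WarnDays = 30

# Pool members from the topology (Computers holds the FE FQDNs).
$FrontEnds = (Get-CsPool -Identity $PoolFqdn).Computers

# Collect, from each FE, the certificate currently assigned to the Default service.
$results = foreach ($fe in $FrontEnds) {
    Invoke-Command -ComputerName $fe -ArgumentList $fe -ScriptBlock {
        param($Server)
        Import-Module SkypeForBusiness        # 'Lync' on Lync Server
        $assigned = Get-CsCertificate -Type Default
        $cert = Get-Item ('Cert:\LocalMachine\My\' + $assigned.Thumbprint)
        # SAN extension (OID 2.5.29.17); Format($false) returns
        # "DNS Name=sfbpool01.contoso.com, DNS Name=fe01.contoso.com, ..."
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sans = @()
        if ($sanExt) {
            $sans = @($sanExt.Format($false) -split ',\s*' |
                      ForEach-Object { ($_ -split '=')[-1].Trim() })
        }
        [pscustomobject]@{
            Server     = $Server
            Thumbprint = $assigned.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Sans       = $sans
        }
    }
}

# Every member must find the pool FQDN and all member FQDNs in the SAN list.
$expected = @($PoolFqdn) + $FrontEnds
foreach ($r in $results) {
    $missing  = @($expected | Where-Object { $r.Sans -notcontains $_ })
    $daysLeft = [int]($r.NotAfter - (Get-Date)).TotalDays
    $status = if ($missing.Count) { 'MISSING SAN: ' + ($missing -join ', ') }
              elseif ($daysLeft -lt $WarnDays) { "EXPIRES in $daysLeft days" }
              else { 'OK' }
    '{0,-24} {1}  {2}' -f $r.Server, $r.Thumbprint, $status
}

# After a renewal all members should be on the same thumbprint.
$distinct = @($results.Thumbprint | Sort-Object -Unique)
if ($distinct.Count -ne 1) {
    Write-Warning "Pool members are not on the same certificate: $($distinct -join ', ')"
}

# Restart services so the new certificate is used. One FE at a time: in a
# three-node pool stopping all of them together takes the pool down.
foreach ($fe in $FrontEnds) {
    Invoke-Command -ComputerName $fe -ScriptBlock {
        Import-Module SkypeForBusiness
        Stop-CsWindowsService -Graceful
        Start-CsWindowsService
    }
}
```

    The SAN comparison is the part that catches the mistake the original question worries about: a certificate whose subject is the pool name but whose SAN list is missing one member's FQDN will validate fine on two servers and fail on the third. The sequential restart matters for the same reason a three-node pool exists; a graceful stop on all members at once drops the pool below quorum. Edge servers are not domain-joined, so run the same Get-CsCertificate and Stop/Start-CsWindowsService steps locally on each Edge rather than over Invoke-Command, and follow Linus's advice about a full reboot once the services are confirmed up.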