What will be the right certificates to buy ?

  • Question

  • Hi All,

    I have been stuck for some time and unable to decide which type of SSL certificate to buy. As per my understanding, the requirement for SFB is a SAN SSL certificate; however, I noticed there are many domain names required to be used as Subject Alternative Names and I am unsure how they communicate with each other during the certificate authentication process.

    With the cost involvement, 

    Below is my scenario of Skype for Business server deployment.

    • Single Standard Edition SFB Server (sfb.contoso.com, meet.contoso.com, dialin.contoso.com & etc)
    • (internal mapped using sfb.contoso.local)
    • Exchange Server (mail.contoso.com)
    • (internal mapped using mail.contoso.local)
    • However, I only own single domain name which is contoso.com & many subdomain
    • Single CA server hosted at internal AD server to manage all the certificate for all the servers (including Skype for Business Server, Exchange & etc)
    • Need to federate on-premise Skype for Business Server with Skype Server & O365 Server

    Currently most of my internal servers are using Self-Signed certificates including Skype for Business Server.

    Need advice on the above how do I decide which & how many types of SSL certificates to buy. My budget is quite limited, need to make the very minimal purchase for my deployment to work.

    Thanks & Regards.

    Friday, November 3, 2017 6:23 AM

All replies

  • Hi Dennis,

    Depending on your security requirement, you can request a separate certificate for each service.

    I would recommend one certificate for the edge server and one for the proxy.

    edgeserver

    CN=sip.contoso.com

    SAN=sip.contoso.com,webconf.contoso.com,access.contoso.com

    proxy

    CN=mail.contoso.com

    SAN=mail.contoso.com,meet.contoso.com,dialin.contoso.com,sfb.contoso.com,lyncdiscover.contoso.com

    This should work for your scenario


    regards Holger Technical Specialist UC

    • Proposed as answer by Alice-Wang Monday, November 6, 2017 6:00 AM
    Saturday, November 4, 2017 12:38 AM
  • Hi Dennis Oo,

    Agree with Holger.

    Because the Edge server is the required component for external access, you need to assign a public certificate to the Edge server, as Holger mentioned.

    For your SFB SE server, you could use the certificate assigned by internal CA.

    I will share a document about the certificate for Edge server and Reverse Proxy, it’s similar to SFB server 2015
    https://technet.microsoft.com/en-us/library/gg398920(v=ocs.15).aspx
    https://technet.microsoft.com/en-us/library/gg398519(v=ocs.15).aspx
    https://technet.microsoft.com/en-us/library/gg429704(v=ocs.15).aspx

    Hope this reply is helpful to you.


    Regards,

    Alice Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Alice-Wang Tuesday, November 7, 2017 7:54 AM
    • Unproposed as answer by Alice-Wang Monday, November 13, 2017 9:22 AM
    • Proposed as answer by Alice-Wang Monday, November 13, 2017 9:22 AM
    • Marked as answer by Dennis Oo Saturday, April 28, 2018 3:32 PM
    Monday, November 6, 2017 6:12 AM
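
A way to check the SAN layout proposed in the replies above against the names in the question, as an added example that is not part of any poster's reply. It maps each required FQDN to the certificate whose SAN list covers it and sets aside the `.local` names, which a public CA will not issue and which therefore belong on the internal CA certificate; the host names are the ones in the thread, while the function names and the wildcard handling are assumptions of the example.

```python
# Added example; host names come from the thread, function names are hypothetical.
# SAN lists as proposed in Holger's reply (one public certificate per role).
CERTS = {
    "edge": ["sip.contoso.com", "webconf.contoso.com", "access.contoso.com"],
    "proxy": ["mail.contoso.com", "meet.contoso.com", "dialin.contoso.com",
              "sfb.contoso.com", "lyncdiscover.contoso.com"],
}
# Names that clients and federation partners connect to, from the question and replies.
REQUIRED = ["sip.contoso.com", "webconf.contoso.com", "access.contoso.com",
            "sfb.contoso.com", "meet.contoso.com", "dialin.contoso.com",
            "lyncdiscover.contoso.com", "mail.contoso.com",
            "sfb.contoso.local", "mail.contoso.local"]


def san_matches(san, host):
    """Exact match, or a '*.' SAN covering exactly one left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host


def is_internal(host):
    """.local is not publicly resolvable; public CAs do not issue for such names."""
    return host.lower().rstrip(".").endswith(".local")


def audit(required, certs):
    """Map each required name to the certificates covering it and report gaps."""
    covered = {h: [c for c, sans in certs.items()
                   if any(san_matches(s, h) for s in sans)] for h in required}
    return {
        "internal_ca": [h for h in required if is_internal(h)],
        "missing": [h for h in required if not is_internal(h) and not covered[h]],
        "duplicated": [h for h in required if len(covered[h]) > 1],
        "public_certs": sorted({c for cs in covered.values() for c in cs}),
    }


if __name__ == "__main__":
    for key, value in audit(REQUIRED, CERTS).items():
        print(f"{key}: {value}")
```

An empty `missing` list means every public name is on one of the purchased certificates; anything under `internal_ca` has to come from the internal CA instead.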
  • Hi dennis,

    Is there any update about this issue?

    If the reply is helpful to you, please mark it as an answer; it will help others who have a similar issue, thanks.


    Regards,

    Alice Wang



    • Proposed as answer by Alice-Wang Thursday, November 9, 2017 9:08 AM
    • Unproposed as answer by Alice-Wang Monday, November 27, 2017 9:58 AM
    • Proposed as answer by Alice-Wang Monday, November 27, 2017 9:58 AM
    Tuesday, November 7, 2017 7:55 AM
  • Hi Alice,

    Thank you for the reply.

    I just realized that this thread was replied to.

    I did subscribe to the thread to be updated via email.

    But strangely I'm not receiving the notification.

    I'll mark it down and do some followup.

    Any updates, I'll post up here.

    Thanks & Regards.

    Saturday, April 28, 2018 3:30 PM
  • Hi Holger,

    Based on your reply.

    How do I know exactly how many certificates I need to buy ?

    Need more details on the calculation of certificate & how the SAN mapping is done.

    Thanks & Regards.

    Saturday, April 28, 2018 3:33 PM