Lync SSL certificates (One SAN for Edge and Frontend?)

  • Question

  • I'm in the process of generating public SSL certificates for our enterprise Lync environment. We are running a pool of frontend servers, edge servers, mediation servers, and director servers.

    My question is can I generate one UCC SAN with like 10 domains and use them for all the servers that need it or will I have to have one SAN for like the Edge servers, one SAN for the front-end servers, and one for the director servers?

    Thursday, February 13, 2014 6:49 PM

Answers

  • You can use one big certificate, but you may want a different subject name for different roles (specifically between the edge and front end). Many third party cert authorities will allow you to reissue another copy of the cert to do this as long as the names inside the cert don't change.

    For the front end, you'll want the common name (or subject name) to be the pool name:

    http://technet.microsoft.com/en-us/library/gg398094.aspx

    For the edge, you'll want the access edge name as the subject name.

    http://technet.microsoft.com/en-us/library/gg398920.aspx


    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer". SWC Unified Communications


    • Edited by Anthony Caragol MVP Thursday, February 13, 2014 7:17 PM
    • Proposed as answer by Georg Thomas Thursday, February 13, 2014 7:27 PM
    • Marked as answer by Quadrantids Thursday, February 13, 2014 8:32 PM
    Thursday, February 13, 2014 7:17 PM

All replies

  • Yeah, we are using GoDaddy, and it doesn't seem like you can change the subject name even if it is in the subject alternative name. I just spoke with them.

    Do you know a good one off the top of your head that will allow this?

    It seems like with GoDaddy I will have to order 3 separate SAN certificates just because they don't allow the subject name to change to one of the SAN names and a SAN name to change to the subject name without rekeying and revoking the old certificate.

    Thursday, February 13, 2014 7:24 PM
  • DigiCert does this I believe, but the extra cost might make it more in the end.

    Thursday, February 13, 2014 7:25 PM
  • To be clear, I'd suggest this instead:

    Use an internal certificate authority for the front end and director.

    Get a single cert for your edge, with the meet.domain.com, lyncdiscover.domain.com, etc. simple URLs in it.

    Use the same edge cert for your reverse proxy back to the internal boxes.

    It will save a bit of money and allow you to be more flexible internally.


    Thursday, February 13, 2014 7:29 PM
  • I am using an internal SSL for all internal services. External is what I was a little confused about.

    When I went to each server, this is what the request auto-populated:

    Front End:

    web.domain.com (common)
    dialin.domain.com
    meet.domain.com
    Lyncdiscover.domain.com

    Edge:
    sip.domain.com (common)
    webconf.domain.com
    domain.com

    Director:

    webdir.domain.com (common)
    dialin.domain.com
    meet.domain.com
    lyncdiscover.domain.com

    So I was thinking I had to have three certificates (if I went with GoDaddy) because I cannot change the common name.

    Thursday, February 13, 2014 7:32 PM
  • Keep using internal certs for the front end and director pools. You'll need to publish these externally, but do that through a reverse proxy. When you're proxying web traffic externally to the front end, it won't matter what your common name is as long as the FQDNs are SANs in the cert.

    Thursday, February 13, 2014 7:35 PM
  • Agree with Anthony about using an internal CA for internal roles and using the same public CA issued cert for your Edge/Reverse proxy boxes. Just remember to drop the root certificate for your internal CA on the non-domain joined boxes (reverse proxy/edge) to prevent any certificate trust issues.

    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer" | Blog www.lynced.com.au | Twitter @imlynced

    Thursday, February 13, 2014 7:35 PM
  • I probably should have mentioned this earlier, but this is for the Lync 2013 Hosting Pack. I don't believe this makes any difference because it is pretty much like an on-premises deployment and not like the Lync 2010 Hosting Pack was. Everything from outside still goes through the edge.
    Thursday, February 13, 2014 7:48 PM
  • That's fine, this should all still be valid.

    Thursday, February 13, 2014 7:56 PM
  • Great! So I'm going to find one that I can change the common name on without revoking the certificate.

    So just to verify for external SSL (sorry to be a pain):

    Domains:
    web.domain.com
    dialin.domain.com
    meet.domain.com
    lyncdiscover.domain.com
    sip.domain.com
    webconf.domain.com

    Front end common name
    web.domain.com

    Director common name
    webdir.domain.com

    Edge common name
    sip.domain.com

    So I have one certificate and I'm just changing the common name (which doesn't cost money).

    Thursday, February 13, 2014 7:59 PM
  • Wait, rereading your first post, it doesn't matter if it's the common name as long as it's in the subject name.
    Thursday, February 13, 2014 8:14 PM
  • It does matter, but if you use internal certs on the front end and directors, then only the edge and reverse proxy will need the third party. Of the edge and reverse proxy, only the edge cares about the subject name. So you're down to one cert.

    Thursday, February 13, 2014 8:25 PM
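The two points made above (behind the reverse proxy the common name is irrelevant as long as every FQDN is a SAN, while the Edge still wants the access edge name as its subject) can be checked against a planned certificate before ordering it. The following script is an added example, not code from the thread or from Microsoft: it implements RFC 6125 hostname matching (SAN entries win, the CN is only consulted when no dNSName SAN exists, wildcards only as a whole left-most label), then checks the name lists posted in this thread against a constructed certificate plan. The `domain.com` names, the `PUBLIC_CERT` dictionary and the helper names are constructed for illustration.

```python
"""Check a planned public certificate against the names each Lync role needs.

Hostname matching follows RFC 6125 section 6.4: if the certificate carries
dNSName subjectAltName (SAN) entries, only those are compared and the subject
common name (CN) is ignored; the CN is consulted only when there are no
dNSName SANs. A wildcard is honoured only as the complete left-most label.
The Lync requirement that the Edge present a specific subject name is
modelled separately as a required CN.
"""

# Constructed certificate plan (not a real certificate): the external names
# listed in the thread plus the bare domain from the Edge request.
PUBLIC_CERT = {
    "subject_cn": "sip.domain.com",
    "san": [
        "sip.domain.com", "webconf.domain.com", "domain.com",
        "web.domain.com", "dialin.domain.com", "meet.domain.com",
        "lyncdiscover.domain.com",
    ],
}

# Names each role's certificate request asked for, as posted in the thread.
ROLE_NAMES = {
    "front_end": ["web.domain.com", "dialin.domain.com",
                  "meet.domain.com", "lyncdiscover.domain.com"],
    "edge": ["sip.domain.com", "webconf.domain.com", "domain.com"],
    "director": ["webdir.domain.com", "dialin.domain.com",
                 "meet.domain.com", "lyncdiscover.domain.com"],
}


def _normalise(name):
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.strip().lower().rstrip(".")


def hostname_matches(pattern, hostname):
    """RFC 6125 style comparison of one presented identifier to a hostname."""
    pattern, hostname = _normalise(pattern), _normalise(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole left-most label, appear once, and leave at
    # least two labels to its right (so "*.com" never matches anything).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    """True if a client validating `hostname` would accept this certificate.

    With dNSName SANs present the CN is not consulted at all, which is why a
    name that appears only in the CN of a SAN certificate fails validation.
    """
    sans = cert.get("san") or []
    if sans:
        return any(hostname_matches(s, hostname) for s in sans)
    return hostname_matches(cert["subject_cn"], hostname)


def check_role(cert, required_names, required_cn=None):
    """Report names the cert does not cover and whether a required CN is met.

    required_cn=None models the reverse-proxy case from the thread: only SAN
    coverage matters. Pass the access edge FQDN for the Edge role, where Lync
    expects that exact subject name.
    """
    missing = [n for n in required_names if not cert_covers(cert, n)]
    cn_ok = (required_cn is None
             or _normalise(cert["subject_cn"]) == _normalise(required_cn))
    return {"missing": missing, "cn_ok": cn_ok}


def plan_report(cert=PUBLIC_CERT):
    """Evaluate the thread's final design: Edge on the public cert, Front End
    and Director reached from outside only through the reverse proxy."""
    return {
        "edge": check_role(cert, ROLE_NAMES["edge"], required_cn="sip.domain.com"),
        "front_end_via_proxy": check_role(cert, ROLE_NAMES["front_end"]),
        "director_via_proxy": check_role(cert, ROLE_NAMES["director"]),
    }


if __name__ == "__main__":
    for role, result in plan_report().items():
        status = "OK" if not result["missing"] and result["cn_ok"] else "PROBLEM"
        print(f"{role:20s} {status}  missing={result['missing']} cn_ok={result['cn_ok']}")
```

Running it flags `webdir.domain.com` as missing for the Director, because the poster's final domain list left it out, and shows that the same certificate would fail the Front End's CN check only if the Front End itself had to present it rather than the reverse proxy. Add `webdir.domain.com` to the SAN list and every role passes with a single certificate.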
  • Ahhh! Thank you! Sorry I wasn't catching on quick enough :-\
    Thursday, February 13, 2014 8:32 PM
  • Nah, it's confusing the first time.  Come back if you hit any issues!

    Thursday, February 13, 2014 8:42 PM