locked
Certificate Renewal and Issues RRS feed

  • Question

  • My Certificate renewal is coming up and I just want to verify one I am doing things right and two I found an issue I need to get corrected with the certificates.

    1. I opened the Deployment Wizard and went to "Install or Update Lync Server System" Then I clicked on "Run Again" under "Request, Install, or Assign Certificates". I walk through the process of the request and add the following domains to the request:

    access.domain.com
    www.access.domain.com
    meet.domain.com
    ucupdates-r2.domain.com
    domain.com
    lswebext01.domain.com
    sip.domain.com
    webconf.domain.com
    lswebext02.domain.com
    lyncdiscover.domain.com
    dialin.domain.com

    The problem is when I get done and decode the request to make sure it looks like the initial one we did during install last year the common name last year was access.domain.com and this year it is lswebext01.domain.com does that make a difference? Do I check make exportable?

    2. We have two "Lync in a Box" devices. I was told during the install that the second one was not really functioning as any kind of fail over or load balancer. I found out different from another company which I have been trying to get approval for paid support from. While going over the Certificate Renewal process and documenting it. I found that the second box has the internal self signed certificate installed on the "Web Service External" I also noticed the LyncFileShare is not the same. What is the process for getting the external certificate fixed once I renew it? Could this be causing some of my issues?


    • Edited by Dbrill Monday, February 8, 2016 4:01 PM grammer
    Monday, February 8, 2016 3:41 PM

Answers

  • I got this working. I had to make the request on the edge server then export to all the other servers and it worked.
    • Marked as answer by Eric_YangK Sunday, February 14, 2016 11:59 AM
    Friday, February 12, 2016 3:49 PM

All replies

  • Hm, You have one internal Lync Server and no Lync Edge server?

    You need one internal certificate for your internal services and one publich certificate for your external services for Edge and reverse proxy.

    You can use one public certificate for your reverse proxy and edge. You can always use the deployment wizzard on the Lync server for the internal certificate and the deploymnet wizzard on the Lync edge server. On the Lync edge server you enbale the export option to export the certificate for your reverse proxy.


    regards Holger Technical Specialist UC

    • Proposed as answer by Eric_YangK Tuesday, February 9, 2016 2:28 AM
    Monday, February 8, 2016 4:27 PM
  • Yes, sorry I have the internal web interface using the internal CA. I was just worrying about the Edge server at this point. The internal is not expiring yet. The External is what I am trying to renew now and found the second Edge server and Reverse Proxy are not using the "External" CA cert.
    Monday, February 8, 2016 4:46 PM
  • Ok, Sorry your right I looked that the edger servers and it is correct it has the cert but the front end servers one has the External CA cert for the external interface and the other us using the internal CA for the external interface.
    Monday, February 8, 2016 5:02 PM
  • Hi Dbrill,

     

    You should only use the Public certificate for the Edge external interface and Reverse Proxy, all other Lync Servers should use the private certificates issued from your internal CA.

    In addition, if you decide to use one Public certificate for both the Edge and Reverse Proxy, the common name of this certificate should be the Access Edge service external interface fully qualified domain name.

     

    Best regards,

    Eric


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, February 9, 2016 2:38 AM
  • I have followed the steps provided by many websites and made sure I checked the certificate as exportable private keys. But when I import it the certificate one it says success two it does not show up in the assign window... I went in to certmgr and installed it there into the personal folder of the computer account. installs just fine I can not assign after that nor can I export the private keys. Not sure what I am doing wrong but I am sure I am. I downloaded the IIS version from GOdaddy. Any Ideas?

    I made the request from the Deployment wizard on the front end server. What certificates get installed on the FE server? I have one that has the godaddy cert and one that does not. I know I need the godaddy on the edge external interface and the reverse proxy but I am unclear about the FE.
    Wednesday, February 10, 2016 3:24 PM
  • I got this working. I had to make the request on the edge server then export to all the other servers and it worked.
    • Marked as answer by Eric_YangK Sunday, February 14, 2016 11:59 AM
    Friday, February 12, 2016 3:49 PM