Certificate question

  • Question

  • This is my first Skype deployment. 

    Skype for business 2015, Server 2016.

    I don't have an internal CA.

    For SIP domains, I have contoso.local.

    The external URL is name.contoso.com

    Will the internal URLs be visible on the certificate outside of the organization?

    When I publish a certificate, will it show the servername.contoso.local or name.contoso.com?

    Should I add name.contoso.com to the SIP domains in the topology builder?

    When I create the certificate, I'll have to submit it to a 3rd party CA myself or is it part of the installer? Is there a cost?

    Thanks

    Tuesday, November 19, 2019 5:01 AM

All replies

  • Hi Susan773!

    Question 1: Will the internal URLs be visible on the certificate outside of the organization?

    By default, the internal URL can’t be visible on the certificate outside of the organization; it was used for internal access.

    Question 2: When I publish a certificate, will it show the servername.contoso.local or name.contoso.com?

    In the Front End Server, the certificate requires you to have all SANs listed for each web service and real time service in addition to server or pool names. Actual requirements depend on whether you are deploying a Standard Edition Front End server or an Enterprise Edition Pool.

    Question 3: Should I add name.contoso.com to the SIP domains in the topology builder?

    Is contoso.com your external domain? If it is, you can add it to additional supported domains in Skype for Business Topology Builder. More than one SIP domain can exist at a time.

    Question 4: When I create the certificate, I'll have to submit it to a 3rd party CA myself or is it part of the installer? Is there a cost?

    If you want to create the certificate, you can use MMC to complete it. The following article shows how to do it.

    https://help.incontact.com/17.1/Content/inContactConnectorSkypeForBusiness/CreateaCertificateinSkypeforBusinessServerUsingMMC.htm

    For more details about Skype for Business deployment and certificate requirements, you can refer to the following articles:

    http://blog.schertz.name/2015/06/sfb2015deploy1/

    http://blog.schertz.name/2015/06/sfb2015deploy2/

    https://commsverse.blog/2015/08/29/skype-for-business-certificate-requirements-the-definitive-guide/

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    Best Regards,
    Jimmy Yang

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.
    Tuesday, November 19, 2019 9:37 AM
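
An added example, not part of any post in this thread: one way to see which DNS names a certificate carries in its Subject Alternative Name extension and which of them sit under an internal-only suffix. The function name `Get-SanExposure`, the `.local` default suffix and the throwaway sample certificate are assumptions made for illustration, and the `DNS Name=` label assumes an English-locale Windows host.

```powershell
function Get-SanExposure {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Assumption: suffixes that resolve only in internal DNS
        # (contoso.local is the thread's example domain).
        [string[]]$InternalSuffix = @('.local')
    )

    # 2.5.29.17 is the OID of the subjectAltName extension.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }   # certificate has no SAN extension

    # Format($true) returns one entry per line, e.g. "DNS Name=name.contoso.com".
    foreach ($line in ($san.Format($true) -split '\r?\n')) {
        if ($line -match '^\s*DNS Name=(.+?)\s*$') {
            $name = $Matches[1]
            $internal = $false
            foreach ($suffix in $InternalSuffix) {
                if ($name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $internal = $true
                }
            }
            [pscustomobject]@{ DnsName = $name; InternalOnly = $internal }
        }
    }
}

# Constructed sample: a throwaway certificate in the current user's store,
# created only so the function has something to inspect offline.
$sample = New-SelfSignedCertificate `
    -DnsName 'name.contoso.com', 'servername.contoso.local' `
    -CertStoreLocation 'Cert:\CurrentUser\My'
try {
    Get-SanExposure -Certificate $sample | Format-Table -AutoSize
}
finally {
    # Remove the sample certificate and its private key again.
    Remove-Item -Path "Cert:\CurrentUser\My\$($sample.Thumbprint)" -DeleteKey
}
```

To inspect certificates already installed on a server, pipe the store contents through the function instead of the sample, for example `Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Get-SanExposure -Certificate $_ }`.
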
  • Thanks for the response.

    Should I re-publish my topology and internal DNS using only external domain URLs to avoid the internal URLs from being visible in the certificate? In topology builder, download existing topology, change URLs, publish?

    When trying to make a certificate in the MMC, I am unable to as I have no certificate types available.

    So I do need a SAN certificate signed by an external CA for Skype to work and there are no self-signed options available like in Exchange?

    In the 2 links for the setup, is jdskype.net their internal or external domain name?

    If I need a paid SAN, can I use the same one I use for Exchange to save cost? Exchange would be mail.contoso.com and autodiscover.contoso.com. Skype would be nametba.contoso.com. Would pool.contoso.com, etc. need to be in the certificate as well?

    If I were to set up a server with the AD CS role, would that be able to generate a SAN for Exchange and Skype? I have not used that role before.


    • Edited by Susan_773 Tuesday, November 19, 2019 3:57 PM
    Tuesday, November 19, 2019 2:51 PM
  • Hi Susan773!

    Question 1: Should I re-publish my topology and internal DNS using only external domain URLs to avoid the internal URLs from being visible in the certificate? In topology builder, download existing topology, change URLs, publish?

    In my experience, this operation is executable.

    The following link covers requesting/renewing Skype for Business Server 2015 certificates:

    https://blogs.technet.microsoft.com/uclobby/2015/05/15/renewing-skype-for-business-server-2015-certificates/

    Question 2: So I do need a SAN certificate signed by an external CA for Skype to work and there are no self-signed options available like in Exchange?

    In my research, when you install a new Exchange server it comes pre-configured with a self-signed certificate, but in Skype for Business Server there are no self-signed options available like in Exchange.

    Question 3: In the 2 links for the setup, is jdskype.net their internal or external domain name?

    The jdskype.net is the internal domain name in the 2 links for the setup.

    Question 4: If I were to set up a server with the AD CS role, would that be able to generate a SAN for Exchange and Skype? I have not used that role before.

    From your description, you have not used the AD CS role before. We highly recommend you add this role before Skype for Business Server deployment. For more details about adding the AD CS role, you can refer to the following link:

    https://www.virtuallyboring.com/setup-microsoft-active-directory-certificate-services-ad-cs/

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    Best Regards,
    Jimmy Yang

    Friday, November 22, 2019 8:50 AM
  • Hi,
    Is there any update on this case?
    Please feel free to drop us a note if there is any update.
    Have a nice day!

    Best Regards,
    Jimmy Yang

    Wednesday, December 4, 2019 11:30 AM