Public Key Infrastructure for Lync Server 2010
Topic Last Modified: 2012-10-14
Microsoft Lync Server 2010 relies on certificates for server authentication and to establish a chain of trust between clients and servers and among the different server roles. The Windows Server 2008, Windows Server 2008 R2, and Windows Server 2003 public key infrastructure (PKI) provides the infrastructure for establishing and validating this chain of trust.
Certificates are digital IDs. They identify a server by name and specify its properties. To ensure that the information on a certificate is valid, the certificate must be issued by a CA that is trusted by clients or other servers that connect to the server. If the server connects only with other clients and servers on a private network, the CA can be an enterprise CA. If the server interacts with entities outside the private network, a public CA might be required.
Even if the information on the certificate is valid, there must be some way to verify that the server presenting the certificate is actually the one represented by the certificate. This is where the Windows PKI comes in.
Each certificate is linked to a public key. The server named on the certificate holds a corresponding private key that only it knows. A connecting client or server uses the public key to encrypt a random piece of information and sends it to the server. If the server decrypts the information and returns it as plain text, the connecting entity can be sure that the server holds the private key to the certificate and therefore is the server named on the certificate.
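The following PowerShell script is an added illustration of the exchange described in the preceding paragraph; it is not part of this topic or of Lync Server. It stands in a freshly generated RSA key pair for the server's certificate key, has the connecting party encrypt a random value to the public half, and checks that only the holder of the private half can return it. The function names (New-ServerKeyPair, Get-PublicKeyCopy, Invoke-ProofOfPossession) are invented for the example. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, or PowerShell 7, where [System.Security.Cryptography.RSA]::Create() supports OAEP with SHA-256.

```powershell
# Added example (not Lync Server code): proof that a server holds the private key
# matching the public key in its certificate, modelled on the text above.
# In a real deployment the private key stays in the server's certificate store.

function New-ServerKeyPair {
    # Stand-in for the key pair behind a server certificate (default 2048-bit RSA)
    return [System.Security.Cryptography.RSA]::Create()
}

function Get-PublicKeyCopy {
    param([System.Security.Cryptography.RSA]$ServerKey)
    # What a connecting client or server learns from the certificate: public parameters only
    $pub = [System.Security.Cryptography.RSA]::Create()
    $pub.ImportParameters($ServerKey.ExportParameters($false))
    return $pub
}

function Invoke-ProofOfPossession {
    param(
        [System.Security.Cryptography.RSA]$ClientPublicKey,
        [System.Security.Cryptography.RSA]$ServerPrivateKey
    )
    $padding = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

    # Connecting side: encrypt a random 32-byte value to the certificate's public key
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    $challenge = $ClientPublicKey.Encrypt($nonce, $padding)

    # Server side: only the private-key holder can recover the value
    $response = $ServerPrivateKey.Decrypt($challenge, $padding)

    # Connecting side: the returned value must match byte for byte
    return ([BitConverter]::ToString($nonce) -eq [BitConverter]::ToString($response))
}

$serverKey  = New-ServerKeyPair
$clientView = Get-PublicKeyCopy -ServerKey $serverKey
"Server holds the private key: $(Invoke-ProofOfPossession -ClientPublicKey $clientView -ServerPrivateKey $serverKey)"

# A party presenting the same certificate without the private key cannot answer:
# decryption with an unrelated key fails the OAEP padding check and throws.
$otherKey = New-ServerKeyPair
try {
    Invoke-ProofOfPossession -ClientPublicKey $clientView -ServerPrivateKey $otherKey | Out-Null
    "Unexpected: challenge answered without the matching private key"
} catch {
    "Challenge could not be answered without the matching private key: $($_.Exception.GetType().Name)"
}
```

In TLS and MTLS this proof is carried out inside the handshake rather than as a separate application-level exchange, but the property being checked is the one the paragraph describes: possession of the private key that corresponds to the certificate's public key.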
Note: Not all public CAs comply with the requirements of Lync Server 2010 certificates. We recommend that you refer to the listing of certified Public CA vendors for your public certificate needs. For details, see Microsoft Knowledge Base article 929395, "Unified Communications Certificate Partners," at http://go.microsoft.com/fwlink/p/?linkid=3052&kbid=929395.
CRL Distribution Points
Lync Server 2010 requires all server certificates to contain one or more Certificate Revocation List (CRL) distribution points. CRL distribution points (CDPs) are locations from which CRLs can be downloaded for purposes of verifying that the certificate has not been revoked since the time it was issued and the certificate is still within the validity period. A CRL distribution point is noted in the properties of the certificate as a URL, and is typically secure HTTP.
Enhanced Key Usage
Lync Server 2010 requires all server certificates to support Enhanced Key Usage (EKU) for the purpose of server authentication. Configuring the EKU field for server authentication means that the certificate is valid for the purpose of authenticating servers. This EKU is essential for MTLS. It is possible to have more than one entry in the EKU, enabling the certificate for more than one purpose.
The Client Authentication EKU was required for outbound MTLS connections from Live Communications Server 2003 and Live Communications Server 2005, but Lync Server 2010 no longer requires it. However, this EKU must still be present on Edge Servers that connect to AOL by means of public IM connectivity.
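The following PowerShell script is an added example covering both the CRL distribution point and the Enhanced Key Usage requirements above; it is not part of this topic or of Lync Server. It reads each certificate in the local computer's personal store and reports whether the CDP extension (OID 2.5.29.31) is present with its URLs, and whether the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) and Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) are present. The function name Test-LyncCertificateRequirements is invented for the example, and the script assumes it is run with rights to read the Cert:\LocalMachine\My store.

```powershell
# Added example (not Lync Server code): check server certificates for the
# properties required by Lync Server 2010 (CDP present, Server Authentication EKU present).

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$CdpOid        = '2.5.29.31'           # CRL Distribution Points extension

function Test-LyncCertificateRequirements {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Collect the EKU OIDs, if the extension exists at all
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # The CDP extension has no dedicated .NET class; Format() renders it as text,
    # from which the distribution point URLs are extracted
    $cdpExt  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    $cdpText = if ($cdpExt) { $cdpExt.Format($true) } else { '' }
    $cdpUrls = @([regex]::Matches($cdpText, 'https?://\S+') | ForEach-Object { $_.Value })

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        Thumbprint       = $Certificate.Thumbprint
        NotAfter         = $Certificate.NotAfter
        HasPrivateKey    = $Certificate.HasPrivateKey
        HasCdp           = [bool]$cdpExt
        CdpUrls          = $cdpUrls
        HasServerAuthEku = ($ekuOids -contains $ServerAuthOid)
        HasClientAuthEku = ($ekuOids -contains $ClientAuthOid)
    }
}

# Report every certificate in the local computer's personal store, flagging those
# that fail either requirement
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LyncCertificateRequirements -Certificate $_ } |
    Select-Object Subject, NotAfter, HasPrivateKey, HasCdp, HasServerAuthEku, HasClientAuthEku,
                  @{ Name = 'MeetsRequirements'; Expression = { $_.HasCdp -and $_.HasServerAuthEku } } |
    Format-Table -AutoSize
```

A certificate that shows HasCdp or HasServerAuthEku as False should not be assigned to a Lync Server role; HasClientAuthEku only needs to be True on Edge Servers that use public IM connectivity to AOL, as the text notes. The script reports what the certificate claims, not whether the CDP URLs are actually reachable from the server, so a follow-up check of CRL download from the server's network location is still worthwhile.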