Configuring Certificates for Standard Edition Servers
Topic Last Modified: 2011-10-28
When you run the Certificate Wizard, ensure that you are logged in using an account that is a member of a group that has been assigned the appropriate permissions for the type of certificate template you will use. By default, a Lync Server certificate request will use the Web Server certificate template. If you use an account that is a member of the RTCUniversalServerAdmins group to request a certificate using this template, verify that the group has been assigned the Enroll permissions required to use that template.
To successfully complete this procedure you should be logged in as a user who is a member of the RTCUniversalServerAdmins group or have the correct permissions delegated. For details, see Delegate Setup Permissions. Depending on your organization and requirements for requesting certificates, you may require other group memberships. Consult with the group that manages your public key infrastructure (PKI) certification authority (CA).
Lync Server 2010 support includes support for SHA-256 certificates for connections from clients running the Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7 operating systems, in addition to Lync 2010 Phone Edition. To support external access using SHA-256, the external certificate is issued by a public CA using SHA-256.
Servers running Lync Server 2010, Standard Edition require three certificates, a default certificate, a web internal certificate, and a web external certificate. For details about the certificate requirements, see Certificate Requirements for Internal Servers in the Planning documentation. Use the following procedure to request, assign, and install the Standard Edition server certificates.
The following procedure describes how to configure certificates from an internal enterprise root CA deployed by your organization and with offline request processing. For information about obtaining certificates from a public CA, see Certificate Requirements for Internal Servers in the Planning documentation. Also, this procedure describes how to request, assign, and install certificates during setup of a Standard Edition server. If you requested certificates in advance, as described in the Request Certificates in Advance (Optional) section of this Deployment documentation or do not use an internal enterprise root CA deployed in your organization to obtain certificates, you must modify this procedure as appropriate.
To configure certificates for a Standard Edition server
In the Lync Server Deployment Wizard, click Run next to Step 3: Request, Install or Assign Certificates.
On the Certificate Wizard page, click Request.
On the Certificate Request page, click Next.
On the Delayed or Immediate Requests page, accept the default Send the request immediately option by clicking Next.
On the Choose a certificate Authority (CA) page, you will be presented with the name of the first CA in your environment that is detected. You can select this CA, or you can select another detected CA in your organization from the Certificate Authority list, and then click Next.
On the Certificate Authority Account page, you are prompted for credentials to request and process the certificate request at the CA. You should have determined if a user name and password is necessary to request a certificate in advance. Your CA administrator will have the required information and may have to assist you in this step. If you need to supply alternate credentials, select the check box, provide a user name and password in the text boxes, and then click Next.
On the Specify Alternate Certificate Template page, to use the default Web Server template, click Next.
If your organization has created a template for use as an alternative for the default Web server CA template, select the check box, and then enter the name of the alternate template. You will need the template name as defined by the CA administrator.
On the Name and Security Settings page, specify a Friendly Name that should allow you to identify the certificate and purpose. If you leave it blank, a name will be generated automatically. Set the Bit length of the key, or accept the default of 2048 bits. Select the Mark the certificate’s private key as exportable if you determine that the certificate and private key needs to be moved or copied to other systems, and then click by clicking Next. This name should contain a reference to the computer or purpose. If you leave it blank, a name will be generated automatically.
Lync Server 2010 has minimal requirements for an exportable private key. One such place is on the Edge Servers in a pool, where the Media Relay Authentication Service uses copies of the certificate, rather than individual certificates for each instance in the pool.
On the Organization Information page, optionally enter organization information, and then click Next.
On the Geographical Information page, optionally enter geographical information, and then click Next.
On the Subject Name / Subject Alternate Names page, review the subject alternative names that will be added, and then click Next.
On the SIP Domain setting page, select the SIP Domain check box, and then click Next.
On the Configure Additional Subject Alternate Names page, add any additional required subject alternative names, including any that you think might be required for additional SIP domains in the future, and then click Next.
On the Certificate Request Summary page, confirm that the information on the summary screen is correct, and then click Next.
On the Executing Commands page, click Next.
On the Online Certificate Request Status page, click Finish.
On the Certificate Assignment page, click Next. Optionally, you can view the certificate by double-clicking the certificate in the list. You might want to do this to confirm that what you believe you requested is what was actually received from the CA. In particular, confirm the subject name, the subject alternative names, and that there is a private key associated with the certificate.
On the Certificate Assignment Summary page, click Next.
On the Executing Commands page, click Finish.
On the Certificate Wizard page, click Close.