Public Key Infrastructure for Lync Server 2013

Topic Last Modified: 2013-11-13

Microsoft Lync Server 2013 relies on certificates for server authentication and to establish a chain of trust between clients and servers and among the different server roles. The Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 Public Key Infrastructure (PKI) provides the infrastructure for establishing and validating this chain of trust.

Certificates are digital IDs. They identify a server by name and specify its properties. To ensure that the information on a certificate is valid, the certificate must be issued by a CA that is trusted by the clients or other servers that connect to the server. If the server connects only with other clients and servers on a private network, the CA can be an enterprise CA. If the server interacts with entities outside the private network, a public CA might be required.

Even if the information on the certificate is valid, there must be some way to verify that the server presenting the certificate is actually the one represented by the certificate. This is where the Windows PKI comes in.

Each certificate is linked to a public key. The server named on the certificate holds the corresponding private key, which only it knows. A connecting client or server uses the public key to encrypt a random piece of information and sends it to the server. If the server decrypts the information and returns it as plain text, the connecting entity can be sure that the server holds the private key for the certificate and therefore is the server named on the certificate.
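The proof-of-possession exchange described above, as an added example that is not part of the original topic and not Lync Server's own code: the verifier encrypts a random nonce to the public key from the certificate, and only a responder holding the matching private key can return it unchanged. The key pairs are generated in memory for the demonstration, the "respond" callback stands in for the remote server, and the function names are this example's own; real TLS proves possession differently, so this illustrates the concept the page describes rather than the wire protocol.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ProveKeyPossession runs the challenge described on the page: encrypt a random
// nonce to the certificate's public key, hand it to the party claiming to be the
// server, and accept only if the nonce comes back unchanged. The respond callback
// is a stand-in (hypothetical) for the remote server's decrypt-and-return step.
func ProveKeyPossession(pub *rsa.PublicKey, respond func(challenge []byte) ([]byte, error)) (bool, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	challenge, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, nil)
	if err != nil {
		return false, err
	}
	answer, err := respond(challenge)
	if err != nil {
		// Without the matching private key the OAEP decryption fails; that is a
		// failed proof, not a fault in the verifier.
		return false, nil
	}
	return bytes.Equal(answer, nonce), nil
}

// responderFor builds the server side: whoever holds priv decrypts the challenge.
func responderFor(priv *rsa.PrivateKey) func([]byte) ([]byte, error) {
	return func(challenge []byte) ([]byte, error) {
		return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, challenge, nil)
	}
}

// DemoPossession generates a genuine key pair and an unrelated "impostor" key
// (both constructed in memory) and runs the challenge against each responder.
func DemoPossession() (genuineOK bool, impostorOK bool, err error) {
	var genuine, impostor *rsa.PrivateKey
	genuine, err = rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	impostor, err = rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// Both responders are challenged against the GENUINE public key, i.e. the
	// key embedded in the certificate the client trusts.
	genuineOK, err = ProveKeyPossession(&genuine.PublicKey, responderFor(genuine))
	if err != nil {
		return false, false, err
	}
	impostorOK, err = ProveKeyPossession(&genuine.PublicKey, responderFor(impostor))
	return genuineOK, impostorOK, err
}

func main() {
	g, i, err := DemoPossession()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine server passes: %v, impostor passes: %v\n", g, i)
}
```

The impostor holds a perfectly valid key pair of its own; it fails only because it cannot decrypt what was encrypted to the public key in the certificate, which is exactly the binding between certificate and server that the page describes.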

Note

Not all public CAs comply with the requirements of Lync Server 2013 certificates. We recommend that you refer to the listing of certified public CA vendors for your public certificate needs. For details, see Unified Communications Certificate Partners at https://go.microsoft.com/fwlink/p/?LinkId=140898.

CRL Distribution Points

Lync Server 2013 requires all server certificates to contain one or more Certificate Revocation List (CRL) distribution points. CRL distribution points (CDPs) are locations from which CRLs can be downloaded to verify that the certificate has not been revoked since it was issued and that it is still within its validity period. A CRL distribution point is recorded in the properties of the certificate as a URL, and is typically secure HTTP.

Enhanced Key Usage

Lync Server 2013 requires all server certificates to support Enhanced Key Usage (EKU) for the purpose of server authentication. Configuring the EKU field for server authentication means that the certificate is valid for the purpose of authenticating servers. This EKU is essential for mutual TLS (MTLS). It is possible to have more than one entry in the EKU, enabling the certificate for more than one purpose.

Note

The Client Authentication EKU was required for outbound MTLS connections from Live Communications Server 2003 and Live Communications Server 2005, but it is no longer required. However, this EKU must be present on Edge Servers that connect to AOL by means of public IM connectivity.
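A check for the two certificate requirements stated in the CRL Distribution Points and Enhanced Key Usage sections above (at least one CDP, and a Server Authentication EKU), with the Client Authentication EKU from the note treated as an optional extra for the Edge Server case. This is an added example, not code from the Lync Server product or its documentation: the certificates are self-signed test data built in memory, the host name and CRL URL are constructed placeholders, and the function names are this example's own. Pre-checking a certificate this way before importing it into a server role avoids discovering a missing CDP or EKU only when MTLS between roles fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckLyncServerCert reports whether a parsed certificate meets the page's
// requirements: one or more CRL distribution points and an EKU that includes
// Server Authentication. requireClientAuth additionally demands the Client
// Authentication EKU (the Edge Server / public IM connectivity case in the note).
func CheckLyncServerCert(cert *x509.Certificate, requireClientAuth bool) error {
	if len(cert.CRLDistributionPoints) == 0 {
		return errors.New("certificate has no CRL distribution point")
	}
	hasServerAuth, hasClientAuth := false, false
	for _, eku := range cert.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageServerAuth:
			hasServerAuth = true
		case x509.ExtKeyUsageClientAuth:
			hasClientAuth = true
		}
	}
	if !hasServerAuth {
		return errors.New("EKU does not include Server Authentication")
	}
	if requireClientAuth && !hasClientAuth {
		return errors.New("EKU does not include Client Authentication")
	}
	return nil
}

// makeTestCert builds a self-signed certificate (constructed test data) with the
// requested CDP URLs and EKUs, then re-parses the DER so the check sees exactly
// the extensions a connecting client would see, not just the template fields.
func makeTestCert(cdps []string, serverAuth, clientAuth bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var ekus []x509.ExtKeyUsage
	if serverAuth {
		ekus = append(ekus, x509.ExtKeyUsageServerAuth)
	}
	if clientAuth {
		ekus = append(ekus, x509.ExtKeyUsageClientAuth)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "fe01.example.invalid"}, // placeholder
		DNSNames:              []string{"fe01.example.invalid"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
		CRLDistributionPoints: cdps,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cdp := []string{"http://pki.example.invalid/ca.crl"} // constructed CDP URL
	good, err := makeTestCert(cdp, true, false)
	if err != nil {
		panic(err)
	}
	noCDP, _ := makeTestCert(nil, true, false)
	fmt.Println("front end cert:", CheckLyncServerCert(good, false))
	fmt.Println("cert without CDP:", CheckLyncServerCert(noCDP, false))
	fmt.Println("as Edge cert for public IM:", CheckLyncServerCert(good, true))
}
```

On a real deployment the same check would be run on the certificate exported from the server's store rather than on in-memory test data; the CDP URL it reports is also the address each client and peer server must be able to reach, which is worth verifying separately.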