Tuesday, September 1, 2015

Creating Custom Certificate for Lync 2013 Server


In Lync 2013, we normally create certificates with the certificate wizard inside the Deployment Wizard. The wizard reads the names it needs from the Lync 2013 topology and builds the certificate request from them. Every name in that request therefore comes from the Lync 2013 topology and nowhere else.

The Lync 2013 front-end uses one set of internal names, and the Lync 2013 edge server uses a different set of names that are published outside the Lync topology. The certificate requirements are therefore different for the internal and the external side of the Lync 2013 environment.

Sometimes, however, you want a certificate to include a name that you have not defined in Topology Builder. Suppose you have a second sip domain defined in Topology Builder: some of the names for that second sip domain are difficult to get into the wizard-generated request.

There are two types of certificate authority: an internal certificate authority, such as a Windows enterprise certificate authority, and a public certificate authority, such as GoDaddy, Comodo and others.

In this article, we create a new custom certificate request and submit it to a Windows enterprise certificate authority.

The Certificate Snap-in

The Certificates snap-in is available on every Windows computer. It opens the certificate stores, which hold the certificates of the local computer, of services and of user accounts. We will use the Certificates snap-in to create the certificate request. To open it, open the Run dialog and type MMC.

Run Dialog box

Once the MMC console is open, click File > Add/Remove Snap-in. In the Add/Remove Snap-ins dialog you pick one of the available snap-ins.

Add/Remove Snap-in

Certificate Snap-in

Select the Certificates snap-in and click Add to move it to the list of selected snap-ins.
While the Certificates snap-in is selected, read its description at the bottom of the dialog to understand what it is used for.

Certificate Snap-in

As mentioned above, the certificate stores keep certificates for users, services and computers. Select the account whose certificates you want to manage with this snap-in.

Select computer account

We select Computer account and then the computer whose certificates we want to manage. Notice that the snap-in can also connect to a remote computer and show its certificate store.

Select Local Computer

Now that the snap-in is added, click OK to open the snap-in.

Certificate Snap-in


Creating a custom certificate request

The next step is to create a custom certificate request for the Lync 2013 front-end server. The names below are the ones the Lync 2013 topology defines for the wt.com sip domain; the request must contain all of them.

For example, these are the names for the wt.com sip domain:

Pool FQDN - pool.wt.com
Front-end server FQDN - <server name>.wt.com
Simple URLs - meet.wt.com, dialin.wt.com
Mobility and client sign-in name - lyncdiscoverinternal.wt.com

Suppose we add another sip domain. That domain needs the same kind of names (meet, dialin, lyncdiscoverinternal) in the certificate, and for that we create a new custom certificate request.


Create Custom Certificate Request

Right click Personal > All Tasks > Advanced Operations > Create Custom Request....
This will open the certificate enrollment wizard.

Create Custom Request

Certificate Enrollment

Select Active Directory Enrollment Policy and click Next. If you do not choose this enrollment policy, the wizard will not offer the templates published by the Windows enterprise certificate authority.

Select Active Directory Enrollment Policy

On the next screen choose a template for the certificate. We choose Web Server as the template (it carries the Server Authentication enhanced key usage that a TLS server certificate needs), and the request format should be PKCS #10.

Select a Certificate Template

Click Next to reach the page where the request can be customized. Click the arrow under Details and then click Properties. We configure the request in the Properties window.

Change Certificate Information using Properties

This window opens on the Subject tab, where we enter the naming information for the certificate. We add two kinds of information:
  1. Subject name, also called the common name (CN) - the main name of the certificate. For a Lync front-end certificate this is the pool FQDN.
  2. Subject alternative names (SAN) - the other DNS names the certificate must cover. There can be many DNS entries. Repeat the common name here too: clients match the server name against the SAN list, and a name that appears only in the CN is not enough.
To set the common name, go to Subject name > Type, select Common name and enter its value.
Under Alternative name > Type, select DNS and enter each alternative name, clicking Add after each one. In this example we have added a few names for the sip domain webtecknology.com.

Subject tab

The next tab is the General tab, where we enter a friendly name and a description for the certificate; the friendly name is what you will recognise the certificate by in the store later.

General Tab

Go to the next tab, Extensions. It shows the key usage and the extended key usage, which define what the certificate may be used for. The Web Server template already supplies Server Authentication; do not remove it, since Lync clients and servers require it for TLS.

Extension Tab

The next tab is the Private Key tab. It has four sections:

  • Cryptography Service Provider
  • Key options 
  • Key Type
  • Key Permissions
Private Key tab

Expand Key options. Set the key size to at least 2048 bits, then decide on the two check boxes:

  1. Make private key exportable - allows the certificate to be exported together with its private key and moved to other machines, for example the other front-end servers of the pool. Leave it unchecked if the key will only ever live on this server; an exportable key is one more thing an attacker with local admin rights can take away.
  2. Strong private key protection - asks for consent or a password every time the private key is used. That is fine for a user certificate, but the Lync services use this certificate unattended and cannot answer the prompt, so leave it unchecked for a server certificate.
If you do tick Strong private key protection, clicking Apply opens the dialog that sets the security level for the private key, which you can set to High (password) or Medium (consent prompt).

Security level

Choose High or Medium

Choose the security level, click OK, and then click Next.

Click Finish

Click Finish to complete the Wizard.

Once the wizard completes, we save the offline request to a file. We save it as LyncCert.REQ in Base64 format; the file contains the public key and the requested names, never the private key, which stays in the local computer store.

Save the Offline request

File Location

Open the folder containing LyncCert.REQ, open the file in a text editor and copy its entire content, including the BEGIN and END lines.
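The same custom request can be produced without clicking through the wizard, which is handy when several pool members need identical requests. The script below is an added example, not code from the original post: it writes a certreq.exe INF file with the choices made above (2048-bit RSA key in the machine store, Web Server template, PKCS #10, no strong private key protection), generates the Base64 request, dumps it for inspection, and optionally submits it to the enterprise CA. The names, paths, the template name WebServer and the CA configuration string ad.wt.com\wt-AD-CA are assumptions; replace them with your own values.

```powershell
# Added example (not from the original post): create the Lync custom request with certreq.exe.
# Assumptions: sip domain wt.com, pool pool.wt.com, front-end fe01.wt.com,
# template "WebServer", CA config string "ad.wt.com\wt-AD-CA". Run as Administrator.

$CommonName = 'pool.wt.com'
$SanNames   = @(
    'pool.wt.com',                  # pool FQDN, repeated in the SAN on purpose
    'fe01.wt.com',                  # this front-end server
    'meet.wt.com',                  # simple URLs
    'dialin.wt.com',
    'lyncdiscoverinternal.wt.com'   # mobility / client sign-in
)
$Dir      = 'C:\Certs'
$InfFile  = Join-Path $Dir 'LyncCert.inf'
$ReqFile  = Join-Path $Dir 'LyncCert.req'
$CerFile  = Join-Path $Dir 'LyncCert.cer'
$CaConfig = 'ad.wt.com\wt-AD-CA'   # assumption; "certutil -dump" on the CA shows the real string

New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# SAN extension (OID 2.5.29.17) in certreq's {text} form: dns=a&dns=b&...
$SanText = ($SanNames | ForEach-Object { "dns=$_" }) -join '&'

$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$CommonName"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
; AT_KEYEXCHANGE, needed for TLS
KeySpec = 1
; key goes into the local computer store so the Lync services can use it
MachineKeySet = TRUE
; set to FALSE if the key never has to leave this server
Exportable = TRUE
; legacy CSP that Lync 2013 expects; no strong private key protection is requested
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}$SanText"

[RequestAttributes]
CertificateTemplate = WebServer
"@

Set-Content -Path $InfFile -Value $Inf -Encoding ASCII

# Generate the key pair and the Base64 request (equivalent of "Create Custom Request")
certreq.exe -new $InfFile $ReqFile

# Inspect the request before sending it anywhere: check Subject, key length and the SAN list
certutil.exe -dump $ReqFile

# Submit to the enterprise CA (same as pasting into certsrv) and bind the issued
# certificate to the private key in the machine store. If the template requires
# CA manager approval, certreq prints a RequestId to use later with "certreq -retrieve".
certreq.exe -submit -config $CaConfig $ReqFile $CerFile
certreq.exe -accept $CerFile
```

Run the script on the front-end server that will use the certificate, so that the private key is created in that server's own store. The `certutil -dump` step is the equivalent of reading the request with your own eyes; a request with a wrong name is cheap to throw away before the CA has issued anything.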

Certificate Request information

The same Base64 request can also go to a public certificate authority. For example, Comodo offers a free certificate valid for 90 days; paste the request into its wizard to get one.

Comodo Certificate Wizard

To submit the request to the Windows enterprise certificate authority instead, open the Certificate Services web enrollment page, in this example https://ad.wt.com/certsrv, and log on with an account that is allowed to enroll for the template.

Active Directory Certificate Service Web Portal

Click Request a Certificate and then click Advanced Certificate request.

Click Advanced Certificate Request

Paste the content of LyncCert.REQ into the Saved Request box, select the Web Server certificate template, and submit the request to the certificate authority.

Submit the request

Download the issued Certificates

If the template auto-issues, the certificate authority issues the certificate straight away. Download it and verify the subject name and every subject alternative name before you assign it in Lync; a missing name only shows up later as a client that refuses to connect.
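Reading the names off the certificate dialog is error-prone when there are many of them. The script below is an added example, not part of the original post: it loads the downloaded certificate, pulls the DNS names out of the SAN extension, confirms the Server Authentication enhanced key usage and key size, compares the names against the list the topology needs, checks that the private key is bound in the local computer store, and resolves each name in DNS. The file path and the expected name list are assumptions.

```powershell
# Added example (not from the original post): verify the issued Lync certificate.
# Assumptions: certificate downloaded to C:\Certs\LyncCert.cer; the expected names below.

$CerFile  = 'C:\Certs\LyncCert.cer'
$Expected = @('pool.wt.com','fe01.wt.com','meet.wt.com','dialin.wt.com','lyncdiscoverinternal.wt.com')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile

# Subject alternative name extension (OID 2.5.29.17). Format($true) prints one "DNS Name=..." per line.
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    $sanNames = ($sanExt.Format($true) -split "`r?`n") |
        Where-Object { $_ -match '^DNS Name=' } |
        ForEach-Object { ($_ -replace '^DNS Name=', '').Trim().ToLower() }
}

# Enhanced key usage (OID 2.5.29.37) must contain Server Authentication 1.3.6.1.5.5.7.3.1
$ekuExt        = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

$missing = $Expected | Where-Object { $sanNames -notcontains $_.ToLower() }

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Valid until : $($cert.NotAfter)"
"Key size    : $($cert.PublicKey.Key.KeySize)"
"SAN names   : $($sanNames -join ', ')"
"ServerAuth  : $hasServerAuth"
if ($missing) { Write-Warning "Missing SAN entries: $($missing -join ', ')" } else { 'All expected names present' }
if ($cert.PublicKey.Key.KeySize -lt 2048) { Write-Warning 'Key is shorter than 2048 bits' }

# After "certreq -accept" or importing through the MMC, the machine store copy must carry the private key
$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($installed -and $installed.HasPrivateKey) { 'Private key bound in LocalMachine\My' }
else { Write-Warning 'Certificate is not in LocalMachine\My with a private key; import it on the server that created the request' }

# A name in the certificate is useless without a DNS record behind it
foreach ($name in $Expected) {
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        "$name -> $($addresses -join ', ')"
    } catch {
        Write-Warning "$name does not resolve in DNS"
    }
}
```

Run it on the front-end server after the certificate has been installed. The private-key check is the one that catches the most common mistake with offline requests: a certificate downloaded and opened on an administrator's workstation looks fine but cannot be assigned in Lync because the key pair was generated on a different machine.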


A custom certificate request is very helpful when no wizard produces the request the way we want it. There are many ways to generate a request, and this is one more to keep at hand.

Microsoft recommends creating the request on the same server where the certificate will be deployed: the private key is generated and stays in that server's certificate store, and only the public half travels in the request file, so the issued certificate can be bound to its key only on that server.
Two things need care. First, every name in the request must be correct and must have a matching DNS record, because a name that does not resolve is of no use in the certificate. Second, the web enrollment pages of a Windows enterprise certificate authority require HTTPS, so configure SSL for the Web Server role on the certificate authority server before using https://ad.wt.com/certsrv.
