Topic Last Modified: 2011-03-28
Microsoft Lync Server 2010 relies on certificates for server authentication and to establish a chain of trust between clients and servers and among the different server roles. The Windows Server operating system provides the infrastructure for establishing and validating this chain of trust.
Certificates are digital IDs. They identify a server by name and specify its properties. To ensure that the information on a certificate is valid, the certificate must be issued by a certification authority (CA) that is trusted by clients or other servers that connect to the server. If the server connects only with other clients and servers on a private network, the CA can be an enterprise CA. If the server interacts with entities outside the private network, a public CA might be required.
Even if the information on the certificate is valid, there must be some way to verify that the server presenting the certificate is actually the one represented by the certificate. This is where the Windows public key infrastructure (PKI) comes in.
Each certificate is linked to a public key. The server named on the certificate holds the corresponding private key, which only it knows. During the TLS handshake, the connecting client or server uses the public key to challenge the server, for example by encrypting a random secret with it; only a server that holds the private key can recover that secret and complete the handshake. The connecting entity can therefore be sure that the server presenting the certificate holds the private key and is the server named on the certificate. Note that possession of the private key is proved inside the handshake (the secret is never echoed back in plain text), and the name on the certificate is meaningful only because a trusted CA vouched for it.
Root CA Certificate for Lync Phone Edition
Communication between Microsoft Lync 2010 Phone Edition and Lync Server 2010 is encrypted by default using Transport Layer Security (TLS) for signaling and Secure Real-time Transport Protocol (SRTP) for media. For this reason, the device running Lync 2010 Phone Edition must trust the certificates presented by Lync Server. If the computers running Lync Server use public certificates, they will most likely be trusted automatically, because the device ships with the same list of trusted CAs as Windows CE (see Trusted Authorities Cache later in this topic). However, because most Lync Server deployments use internal certificates for the internal Lync Server roles, the root CA certificate of the internal CA must be installed on the device. It is not possible to install the root CA certificate on the device manually, so it must come from the network. Lync Phone Edition can download the certificate by using two methods, which it tries in order.
First, the device searches the configuration naming context of Active Directory Domain Services (AD DS) for objects of the category certificationAuthority. If the search returns any objects, the device reads their caCertificate attribute, which is assumed to hold the root CA certificate, and installs that certificate.
The root CA certificate must therefore be published in the caCertificate attribute for Lync Phone Edition to find it. To add the root CA certificate to the caCertificate attribute, run the following command with an account that can write to the configuration naming context (by default, Enterprise Admins; the -f switch overwrites an existing entry):

certutil -f -dspublish <Root CA certificate in .cer file> RootCA
If the search for objects of the category certificationAuthority returns no objects, or if the returned objects have empty caCertificate attributes, the device searches the configuration naming context for objects of the category pKIEnrollmentService. An enterprise CA registers such an object when it is installed, and certificate autoenrollment uses the same objects to locate a CA. If the search returns any objects, the device uses the returned dNSHostName attribute to identify the CA and then retrieves the root CA certificate from the Windows Certificate Services web enrollment interface on that host, authenticating with the user's credentials, by using the following HTTP GET request (this requires the Certification Authority Web Enrollment role service on that CA):

http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64
If neither method succeeds, the device displays the error message "Cannot validate server certificate," and the user cannot use the device.
Considerations for Issuing Certificates to Lync Phone Edition
The following is a list of considerations for issuing certificates to Lync Phone Edition:
- By default, Lync Phone Edition uses TLS and SRTP, which require that:
  - The device trusts the certificates presented by Lync Server and Microsoft Exchange Server.
  - The root CA chain certificate resides on the device.
- You cannot manually install certificates on the device.
- You therefore have two options:
  - Use public certificates, whose root certificates are preloaded onto the device.
  - Use organization certificates, and let the device receive the root CA chain from the network.
Finding the organization Root CA Chain
Lync Phone Edition can find the certificate by using either the PKI auto-enrollment object in AD DS or a well-known distinguished name (DN). Here are the details:
- Auto-enrollment object: the device makes a Lightweight Directory Access Protocol (LDAP) request to find the pKIEnrollmentService object and the CA server address (dNSHostName), and then downloads the certificate over HTTP from the Windows CA /certsrv site by using the user's credentials.
- Well-known DN: the command certutil -f -dspublish "<.cer file location>" RootCA uploads the root CA certificate to the following container in the configuration naming context (NC), where <forest root domain> is spelled out as DC= components:
CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=<forest root domain>
Note:
The LDAP request for the auto-enrollment object uses base DN CN=Configuration,DC=<forest root domain>, filter (objectCategory=pKIEnrollmentService), and requests the attribute dNSHostName. Be aware that the device then downloads the certificate with the HTTP GET request http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64, so the Certification Authority Web Enrollment role service must be installed on that host.
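The two lookups described under Root CA Certificate for Lync Phone Edition and in the note above can be reproduced from a domain-joined workstation to verify, before devices are deployed, that the organization root CA is actually discoverable. The following PowerShell script is an added example and is not part of the original topic or of Lync Server; the LDAP filters, attribute names, certutil command and /certsrv URL are the ones documented on this page, while the function name Get-PhoneEditionRootCA and the way the .p7b response is parsed are this script's own assumptions.

```powershell
# Added example (not from the original topic): reproduce the two root CA lookups
# that Lync Phone Edition performs, in the same order, and report what it would find.
# Run as a domain user on a domain-joined machine. Function name and .p7b parsing
# are assumptions of this script; filters, attributes and URL come from the page.

function Get-PhoneEditionRootCA {
    $configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $found = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$configNC"

    # Method 1: certificationAuthority objects, caCertificate attribute
    # (this is what "certutil -f -dspublish <root.cer> RootCA" populates)
    $searcher.Filter = "(objectCategory=certificationAuthority)"
    [void]$searcher.PropertiesToLoad.Add("caCertificate")
    foreach ($result in $searcher.FindAll()) {
        foreach ($blob in $result.Properties["cacertificate"]) {
            if ($blob -ne $null -and $blob.Length -gt 0) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
                [void]$found.Add($cert)
            }
        }
    }
    if ($found.Count -gt 0) { return $found }

    # Method 2: pKIEnrollmentService objects -> dNSHostName -> web enrollment page.
    # The device sends this request with the user's credentials; so does this script.
    $searcher.Filter = "(objectCategory=pKIEnrollmentService)"
    $searcher.PropertiesToLoad.Clear()
    [void]$searcher.PropertiesToLoad.Add("dNSHostName")
    foreach ($result in $searcher.FindAll()) {
        foreach ($caHost in $result.Properties["dnshostname"]) {
            $url = "http://$caHost/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64"
            try {
                $body = (Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing).Content
                # Enc=b64 returns base64 text; PEM armor lines, if present, are dropped
                $raw  = [Convert]::FromBase64String((($body -replace '-----[^-]*-----', '') -replace '\s', ''))
                $found.Import($raw)   # X509Certificate2Collection.Import understands a PKCS #7 bundle
            } catch {
                Write-Warning "Could not retrieve the root CA from $url : $($_.Exception.Message)"
            }
        }
    }
    return $found
}

$roots = Get-PhoneEditionRootCA
if ($roots.Count -eq 0) {
    Write-Warning 'Neither lookup returned a certificate; devices will report "Cannot validate server certificate".'
} else {
    $roots | Select-Object Subject, NotAfter, Thumbprint,
        @{ Name = 'KeyBits'; Expression = { $_.PublicKey.Key.KeySize } }
}
```

If method 1 returns nothing, the caCertificate attribute has not been published; if method 2 warns, either no enterprise CA has registered a pKIEnrollmentService object or the /certsrv web enrollment page is not installed on the host that did. Either condition is what produces the "Cannot validate server certificate" error on the device.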
Trusted Authorities Cache
The following table lists the public root certificates that Lync Phone Edition trusts. The list is built into the device and, because certificates cannot be installed on the device manually, a public certificate whose chain ends at a root that is not listed here is not trusted by the device. Several of these roots use 1024-bit keys and several expire before the end of a typical server certificate's validity period, so check the expiry date of the root against the validity period of the certificate you intend to deploy.
Public Trusted Certificates
Vendor | Certificate Name | Expiry Date | Key length (bits)
---|---|---|---
Comodo | AAA Certificate Services | 12/31/2020 | 2048
Comodo | AddTrust External CA Root | 5/30/2020 | 2048
CyberTrust | Baltimore CyberTrust Root | 5/12/2025 | 2048
CyberTrust | GlobalSign Root CA | 1/28/2014 | 2048
CyberTrust | GTE CyberTrust Global Root | 8/13/2018 | 1024
VeriSign | Class 2 Public Primary Certification Authority | 8/1/2028 | 1024
VeriSign | Thawte Premium Server CA | 12/31/2020 | 1024
VeriSign | Thawte Server CA | 12/31/2020 | 1024
VeriSign | Comodo | 1/7/2010 | 1000
VeriSign | Class 3 Public Primary Certification Authority | 8/1/2028 | 1024
Entrust | Entrust.net Certification Authority (2048) | 12/24/2019 | 2048
Entrust | Entrust.net Secure Server Certification Authority | 5/25/2019 | 1024
Equifax | Equifax Secure Certificate Authority | 8/22/2018 | 1024
GeoTrust | GeoTrust Global CA | 5/20/2022 | 2048
Go Daddy | Go Daddy Class 2 Certification Authority | 6/29/2034 | 2048
Go Daddy | http://www.valicert.com/ | 6/25/2019 | 1024
Go Daddy | Starfield Class 2 Certification Authority | 6/29/2034 | 2048
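Before assigning a public certificate to a Lync Server role, it is worth checking which root its chain ends at and whether that root appears in the table above. The following PowerShell function is an added example, not part of the original topic or of Lync Server: the root names are copied from the table, while matching them against the root certificate's Subject string and the function name Test-PhoneEditionTrust are this script's own assumptions. The device matches on the actual root certificate, so treat a name match as necessary rather than sufficient.

```powershell
# Added example (not from the original topic): build the chain of a certificate
# you plan to deploy on Lync Server and report whether its root is one of the
# roots in the Phone Edition trusted authorities cache listed above.
# Name matching on Subject and the function name are assumptions of this script.

$PhoneEditionTrustedRootNames = @(
    'AAA Certificate Services', 'AddTrust External CA Root',
    'Baltimore CyberTrust Root', 'GlobalSign Root CA', 'GTE CyberTrust Global Root',
    'Class 2 Public Primary Certification Authority', 'Thawte Premium Server CA',
    'Thawte Server CA', 'Class 3 Public Primary Certification Authority',
    'Entrust.net Certification Authority (2048)',
    'Entrust.net Secure Server Certification Authority',
    'Equifax Secure Certificate Authority', 'GeoTrust Global CA',
    'Go Daddy Class 2 Certification Authority', 'http://www.valicert.com/',
    'Starfield Class 2 Certification Authority'
)

function Test-PhoneEditionTrust {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The question here is which root the chain ends at, not CRL reachability
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)
    # Last element is the highest certificate Windows could reach; if ChainValid is
    # $false it may be an intermediate rather than a root, which is itself a finding
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $match = $PhoneEditionTrustedRootNames | Where-Object { $root.Subject -like "*$_*" }
    $verdict = if ($match) {
        'Root is in the device cache'
    } else {
        'Root is NOT in the device cache; the device will not trust this chain'
    }

    [pscustomobject]@{
        Server      = $Certificate.Subject
        Root        = $root.Subject
        ChainValid  = $built
        RootKeyBits = $root.PublicKey.Key.KeySize
        RootExpires = $root.NotAfter
        Verdict     = $verdict
    }
}

# Usage: run on the Lync Server against the certificate assigned to the role,
# replacing <thumbprint> with that certificate's thumbprint (placeholder).
# Test-PhoneEditionTrust -Certificate (Get-Item Cert:\LocalMachine\My\<thumbprint>)
```

RootExpires and RootKeyBits are reported so that a root that expires before the server certificate, or one of the 1024-bit roots in the table, is visible at the same time as the cache check.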