Topic Last Modified: 2011-03-28

Microsoft Lync Server 2010 relies on certificates for server authentication and to establish a chain of trust between clients and servers and among the different server roles. The Windows Server operating system provides the infrastructure for establishing and validating this chain of trust.

Certificates are digital IDs. They identify a server by name and specify its properties. To ensure that the information on a certificate is valid, the certificate must be issued by a certification authority (CA) that is trusted by clients or other servers that connect to the server. If the server connects only with other clients and servers on a private network, the CA can be an enterprise CA. If the server interacts with entities outside the private network, a public CA might be required.

Even if the information on the certificate is valid, there must be some way to verify that the server presenting the certificate is actually the one represented by the certificate. This is where the Windows public key infrastructure (PKI) comes in.

Each certificate is linked to a public key. The server named on the certificate holds a corresponding private key that only it knows. A connecting client or server uses the public key to encrypt a random piece of information and sends it to the server. If the server decrypts the information and returns it as plain text, the connecting entity can be sure that the server holds the private key to the certificate and is therefore the server named on the certificate.

Root CA Certificate for Lync Phone Edition

Communication between Microsoft Lync 2010 Phone Edition and Lync Server 2010 is by default encrypted using Transport Layer Security (TLS) and Secure Real-time Transport Protocol (SRTP). For this reason, the device running Lync 2010 Phone Edition needs to trust the certificates presented by Lync Server. If the computers running Lync Server use public certificates, the device will most likely trust them automatically, because the device contains the same list of trusted CAs as Windows CE. However, because most Lync Server deployments use internal certificates for the internal Lync Server roles, the root CA certificate from the internal CA must be installed on the device. It is not possible to install the root CA certificate on the device manually, so it must come from the network. Lync Phone Edition can download the certificate in one of two ways.

First, the device searches for Active Directory Domain Services (AD DS) objects of the category certificationAuthority. If the search returns any objects, the device uses the attribute caCertificate. That attribute is assumed to hold the certificate, and the device installs the certificate.

The root CA certificate must be published in the caCertificate attribute for Lync Phone Edition. To add the root CA certificate to the caCertificate attribute, use the following command:

    certutil -f -dspublish <Root CA certificate in .cer file> RootCA

If the search for Active Directory objects of the category certificationAuthority does not return any objects, or if the returned objects have empty caCertificate attributes, the device searches for Active Directory objects of the category pKIEnrollmentService in the configuration naming context. Such objects exist if certificate autoenrollment has been enabled in Active Directory. If the search returns any objects, the device uses the returned dNSHostName attribute to locate the CA and then retrieves the root CA certificate from the web interface of Windows Certificate Services with the following HTTP GET request:

    http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64

If neither of these methods succeeds, the device presents the error message "Cannot validate server certificate," and the user cannot use the device.

Considerations for Issuing Certificates to Lync Phone Edition

The following is a list of considerations for issuing certificates to Lync Phone Edition:

  • By default, Lync Phone Edition uses TLS and SRTP, which require that:

    - Trusted certificates are presented by Lync Server and Microsoft Exchange Server.

    - The root CA chain certificate resides on the device.

  • You cannot manually install certificates on the device.

  • Use one of the following approaches:

    - Use public certificates, with the public certificates preloaded onto the device.

    - Use organization certificates, with the root CA chain received from the network.

Finding the Organization Root CA Chain

Lync Phone Edition can find the certificate by using either the PKI auto-enrollment object in AD DS or a well-known distinguished name (DN). Here are the details:

  • With PKI auto-enrollment enabled for the organization CA, the device makes a Lightweight Directory Access Protocol (LDAP) request to find the pKIEnrollmentService object and the CA server address, and then downloads the certificate over HTTP from the /certsrv site of the Windows CA by using the user's credentials.

  • With the well-known DN, you upload the root CA certificate to the configuration naming context (NC) by using certutil -f -dspublish "<.cer file location>" RootCA; the certificate is published under the following DN:

    CN=Certification Authorities, CN=Public Key Services, CN=Services, CN=Configuration, DC=<AD domain>

Note:
The LDAP request uses the base DN CN=Configuration,DC=<Domain> and the filter (objectCategory=pKIEnrollmentService), and the searched-for attribute is dNSHostName. Be aware that the device downloads the certificate by using the HTTP GET request http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64.
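The following PowerShell script is an added example and is not part of the Lync documentation or the Lync Server product. Run from a domain-joined administrator workstation, it repeats the two lookups described above (the certificationAuthority search for a populated caCertificate, and the pKIEnrollmentService fallback with the certnew.p7b download), so that an administrator can confirm the root CA is discoverable before handsets report "Cannot validate server certificate." It assumes read access to the configuration naming context, that the /certsrv site accepts the current user's Windows credentials, and that the Enc=b64 response is base64 text.

```powershell
# Added pre-flight check (not from the Lync documentation): reproduce the two
# root CA lookups a Lync Phone Edition device performs, from an admin workstation.
# Assumptions: domain-joined host, read access to the configuration NC,
# /certsrv accepts the current user's Windows credentials, Enc=b64 returns base64.
$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNc"

# Method 1: certificationAuthority objects must carry a non-empty caCertificate.
$searcher.Filter = "(objectCategory=certificationAuthority)"
$published = @()
foreach ($r in $searcher.FindAll()) {
    $cn   = $r.Properties["cn"][0]
    $blob = $r.Properties["cacertificate"]          # DER bytes, if published
    if ($blob.Count -eq 0) {
        Write-Warning "$cn has an empty caCertificate attribute; the device will skip it."
        continue
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob[0])
    $published += $cert
    "Method 1: {0} publishes {1} (thumbprint {2}, expires {3})" -f $cn, $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}
if ($published.Count -eq 0) { Write-Warning "No usable certificationAuthority object; the device falls back to method 2." }

# Method 2: pKIEnrollmentService objects name the CA web host in dNSHostName;
# the device fetches the CA chain as PKCS#7 from /certsrv on that host.
$searcher.Filter = "(objectCategory=pKIEnrollmentService)"
foreach ($r in $searcher.FindAll()) {
    $ca  = $r.Properties["dnshostname"][0]
    $url = "http://$ca/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64"
    try {
        $web = New-Object System.Net.WebClient
        $web.UseDefaultCredentials = $true          # the device authenticates as the user
        # Drop any -----BEGIN/END----- armour lines, then decode the base64 PKCS#7 blob.
        $b64 = ($web.DownloadString($url) -split "`r?`n" | Where-Object { $_ -and $_ -notmatch '^-----' }) -join ''
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $chain.Import([Convert]::FromBase64String($b64))
        foreach ($c in $chain) {
            # Cross-check: is the served root the same certificate that method 1 found in AD?
            $inAd = $published | Where-Object { $_.Thumbprint -eq $c.Thumbprint }
            "Method 2: {0} serves {1} (thumbprint {2}); also published in AD: {3}" -f $ca, $c.Subject, $c.Thumbprint, [bool]$inAd
        }
    } catch {
        Write-Warning "Method 2 failed for ${ca}: $($_.Exception.Message)"
    }
}
```

If method 1 prints nothing but a warning and method 2 fails, the device will show the error above; publish the root with the certutil command earlier in this topic and rerun the check.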

Trusted Authorities Cache

The following table describes the public certificates that Lync Phone Edition trusts.

Public Trusted Certificates

| Vendor     | Certificate Name                                    | Expiry Date | Key length (bits) |
|------------|-----------------------------------------------------|-------------|-------------------|
| Comodo     | AAA Certificate Services                            | 12/31/2020  | 2048              |
| Comodo     | AddTrust External CA Root                           | 5/30/2020   | 2048              |
| CyberTrust | Baltimore CyberTrust Root                           | 5/12/2025   | 2048              |
| CyberTrust | GlobalSign Root CA                                  | 1/28/2014   | 2048              |
| CyberTrust | GTE CyberTrust Global Root                          | 8/13/2018   | 1024              |
| VeriSign   | Class 2 Public Primary Certification Authority      | 8/1/2028    | 1024              |
| VeriSign   | Thawte Premium Server CA                            | 12/31/2020  | 1024              |
| VeriSign   | Thawte Server CA                                    | 12/31/2020  | 1024              |
| VeriSign   | Comodo                                              | 1/7/2010    | 1000              |
| VeriSign   | Class 3 Public Primary Certification Authority      | 8/1/2028    | 1024              |
| Entrust    | Entrust.net Certification Authority (2048)          | 12/24/2019  | 2048              |
| Entrust    | Entrust.net Secure Server Certification Authority   | 5/25/2019   | 1024              |
| Equifax    | Equifax Secure Certificate Authority                | 8/22/2018   | 1024              |
| GeoTrust   | GeoTrust Global CA                                  | 5/20/2022   | 2048              |
| Go Daddy   | Go Daddy Class 2 Certification Authority            | 6/29/2034   | 2048              |
| Go Daddy   | http://www.valicert.com/                            | 6/25/2019   | 1024              |
| Go Daddy   | Starfield Class 2 Certification Authority           | 6/29/2034   | 2048              |