Topic Last Modified: 2010-12-13
After setting up certificates for the internal interface, you are ready to set up the certificates for the external interface.
Each Edge Server requires a public certificate on the interface between the perimeter network and the Internet, and the certificate’s subject alternative name must contain the external names of the Access Edge service and Web Conferencing Edge service fully qualified domain names (FQDNs).
For details about this and other certificate requirements, see Certificate Requirements for External User Access.
For a list of public certification authorities (CAs) that provide certificates that comply with specific requirements for unified communications certificates and have partnered with Microsoft to ensure they work with the Lync Server Certificate Wizard, see Microsoft Knowledge Base article 929395, "Unified Communications Certificate Partners for Exchange Server and for Communications Server," at http://go.microsoft.com/fwlink/?LinkId=202834.
Configuring Certificates on the External Interfaces
To set up a certificate on the external edge interface at a site, use the procedures in this section to do the following:
- Create the certificate request for the external interface of
the Edge Server.
- Submit the request to your public CA.
- Import the certificate for the external interface of each Edge
- Assign the certificate for the external interface of each Edge
- If your deployment includes multiple Edge Servers, export the
certificate along with its private key, and then copy it to the
other Edge Servers. Then, for each Edge Server, import it and
assign it as previously described. Repeat this procedure for each
You can request public certificates directly from a public certification authority (CA) (such as from the website of a public CA). The procedures in this section use the Certificate Wizard for most certificate tasks. If you chose to request a certificate directly from a public CA, then you will need to modify each procedure as appropriate to request, transport, and import the certificate and also to import the certificate chain.
When you request a certificate from an External CA, the credentials provided must have rights to request a certificate from that CA. Each CA has a security policy that defines which credentials (that is, specific user and group names) are allowed to request, issue, manage, or read certificates.
If you decide to use the Certificates Microsoft Management Console (MMC) to import the certificate chain and certificate, you must import them to the certificate store for the computer. If you import them to the user or service certificate store, the certificate will not be available for assignment in the Lync Server Certificate Wizard.
To create the certificate request for the external interface of the Edge Server
On the Edge Server, in the Deployment Wizard, next to Step 3: Request, Install, or Assign Certificates, click Run again.
Note: If your organization wants to support public instant messaging (IM) connectivity with AOL, you cannot use the Lync Server Deployment Wizard to request the certificate. Instead, use the “To create a certificate request for the external interface of the Edge Server to support public IM connectivity with AOL” procedure later in this topic.
If you have multiple Edge Servers in one location in a pool, you can run the Lync Server Certificate Wizard on any one of the Edge Servers.
On the Available Certificate Tasks page, click Create a new certificate request.
On the Certificate Request page, click External Edge Certificate.
On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box.
On the Certificate Request File page, type the full path and file name of the file to which the request is to be saved (for example, c:\cert_exernal_edge.cer).
On the Specify Alternate Certificate Template page, to use a template other than the default WebServer template, select the Use alternative certificate template for the selected Certificate Authority check box.
On the Name and Security Settings page, do the following:
- In Friendly name, type a display name for the
- In Bit length, specify the bit length (typically, the
default of 2048).
- Verify that the Mark certificate private key as
exportable check box is selected.
- In Friendly name, type a display name for the certificate.
On the Organization Information page, type the name for the organization and the organizational unit (for example, a division or department).
On the Geographical Information page, specify the location information.
On the Subject Name/Subject Alternate Names page, the information to be automatically populated by the wizard is displayed. If additional subject alternative names are needed, you specify them in the next two steps.
On the SIP Domain Setting on Subject Alternate Names (SANs) page, select the domain check box to add a sip.<sipdomain> entry to the subject alternative names list.
On the Configure Additional Subject Alternate Names page, specify any additional subject alternative names that are required.
On the Request Summary page, review the certificate information to be used to generate the request.
After the commands finish running, do the following:
- To view the log for the certificate request, click View
- To complete the certificate request, click Next.
- To view the log for the certificate request, click View Log.
On the Certificate Request File page, do the following:
- To view the generated certificate signing request (CSR) file,
- To close the wizard, click Finish.
- To view the generated certificate signing request (CSR) file, click View.
Copy the output file to a location where you can submit it to the public CA.
To create a certificate request for the external interface of the Edge Server to support public IM connectivity with AOL
When the required template is available to the CA, use the following Windows PowerShell cmdlet from at the Edge Server to request the certificate:
Request-CsCertificate -New -Type AccessEdgeExternal -Output C:\ <certfilename.txt or certfilename.csr> -ClientEku $true -Template <template name>
The default certificate name of the template provided in Lync Server 2010 is Web Server. Only specify the <template name> if you need to use a template that is different from the default template.
Note: If your organization wants to support public IM connectivity with AOL, you must use Windows PowerShell instead of the Certificate Wizard to request the certificate to be assigned to the external edge for the Access Edge service. This is because the Lync Server 2010 Web Server template that the Certificate Wizard uses to request a certificate does not support client EKU configuration. Before using Windows PowerShell to create the certificate, the CA administrator must create and deploy a new template that supports client EKU.
To submit a request to a public certification authority
Open the output file.
Copy and paste the contents of the Certificate Signing Request (CSR).
If prompted, specify the following:
- Microsoft as the server platform.
- IIS as the version.
- Web Server as the usage type.
- PKCS7 as the response format.
- Microsoft as the server platform.
When the public CA has verified your information, you will receive an email message containing text required for your certificate.
Copy the text from the email message and save the contents in a text file (.txt) on your local computer.
To import the certificate for the external interface of the Edge Server
Log on as a member of the Administrators group to the same Edge Server on which you created the certificate request.
In the Deployment Wizard, on the Deploy Edge Server page, next to Step 3: Request, Install, or Assign Certificates, click Run again.
On the Available Certificate Tasks page, click Import a certificate from a .p7b, pfx or .cer file.
On the Import Certificate page, type the full path and file name of the certificate that you requested for the external interface of the Edge Server (or, click Browse to locate and select the file).
If you are configuring an Edge Server pool, export the certificate with its private key, copy it to the other Edge Servers, and import it into the computer store on each Edge Server.
To assign the certificate for the external interface of the Edge Server
On each Edge Server, in the Deployment Wizard, next to Step 3: Request, Install, or Assign Certificates, click Run again.
On the Available Certificate Tasks page, click Assign an existing certificate.
On the Certificate Assignment page, click External Edge Certificate and select the Advanced Certificate Usages check box.
On the Advanced Certificate Usages page, select all check boxes to assign the certificate for all usages.
On the Certificate Store page, select the public certificate that you requested and imported for the external interface of the Edge Server.
Note: If the certificate you requested and imported is not in the list, one of the trouble shooting methods is to verify that subject name and subject alternative names of the certificate meet all requirements for the certificate and, if you manually imported the certificate and certificate chain instead of using the preceding procedures, that the certificate is in the correct certificate store (the computer certificate store, not the user or service certificate store).
On the Certificate Assignment Summary page, review your settings, and then click Next to assign the certificates.
On the wizard completion page, click Finish.
After using this procedure to assign the edge certificate, open the Certificate snap-in on each server, expand Certificates (Local computer), expand Personal, click Certificates, and then verify in the details pane that the certificate is listed.
If your deployment includes multiple Edge Servers, repeat this procedure for each Edge Server.