Topic Last Modified: 2012-10-18

The certificates for your Director pool, Front End pool, and reverse proxy require additional subject alternative name entries to support secure connections with mobile clients. For details about certificate requirements for mobility, see Technical Requirements for Mobility.

Note:
You can use the Get-CsCertificate cmdlet to view information about the currently assigned certificates. However, the default view truncates the properties of the certificate and does not display all values in the SubjectAlternativeNames property. You can use the Get-CsCertificate , Request-CsCertificate and the Set-CsCertificate cmdlets to view some information and to request and assign certificates. However, it’s not the best method to use if you are unsure of the properties of the subject alternative names (SAN) on the current certificate. To view the certificate and all property members, it is suggested to use the Certificates snap-in the Microsoft Management Console (MMC) or to use the Lync Server Deployment Wizard. In the Lync Server Deployment Wizard, you can use the Certificate Wizard to view the certificate properties. The procedures for viewing, requesting and assigning a certificate using the Lync Server Management Shell and the Microsoft Management Console (MMC) are detailed in the following procedures. To use the Lync Server Deployment Wizard, see details here if you have deployed the optional Director or Director pool: Configure Certificates for the Director. For the Front End Server or Front End pool, see the details here: Configure Certificates for Servers

The initial steps in this procedure are preparation steps, to orient you as to what role the current certificates play. By default, the certificates will not have a lyncdiscover.<sipdomain> or lyncdiscoverinternal.<internal domain name> entry unless you have previously installed Mobility Services or have prepared your certificates in advance. This procedure uses the example SIP domain name ‘contoso.com’ and the example internal domain name ‘contoso.net’.

The default certificate configuration for Lync Server 2013 and Lync Server 2010 is to use a single certificate (named ‘Default’) with the purposes Default (for all purposes except for the web services), WebServicesExternal and WebServicesInternal. An optional configuration is to use separate certificates for each purpose. Certificates can be managed by using the Lync Server Management Shell and Windows PowerShell cmdlets, or by using the Certificate Wizard in the Lync Server Deployment Wizard.

To update certificates with new subject alternative names using the Lync Server Management Shell

  1. Log on to the computer using an account that has local administrator rights and permissions.

  2. Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2013, and then click Lync Server Management Shell.

  3. Find out what certificates have been assigned to the server and for which type of use. You need this information in the next step to assign the updated certificate. At the command line, type:

    Copy Code
    Get-CsCertificate
    
  4. Look in the output from the previous step to see whether a single certificate is assigned for multiple uses or whether a different certificate is assigned for each use. Look in the Use parameter to find out how a certificate is used. Compare the Thumbprint parameter for the displayed certificates to see if the same certificate has multiple uses.

  5. Update the certificate. At the command line, type:

    Copy Code
    Set-CsCertificate -Type <type of certificate as displayed in the Use parameter> -Thumbprint <unique identifier>
    

    For example, if the Get-CsCertificate cmdlet displayed a certificate with Use of Default, another with a Use of WebServicesInternal, and another with a Use of WebServicesExternal, and they all had the same Thumbprint value, at the command line, type:

    Copy Code
    Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint <Certificate Thumbprint>
    

    Important:

    If a separate certificate is assigned for each use (the Thumbprint value is different for each certificate), it is important that you do not run the Set-CsCertificate cmdlet with multiple types. In this case, run the Set-CsCertificate cmdlet separately for each use. For example:

    Copy Code
    Set-CsCertificate -Type Default -Thumbprint <Certificate Thumbprint>
    Set-CsCertificate -Type WebServicesInternal -Thumbprint <Certificate Thumbprint>
    Set-CsCertificate -Type WebServicesExternal -Thumbprint <Certificate Thumbprint>
    
  6. To view the certificate, click Start, click Run…. Type MMC to open the Microsoft Management Console.

  7. From the MMC menu, select File, select Add/Remove snap-in…, select Certificates. Click Add. When prompted, select Computer account, then click Next.

  8. If this is the computer where the certificate is located, select Local computer. If the certificate is located on another computer, select Another computer, type in the fully qualified domain name of the computer or click Browse In Enter the object name to select, type the name of the computer. Click Check Names. When the name of the computer is resolved, it will be underlined. Click OK, then click Finish. Click OK to commit the selection and close the Add or Remove Snap-ins dialog.

  9. To view the properties of the certificate, expand Certificates, expand Personal, and select Certificates. Select the certificate to view, right-click on the certificate and select Open.

  10. In the Certificate view, select Details. From here, you can select the certificate subject name by selecting Subject and the assigned subject name and associated properties are displayed.

  11. To view the assigned subject alternative names, select Subject Alternative Name. All assigned subject alternative names are displayed. The subject alternative names that are found in the property are of type DNS Name by default. You should see the following members (all of which should be fully qualified domain names as represented in DNS host (A or, if IPv6 AAAA) records:

    • Pool name for this pool, or the single server name if this is not a pool

    • Server name that the certificate is assigned to

    • Simple URL records, typically meet and dialin

    • Web services internal and Web services external names (for example, webpool01.contoso.net, webpool01.contoso.com), based on choices made in Topology Builder and over-ridden web services selections.

    • If already assigned, the lyncdiscover.<sipdomain> and lyncdiscoverinternal.<sipdomain> records.

    The last item is what you are most interested in – if there is a lyncdiscover and lyncdiscoverinternal SAN entry.

    Once you have this information, you can close the certificate view and the MMC.

  12. If an Autodiscover Service subject alternative name is missing, and you are using a single Default certificate for the Default, WebServicesInternal and WebServiceExternal types, do the following:

    • At the Lync Server Management Shell command line prompt, type:

      Copy Code
      Request-CsCertificate -New -Type Default,WebServicesInternal,WebServicesExternal -Ca dc\myca -AllSipDomain -verbose
      

      If you have many SIP domains, you cannot use the new AllSipDomain parameter. Instead, you must use DomainName parameter. When you use the DomainName parameter, you must define the FQDN for the lyncdiscoverinternal and lyncdiscover records. For example:

      Copy Code
      Request-CsCertificate -New -Type Default,WebServicesInternal,WebServicesExternal -Ca dc\myca -DomainName "LyncdiscoverInternal.contoso.com, LyncdiscoverInternal.contoso.net" -verbose
      
    • To assign the certificate, type the following:

      Copy Code
      Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint <Certificate Thumbprint>
      

      Where “Thumbprint” is the thumbprint displayed for the newly issued certificate.

  13. For a missing internal Autodiscover subject alternative names when using separate certificates for Default, WebServicesInternal, and WebServicesExternal, do the following:

    • At the Lync Server Management Shell command line prompt, type:

      Copy Code
      Request-CsCertificate -New -Type WebServicesInternal -Ca dc\myca -AllSipDomain -verbose
      

      If you have many SIP domains, you cannot use the new AllSipDomain parameter. Instead, you must use DomainName parameter. When you use the DomainName parameter, you must use an appropriate prefix for the SIP domain FQDN. For example:

      Copy Code
      Request-CsCertificate -New -Type WebServicesInternal -Ca dc\myca -DomainName "LyncdiscoverInternal.contoso.com, LyncdiscoverInternal.contoso.net" -verbose
      
    • For a missing external Autodiscover subject alternative name, at the command line, type:

      Copy Code
      Request-CsCertificate -New -Type WebServicesExternal -Ca dc\myca -AllSipDomain -verbose
      

      If you have many SIP domains, you cannot use the new AllSipDomain parameter. Instead, you must use DomainName parameter. When you use the DomainName parameter, you must use an appropriate prefix for the SIP domain FQDN. For example:

      Copy Code
      Request-CsCertificate -New -Type WebServicesExternal -Ca dc\myca -DomainName "Lyncdiscover.contoso.com, Lyncdiscover.contoso.net" -verbose
      
    • To assign the individual certificate types, type the following:

      Copy Code
      Set-CsCertificate -Type Default -Thumbprint <Certificate Thumbprint>
      Set-CsCertificate -Type WebServicesInternal -Thumbprint <Certificate Thumbprint>
      Set-CsCertificate -Type WebServicesExternal -Thumbprint <Certificate Thumbprint>
      

      Where “Thumbprint” is the thumbprint displayed for the newly issued individual certificates.