Topic Last Modified: 2012-10-22

A Director deployed with DNS load balancing and a hardware load balancer uses a default certificate whose subject name and subject alternative names cover the services that the Director can receive. A certificate is requested for each Director in the pool. It is important to remember that the hardware load balancer is load balancing only the traffic from the reverse proxy. Additionally, an OAuth Token certificate, used for server-to-server authentication, is installed on each server.

Certificates for Director

| Component | Subject name (SN) | Subject alternative names (SAN) | Comments |
|---|---|---|---|
| Default | dirpool01.contoso.net | dirpool01.contoso.net; dir01.contoso.net; dialin.contoso.com; meet.contoso.com; lyncdiscoverinternal.contoso.com; lyncdiscover.contoso.com; (Optionally) *.contoso.com | Director certificates can be requested from either an internally managed certification authority (CA) or from a public CA. The Director responds to requests from the reverse proxy in the perimeter or from the Edge Server. Internal clients will not use the Director. Or, a wildcard entry for the simple URLs |
| OAuthTokenIssuer | dir01.contoso.net | No Entry | Important: Note that the minimum key length is 1024, but you may receive a warning that the minimum recommended key length is 2048 bits. The OAuthTokenIssuer certificate is a single-purpose certificate for the purpose of authenticating servers in a large-scale environment, and can be requested from an internal CA or from a public CA. The certificate is required. |
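The following is an added example, not part of the original topic or of Lync Server: a small audit of a Director default certificate against the names and key lengths in the table above. The function names and the plain-value input (subject, SAN list, key size taken from an issued certificate) are assumptions; the host names are the contoso sample values from the table.

```python
# Added example: audits a Director "Default" certificate described by plain values.
# Names are the contoso sample values from the table; the audit logic is an assumption.
REQUIRED_SANS = [
    "dirpool01.contoso.net",
    "dir01.contoso.net",
    "dialin.contoso.com",
    "meet.contoso.com",
    "lyncdiscoverinternal.contoso.com",
    "lyncdiscover.contoso.com",
]
MIN_KEY_BITS = 1024          # minimum stated on the page
RECOMMENDED_KEY_BITS = 2048  # recommended minimum stated on the page


def san_covers(san, host):
    """True if one SAN entry matches host; '*' replaces exactly the left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == san[2:]


def audit(subject, sans, key_bits, expected_subject="dirpool01.contoso.net"):
    """Return (errors, warnings) for one certificate."""
    errors, warnings = [], []
    if subject.lower() != expected_subject.lower():
        errors.append(f"subject name is {subject}, expected {expected_subject}")
    for name in REQUIRED_SANS:
        if not any(san_covers(s, name) for s in sans):
            errors.append(f"no SAN covers {name}")
    if key_bits < MIN_KEY_BITS:
        errors.append(f"{key_bits}-bit key is below the {MIN_KEY_BITS}-bit minimum")
    elif key_bits < RECOMMENDED_KEY_BITS:
        warnings.append(f"{key_bits}-bit key is below the recommended {RECOMMENDED_KEY_BITS} bits")
    return errors, warnings


if __name__ == "__main__":
    # Constructed input: wildcard used for the simple URLs, pool FQDN listed, dir01 forgotten.
    errors, warnings = audit("dirpool01.contoso.net",
                             ["dirpool01.contoso.net", "*.contoso.com"], 1024)
    for line in errors:
        print("ERROR:", line)
    for line in warnings:
        print("WARN: ", line)
```

The constructed input shows why the wildcard entry is only a substitute for the simple URLs: *.contoso.com covers the contoso.com names, but the pool and server FQDNs in contoso.net still need their own SAN entries.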