
Certificates for Lync Phone Edition

Lync Server 2010
Topic Last Modified: 2014-01-07

Lync Server relies on certificates for server authentication and to establish a chain of trust between clients and servers and among the different server roles. The Windows Server operating system provides the infrastructure for establishing and validating this chain of trust.

Certificates are digital IDs. They identify a server by name and specify its properties. To ensure that the information on a certificate is valid, the certificate must be issued by a certification authority (CA) that is trusted by clients or other servers that connect to the server. If the server connects only with other clients and servers on a private network, the CA can be an enterprise CA. If the server interacts with entities outside the private network, a public CA might be required.

Even if the information on the certificate is valid, there must be some way to verify that the server presenting the certificate is actually the one represented by the certificate. This is where the Windows public key infrastructure (PKI) comes in.

Each certificate is linked to a public key. The server named on the certificate holds a corresponding private key that only it knows. A connecting client or server uses the public key to encrypt a random piece of information and sends it to the server. If the server decrypts the information and returns it as plain text, the connecting entity can be sure that the server holds the private key to the certificate and is therefore the server named on the certificate.

Communication between Lync Phone Edition and Lync Server is encrypted by default using Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP). For this reason, the device running Lync Phone Edition must trust the certificates presented by Lync Server. If the computers running Lync Server use public certificates, the device will most likely trust them automatically, because the device contains the same list of trusted CAs as Windows CE. However, because most Lync Server deployments use internal certificates for the internal Lync Server server roles, the root CA certificate from the internal CA must be installed on the device. The root CA certificate cannot be installed on the device manually, so it must come from the network. Lync Phone Edition can download the certificate by using two methods.

First, the device searches for Active Directory Domain Services (AD DS) objects of the category certificationAuthority. If the search returns any objects, the device uses the attribute caCertificate. That attribute is assumed to hold the certificate, and the device installs the certificate.

The root CA certificate must be published in the caCertificate attribute for Lync Phone Edition to find it. To add the root CA certificate to the caCertificate attribute, use the following command:

certutil -f -dspublish <Root CA certificate in .cer file> RootCA

If the search for Active Directory objects of the category certificationAuthority does not return any objects, or if the returned objects have empty caCertificate attributes, the device searches for Active Directory objects of the category pKIEnrollmentService in the configuration naming context. Such objects exist if certificate autoenrollment has been enabled in Active Directory. If the search returns any objects, the device uses the returned dNSHostName attribute to locate the CA, and then uses the web interface of Windows Certificate Services to retrieve the root CA certificate with the following HTTP GET request:

http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64

If neither of these methods succeeds, the device displays the error message "Cannot validate server certificate," and the user cannot use the device.

The following is a list of considerations for issuing certificates to Lync Phone Edition:

  • By default, Lync Phone Edition uses TLS and SRTP, which require that:

    -Trusted certificates are presented by Lync Server and Microsoft Exchange Server.

    -The root CA chain certificate resides on the device.

  • You cannot manually install certificates on the device.

  • Choose one of the following approaches:

    -Use public certificates, which are preloaded on the device.

    -Use organization certificates, and have the device receive the root CA chain from the network.

Lync Phone Edition can find the certificate by using either the PKI auto-enrollment object in AD DS or a well-known distinguished name (DN). Here are the details:

  • When PKI auto-enrollment is enabled on the organization CA, the device makes a Lightweight Directory Access Protocol (LDAP) request to find the pKIEnrollmentService object and the CA server address, and then downloads the certificate over HTTP from the /certsrv site of the Windows CA by using the user's credentials.

  • When you run certutil -f -dspublish "<.cer file location>" RootCA to upload the root CA certificate to the configuration naming context (NC), the certificate is stored under the following DN:

    CN=Certification Authorities, CN=Public Key Services, CN=Services, CN=Configuration, DC=<AD domain>

Note:
The LDAP request uses BaseDN: CN=Configuration, DC=<Domain> and Filter: (objectCategory=pKIEnrollmentService), and the attribute searched for is dNSHostName. Be aware that the device downloads the certificate with the HTTP GET request http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64.
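To check whether a deployment satisfies either lookup before devices report "Cannot validate server certificate," the following script reproduces the two searches described above (certificationAuthority/caCertificate first, then pKIEnrollmentService/dNSHostName and the Web Enrollment URL). It is an added example, not part of this article or of Lync Phone Edition; it assumes it runs on a domain-joined Windows computer as a domain user, and the container and attribute names are the ones from this page.

```powershell
# Added example: reproduce the Lync Phone Edition root CA lookups against the
# forest's configuration naming context. Assumes a domain-joined host and a
# domain user account (the phone also uses the user's credentials).
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext   # e.g. CN=Configuration,DC=contoso,DC=com

function Search-ConfigNc {
    param([string]$Filter, [string[]]$Attributes)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$configNc"
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    return $searcher.FindAll()
}

# Method 1: certificationAuthority objects with a populated caCertificate attribute
$found = $false
foreach ($ca in (Search-ConfigNc '(objectCategory=certificationAuthority)' @('cn', 'cACertificate'))) {
    $blobs = $ca.Properties['cacertificate']
    if ($blobs.Count -eq 0) {
        Write-Warning "$($ca.Properties['cn'][0]): caCertificate attribute is empty (certutil -dspublish not run?)"
        continue
    }
    foreach ($der in $blobs) {
        # Each value is the DER-encoded certificate; decode it to show what the phone would install
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, [byte[]]$der)
        "{0,-50} expires {1,-12} thumbprint {2}" -f $cert.Subject, $cert.NotAfter.ToShortDateString(), $cert.Thumbprint
        $found = $true
    }
}

# Method 2 (fallback): pKIEnrollmentService -> dNSHostName -> Web Enrollment download
if (-not $found) {
    foreach ($svc in (Search-ConfigNc '(objectCategory=pKIEnrollmentService)' @('dNSHostName'))) {
        $dnsHost = $svc.Properties['dnshostname'][0]
        $url = "http://$dnsHost/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64"
        try {
            $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
            "$url -> HTTP $($resp.StatusCode), $($resp.Content.Length) bytes"
            $found = $true
        } catch {
            Write-Warning "$url -> $($_.Exception.Message)"
        }
    }
}

if (-not $found) {
    Write-Warning 'Neither lookup succeeded; the phone would report "Cannot validate server certificate".'
}
```

A warning from the first loop means the root CA object exists but the attribute is empty, which is exactly the case the article says sends the device on to the second method.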

The following table lists the public certificates that Lync Phone Edition trusts.

Public Trusted Certificates

Vendor          Certificate Name                                     Expiry Date   Key length
Comodo          AAA Certificate Services                             12/31/2028    2048
Comodo          AddTrust External CA Root                            5/30/2020     2048
CyberTrust      Baltimore CyberTrust Root                            5/12/2025     2048
CyberTrust      GTE CyberTrust Global Root                           8/13/2018     1024
VeriSign        Class 2 Public Primary Certification Authority       8/1/2028      1024
VeriSign        Thawte Premium Server CA                             12/31/2020    1024
VeriSign        Thawte Server CA                                     12/31/2020    1024
VeriSign        Class 3 Public Primary Certification Authority       8/1/2028      1024
Entrust         Entrust.net Certification Authority (2048)           12/24/2019    2048
Entrust         Entrust.net Secure Server Certification Authority    5/25/2019     1024
Entrust         Entrust Root Certification Authority                 11/27/2026    2048
Entrust         Entrust.net Certification Authority (2048)           7/24/2029     2048
Equifax         Equifax Secure Certificate Authority                 8/22/2018     1024
GeoTrust        GeoTrust Global CA                                   5/20/2022     2048
Go Daddy        Go Daddy Class 2 Certification Authority             6/29/2034     2048
Go Daddy        http://www.valicert.com/                             6/25/2019     1024
Go Daddy        Starfield Class 2 Certification Authority            6/29/2034     2048
DigiCert Inc.   DigiCert Assured ID Root CA                          11/9/2031     2048
DigiCert Inc.   DigiCert Global Root CA                              11/9/2031     2048
DigiCert Inc.   DigiCert High Assurance EV Root CA                   11/9/2031     2048
