Modifying Certificates for Mobility


Topic Last Modified: 2011-11-15

After you apply the cumulative update for Lync Server 2010: November 2011, the certificates on your Director pool, Front End pool, and reverse proxy require additional subject alternative name entries to support secure connections with mobile clients. For details about certificate requirements for mobility, see Technical Requirements for Mobility.

Update the certificates after you install the new Microsoft Lync Server 2010 Mobility Service or after you run the Set-CsWebServer cmdlet to set ports for the Mobility Service.

The Set-CsCertificate cmdlet validates the subject alternative names on the certificate you assign and returns a warning if a subject alternative name for the internal Microsoft Lync Server 2010 Autodiscover Service fully qualified domain name (FQDN) or the external Autodiscover Service FQDN is missing. If the cmdlet reports a missing subject alternative name, you need to run the Request-CsCertificate cmdlet to obtain a replacement certificate. To run this cmdlet locally, you must be a local administrator and have rights to the specified certification authority.

Important

One exception is when the external Domain Name System (DNS) record is an A (host) record. If the external DNS record is an A (host) record and you run the Set-CsCertificate cmdlet on a Director, the cmdlet does not return a warning about a missing subject alternative name for the external Autodiscover Service (lyncdiscover.<sipdomain>). In that case, do not rely on the warning: inspect the subject alternative names on the certificate yourself and confirm that lyncdiscover.<sipdomain> is present for each SIP domain.

To update certificates with new subject alternative names

  1. Log on to the computer using an account that has local administrator rights and permissions.

  2. Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2010, and then click Lync Server Management Shell.

  3. Find out what certificates have been assigned to the server and for which type of use. You need this information in the next step to assign the updated certificate. At the command line, type:

    Get-CsCertificate
    
  4. Look in the output from the previous step to see whether a single certificate is assigned for multiple uses or whether a different certificate is assigned for each use. Look in the Use parameter to find out how a certificate is used. Compare the Thumbprint parameter for the displayed certificates to see if the same certificate has multiple uses.

  5. Update the certificate. At the command line, type:

    Set-CsCertificate -Type <type of certificate as displayed in the Use parameter> -Thumbprint <unique identifier>
    

    For example, if the Get-CsCertificate cmdlet displayed a certificate with Use of Default, another with a Use of WebServicesInternal, and another with a Use of WebServicesExternal, and they all had the same Thumbprint value, at the command line, type:

    Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint <Certificate Thumbprint>
    

    Important:

    If a separate certificate is assigned for each use (the Thumbprint value is different for each certificate), it is important that you do not run the Set-CsCertificate cmdlet with multiple types. In this case, run the Set-CsCertificate cmdlet separately for each use. For example:

    Set-CsCertificate -Type Default -Thumbprint <Certificate Thumbprint>
    Set-CsCertificate -Type WebServicesInternal -Thumbprint <Certificate Thumbprint>
    Set-CsCertificate -Type WebServicesExternal -Thumbprint <Certificate Thumbprint>
    
  6. If an Autodiscover Service subject alternative name is missing, do the following:

    • For a missing internal Autodiscover subject alternative name, at the command line, type:

      Request-CsCertificate -New -Type WebServicesInternal -Ca dc\myca -AllSipDomain -verbose
      

      If you have many SIP domains, you cannot use the new AllSipDomain parameter. Instead, you must use the DomainName parameter. When you use the DomainName parameter, you must prefix each SIP domain FQDN with the internal Autodiscover name, lyncdiscoverinternal. For example:

      Request-CsCertificate -New -Type WebServicesInternal -Ca dc\myca -DomainName "LyncdiscoverInternal.contoso.com, LyncdiscoverInternal.contoso.net" -verbose
      
    • For a missing external Autodiscover subject alternative name, at the command line, type:

      Request-CsCertificate -New -Type WebServicesExternal -Ca dc\myca -AllSipDomain -verbose
      

      If you have many SIP domains, you cannot use the new AllSipDomain parameter. Instead, you must use the DomainName parameter. When you use the DomainName parameter, you must prefix each SIP domain FQDN with the external Autodiscover name, lyncdiscover. For example:

      Request-CsCertificate -New -Type WebServicesExternal -Ca dc\myca -DomainName "Lyncdiscover.contoso.com, Lyncdiscover.contoso.net" -verbose
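
The following script is an added example that ties steps 3 through 6 together; it is not part of this topic or of the Lync Server product. It runs in the Lync Server Management Shell on a Front End Server or Director and assumes the Get-CsCertificate, Set-CsCertificate and Get-CsSipDomain cmdlets behave as documented for Lync Server 2010. It groups the assigned certificates by Thumbprint so that a certificate shared across uses is reassigned with all of its uses in one call, while separate certificates are reassigned one use at a time (the Important note above). It then reads the subject alternative name extension (OID 2.5.29.17) directly from the local computer certificate store and compares it with lyncdiscoverinternal.<sipdomain> and lyncdiscover.<sipdomain> for every SIP domain, so the check does not depend on the Set-CsCertificate warning that is suppressed in the Director A-record case. The certification authority name dc\myca is the placeholder used in the topic; $DryRun, Get-SanDnsNames and the script variables are assumptions of this example.

```powershell
# Added example for the Lync Server Management Shell; not code from the original topic.
# Assumptions: the Cert: provider is available, SAN entries are DNS names (wildcard
# entries are not treated as matches), and dc\myca is replaced with your issuing CA.
$DryRun = $true          # set to $false to actually run Set-CsCertificate
$Ca     = 'dc\myca'      # placeholder CA name from the topic
$Uses   = @('Default', 'WebServicesInternal', 'WebServicesExternal')

# Read the DNS names from a certificate's subject alternative name extension.
function Get-SanDnsNames([string]$Thumbprint) {
    $cert = Get-Item ("Cert:\LocalMachine\My\{0}" -f $Thumbprint)
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format($false) returns e.g. "DNS Name=a.contoso.com, DNS Name=b.contoso.com"
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim().ToLower() }
}

# Step 3: inventory the certificates assigned to this server, one entry per Use.
$assigned = Get-CsCertificate | Where-Object { $Uses -contains "$($_.Use)" }

# Steps 4 and 5: one Set-CsCertificate call per distinct certificate. A certificate
# that serves several uses is reassigned with all of them; separate certificates are
# never combined in a single -Type list.
foreach ($group in ($assigned | Group-Object -Property Thumbprint)) {
    $types = @($group.Group | ForEach-Object { "$($_.Use)" })
    Write-Host ("Set-CsCertificate -Type {0} -Thumbprint {1}" -f ($types -join ','), $group.Name)
    if (-not $DryRun) {
        Set-CsCertificate -Type $types -Thumbprint $group.Name -Verbose
    }
}

# Step 6 (and the Important note): verify the Autodiscover names ourselves.
$sipDomains = @(Get-CsSipDomain | ForEach-Object { $_.Name })
$required   = @{
    'WebServicesInternal' = 'lyncdiscoverinternal'
    'WebServicesExternal' = 'lyncdiscover'
}

foreach ($entry in $assigned) {
    $use = "$($entry.Use)"
    if (-not $required.ContainsKey($use)) { continue }

    $wanted  = @($sipDomains | ForEach-Object { ("{0}.{1}" -f $required[$use], $_).ToLower() })
    $present = @(Get-SanDnsNames $entry.Thumbprint)
    $missing = @($wanted | Where-Object { $present -notcontains $_ })

    if ($missing.Count -eq 0) {
        Write-Host ("{0} certificate {1}: all Autodiscover names present" -f $use, $entry.Thumbprint)
        continue
    }

    Write-Warning ("{0} certificate {1} lacks: {2}" -f $use, $entry.Thumbprint, ($missing -join ', '))
    # Request a replacement that carries every Autodiscover name for this use, then
    # assign it with Set-CsCertificate once the CA has issued it.
    Write-Host ('Request-CsCertificate -New -Type {0} -Ca {1} -DomainName "{2}" -Verbose' -f
        $use, $Ca, ($wanted -join ', '))
}
```

With $DryRun left at $true the script only prints the Set-CsCertificate and Request-CsCertificate commands it would run, which lets you confirm the thumbprint-to-use grouping before changing anything. The SAN check reads the extension from the certificate store rather than trusting the cmdlet warning, which is what makes it useful on a Director whose external Autodiscover record is an A record.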