
Staging AV and OAuth Certificates Using -Roll in Set-CsCertificate

Lync Server 2013

Topic Last Modified: 2012-11-13

Audio/Video (A/V) communications is a key component of Microsoft Lync Server 2013. Features such as application sharing and audio and video conferencing rely on the certificates assigned to the A/V Edge service, specifically the A/V Authentication service.

Important:
  1. This new feature is designed to work for the A/V Edge service certificate and the OAuthTokenIssuer certificate. Other certificate types can be provisioned along with the A/V Edge service and OAuth certificate types, but they will not benefit from the coexistence behavior that the A/V Edge service certificate does.
  2. The Lync Server Management Shell PowerShell cmdlets used to manage Microsoft Lync Server 2013 certificates refer to the A/V Edge service certificate as the AudioVideoAuthentication certificate type and to the OAuthServer certificate as the OAuthTokenIssuer type. For the rest of this topic, and to uniquely identify the certificates, they will be referred to by those same identifiers, AudioVideoAuthentication and OAuthTokenIssuer.

The A/V Authentication service is responsible for issuing tokens that are used by clients and other A/V consumers. The tokens are generated from attributes on the certificate, so when the certificate expires, existing sessions lose their connection and must rejoin with a new token generated from the new certificate. A new feature in Lync Server 2013 alleviates this problem: the ability to stage a new certificate in advance of the old one expiring, allowing both certificates to continue to function for a period of time. This feature uses updated functionality in the Set-CsCertificate Lync Server Management Shell cmdlet. The new parameter -Roll, together with the existing parameter -EffectiveDate, places the new AudioVideoAuthentication certificate in the certificate store. The older AudioVideoAuthentication certificate remains in place so that tokens it issued can still be validated against it. Beginning with putting the new AudioVideoAuthentication certificate in place, the following series of events will occur:

Tip:
Using the Lync Server Management Shell cmdlets for managing certificates, you can request separate and distinct certificates for each purpose on the Edge Server. The Certificate Wizard in the Lync Server Deployment Wizard assists you in creating certificates, but it typically creates the Default type, which couples all certificate uses for the Edge Server onto a single certificate. If you are going to use the rolling certificate feature, the recommended practice is to decouple the AudioVideoAuthentication certificate from the other certificate purposes. You can provision and stage a certificate of the Default type, but only the AudioVideoAuthentication portion of the combined certificate will benefit from the staging. A user involved in (for example) an instant messaging conversation when the certificate expires will need to log out and log back in to make use of the new certificate associated with the Access Edge service. Similar behavior will occur for a user involved in a Web conference using the Web Conferencing Edge service. The OAuthTokenIssuer certificate is a specific type that is shared across all servers: you create and manage the certificate in one place, and the certificate is stored in the Central Management store for all other servers.

Additional detail is needed to fully understand your options and requirements when using the Set-CsCertificate cmdlet to stage certificates before the current certificate expires. The -Roll parameter is important, but essentially single purpose. If you specify it, you are telling Set-CsCertificate that you will also provide which certificate will be affected, defined by -Type (for example, AudioVideoAuthentication or OAuthTokenIssuer), and when that certificate will become effective, defined by -EffectiveDate.

-Roll: The -Roll parameter is required and has dependencies that must be supplied along with it. The following parameters are required to fully define which certificates will be affected and how they will be applied:

-EffectiveDate: The -EffectiveDate parameter defines when the new certificate becomes co-active with the current certificate. The -EffectiveDate can be close to the expiry time of the current certificate, or it can allow a longer overlap. The recommended minimum lead time for the AudioVideoAuthentication certificate is 8 hours before the current certificate expires, which is the default token lifetime for A/V Edge service tokens issued using the AudioVideoAuthentication certificate.

When staging OAuthTokenIssuer certificates, the requirements for the lead time before the certificate becomes effective are different. The minimum lead time for the OAuthTokenIssuer certificate is 24 hours before the expiration time of the current certificate. The longer coexistence period is needed because other server roles that depend on the OAuthTokenIssuer certificate (Exchange Server, for example) retain authentication and encryption key material derived from the certificate for a longer time.

-Thumbprint: The thumbprint is an attribute of the certificate that is unique to that certificate. The -Thumbprint parameter identifies the certificate that will be affected by the actions of the Set-CsCertificate cmdlet.

-Type: The -Type parameter accepts a single certificate usage type or a comma-separated list of certificate usage types. The certificate types identify to the cmdlet and to the server what the purpose of the certificate is. For example, type AudioVideoAuthentication is for use by the A/V Edge service and the A/V Authentication service. If you decide to stage and provision certificates of different types at the same time, you must use the longest minimum effective lead time among those certificates. For example, if you need to stage certificates of type AudioVideoAuthentication and OAuthTokenIssuer together, your minimum -EffectiveDate must be the greater of the two lead times, in this case that of the OAuthTokenIssuer certificate, which has a minimum lead time of 24 hours. If you do not want to stage the AudioVideoAuthentication certificate with a lead time of 24 hours, stage it separately with an -EffectiveDate that suits your requirements.

  1. Log on to the local computer as a member of the Administrators group.

  2. Request a renewal or new AudioVideoAuthentication certificate with exportable private key for the existing certificate on the A/V Edge service.

  3. Import the new AudioVideoAuthentication certificate to the Edge Server and to all other Edge Servers in your pool (if you have a pool deployed).

  4. Configure the imported certificate with the Set-CsCertificate cmdlet, using the -Roll parameter together with the -EffectiveDate parameter. The effective date should be defined as the current certificate's expiration time (14:00:00, or 2:00:00 PM) minus the token lifetime (by default eight hours). This gives the time at which the new certificate must become active, which is the -EffectiveDate <string>: "7/22/2012 6:00:00 AM".

    Important:
    For an Edge pool, you must have all AudioVideoAuthentication certificates deployed and provisioned by the date and time defined by the -EffectiveDate parameter of the first certificate deployed, to avoid possible A/V communications disruption due to the older certificate expiring before all client and consumer tokens have been renewed using the new certificate.

    The Set-CsCertificate command with the -Roll and -EffectiveDate parameters:

    Set-CsCertificate -Type AudioVideoAuthentication -Thumbprint <thumb print of new certificate> -Roll -EffectiveDate <date and time for certificate to become active>

    An example Set-CsCertificate command:

    Set-CsCertificate -Type AudioVideoAuthentication -Thumbprint "B142918E463981A76503828BB1278391B716280987B" -Roll -EffectiveDate "7/22/2012 6:00:00 AM"

    Important:
    The EffectiveDate must be formatted to match your server's region and language settings. The example uses the US English region and language settings.

To further understand how Set-CsCertificate with -Roll and -EffectiveDate stages a new certificate for issuing new AudioVideoAuthentication tokens while still using the existing certificate to validate AudioVideoAuthentication tokens that are in use by consumers, a visual timeline is an effective way to follow the process.

In the following example, the administrator determines that the A/V Edge service certificate is due to expire at 2:00:00 PM on 07/22/2012. He requests and receives a new certificate and imports it to each Edge Server in his pool. At 2 AM on 07/22/2012, he begins running Set-CsCertificate with -Roll, -Thumbprint equal to the thumbprint string of the new certificate, and -EffectiveDate set to 07/22/2012 6:00:00 AM. He runs this command on each Edge Server.


When the effective time is reached (7/22/2012 6:00:00 AM), all new tokens are issued using the new certificate. When validating tokens, a token is first validated against the new certificate; if that validation fails, the old certificate is tried. This process of trying the new certificate and falling back to the old one continues until the expiry time of the old certificate. Once the old certificate has expired (7/22/2012 2:00:00 PM), tokens are validated only by the new certificate. The old certificate can then be safely removed using the Remove-CsCertificate cmdlet with the -Previous parameter.

Remove-CsCertificate -Type AudioVideoAuthentication -Previous

  1. Log on to the local computer as a member of the Administrators group.

  2. Request a renewal or new OAuthTokenIssuer certificate with exportable private key for the existing certificate on the A/V Edge service.

  3. Import the new OAuthTokenIssuer certificate to a Front End Server in your pool (if you have a pool deployed). The OAuthTokenIssuer certificate is replicated globally and only needs to be updated and renewed on one server in your deployment; the Front End Server is used here as an example.

  4. Configure the imported certificate with the Set-CsCertificate cmdlet, using the -Roll parameter together with the -EffectiveDate parameter. The effective date should be defined as the current certificate's expiration time (14:00:00, or 2:00:00 PM) minus a minimum of 24 hours.

    The Set-CsCertificate command with the -Roll and -EffectiveDate parameters:

    Set-CsCertificate -Type OAuthTokenIssuer -Thumbprint <thumb print of new certificate> -Roll -EffectiveDate <date and time for certificate to become active>

    An example Set-CsCertificate command:

    Set-CsCertificate -Type OAuthTokenIssuer -Thumbprint "B142918E463981A76503828BB1278391B716280987B" -Roll -EffectiveDate "7/21/2012 1:00:00 PM"

    Important:
    The EffectiveDate must be formatted to match your server's region and language settings. The example uses the US English region and language settings.

When the effective time is reached (7/21/2012 1:00:00 AM), all new tokens are issued by the new certificate. When validating tokens, tokens will first be validated against the new certificate. If the validation fails, the old certificate is tried. The process of trying the new and falling back to the old certificate will continue until the expiry time of the old certificate. Once the old certificate has expired (7/22/2012 2:00:00 PM), tokens will only be validated by the new certificate. The old certificate can be safely removed using the Remove-CsCertificate cmdlet with the –Previous parameter.

Remove-CsCertificate -Type OAuthTokenIssuer -Previous
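The two staging procedures above both come down to the same arithmetic: the current certificate's expiration minus the minimum lead time for the type (8 hours for AudioVideoAuthentication, 24 hours for OAuthTokenIssuer, the longer of the two when both are staged together). The following script is an added example, not part of this topic or of the product, that derives the -EffectiveDate that way, checks that the new certificate is present in the local machine store and valid across the coexistence window, and formats the date in the server's own region settings before calling Set-CsCertificate. It assumes Get-CsCertificate output exposes NotAfter and Thumbprint properties and that the script runs in the Lync Server Management Shell.

```powershell
# Added example (not from the original topic): derive a safe -EffectiveDate for
# Set-CsCertificate -Roll. Run without -Apply to see the command it would issue.
param(
    [Parameter(Mandatory)][ValidateSet('AudioVideoAuthentication','OAuthTokenIssuer')]
    [string[]]$Type,
    [Parameter(Mandatory)][string]$NewThumbprint,
    [switch]$Apply
)

# Minimum lead times from the topic; staging both types together means the
# longer one (OAuthTokenIssuer, 24 h) applies.
$minLead = @{ AudioVideoAuthentication = [TimeSpan]::FromHours(8)
              OAuthTokenIssuer         = [TimeSpan]::FromHours(24) }
$lead = @($Type | ForEach-Object { $minLead[$_] } | Sort-Object -Descending)[0]

# Expiration of the currently assigned certificate(s); with several types the
# earliest expiry is the one the effective date must be measured from.
# Assumption: Get-CsCertificate output carries NotAfter.
$current = $Type | ForEach-Object { Get-CsCertificate -Type $_ }
$expires = ($current | Sort-Object NotAfter | Select-Object -First 1).NotAfter
$now     = Get-Date

# The new certificate must already be imported (step 3 of the procedures).
$new = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $new) { throw "Certificate $NewThumbprint is not in Cert:\LocalMachine\My" }
if ($new.NotAfter -le $expires) { throw "New certificate expires $($new.NotAfter), not after the current one ($expires)" }

$effective = $expires - $lead
if ($effective -lt $now) {
    throw "Only $($expires - $now) until the current certificate expires; less than the $lead lead time required"
}
if ($new.NotBefore -gt $effective) {
    throw "New certificate is not valid until $($new.NotBefore), after the effective date $effective"
}

# Format the date in the server's region/language settings, as the topic requires.
$effectiveText = $effective.ToString((Get-Culture))
$splat = @{ Type = $Type; Thumbprint = $NewThumbprint; Roll = $true; EffectiveDate = $effectiveText }
Write-Host "Set-CsCertificate -Type $($Type -join ',') -Thumbprint $NewThumbprint -Roll -EffectiveDate `"$effectiveText`""
if ($Apply) { Set-CsCertificate @splat }
```

For an Edge pool, run it with -Apply on every Edge Server before the computed effective date, as the Important note in the AudioVideoAuthentication procedure requires.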
