Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All

Certificate infrastructure requirements for Lync Server 2013


Topic Last Modified: 2013-03-22

Lync Server 2013 requires a public key infrastructure (PKI) to support TLS and mutual TLS (MTLS) connections.

Lync Server uses certificates for the following purposes:

  • TLS connections between client and server

  • MTLS connections between servers

  • Federation using automatic DNS discovery of partners

  • Remote user access for instant messaging (IM)

  • External user access to audio/video (A/V) sessions, application sharing, and conferencing

  • Mobile requests using automatic discovery of Web Services

For Lync Server, the following common requirements apply:

  • All server certificates must support server authorization (Server EKU).

  • All server certificates must contain a CRL Distribution Point (CDP).

  • All certificates must be signed using a signing algorithm supported by the operating system. Lync Server 2013 supports the SHA-1 and SHA-2 suite of digest sizes (224, 256, 384 and 512-bit), and meets or exceeds the operating system requirements. For operating system support, see http://go.microsoft.com/fwlink/?LinkId=287002.

  • Auto-enrollment is supported for internal servers running Lync Server.

  • Auto-enrollment is not supported for Lync Server Edge Servers.

  • When you submit a web-based certificate request to a Windows Server 2003 CA, you must submit it from a computer running either Windows Server 2003 with SP2 or Windows XP.

    Note that although KB922706 provides support for resolving issues with enrolling web certificates against a Windows Server 2003 Certificate Services web enrollment, it does not make it possible to use Windows Server 2008, Windows Vista, or Windows 7 to request a certificate from a Windows Server 2003 CA.

  • Encryption key lengths of 1024, 2048, and 4096 are supported. Key lengths of 2048 and greater are recommended.

  • The default digest, or hash signing, algorithm is RSA. The ECDH_P256, ECDH_P384, and ECDH_P521 algorithms are also supported. 

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2015 Microsoft