Certificate Infrastructure Requirements

Topic Last Modified: 2011-11-03

Microsoft Lync Server 2010 communications software requires a public key infrastructure (PKI) to support TLS and mutual TLS (MTLS) connections.

Lync Server 2010 uses certificates for the following purposes:

• TLS connections between client and server

• MTLS connections between servers

• Federation using automatic DNS discovery of partners

• Remote user access for instant messaging (IM)

• External user access to audio/video (A/V) sessions, application sharing, and conferencing

• Mobile requests using automatic discovery of Web Services

For Lync Server 2010, the following common requirements apply:

• All server certificates must support server authorization (Server EKU).

• All server certificates must contain a CRL Distribution Point (CDP).

• Auto-enrollment is supported for internal servers running Lync Server.

• Auto-enrollment is not supported for Lync Server Edge Servers.

• When you submit a web-based certificate request to a Windows Server 2003 CA, you must submit it from a computer running either Windows Server 2003 with SP2 or Windows XP.

  Note that although KB922706 provides support for resolving issues with enrolling web certificates against a Windows Server 2003 Certificate Services web enrollment, it does not make it possible to use Windows Server 2008, Windows Vista, or Windows 7 to request a certificate from a Windows Server 2003 CA.

• Key lengths of 1024, 2048, and 4096 are supported.

• The default hash algorithm is RSA. The ECDH_P256, ECDH_P384, and ECDH_P521 hash algorithms are also supported.