Public certificate for lync/exchange

Hi guys,
I need to buy a public certificate for Lync 2013. Shall I include a SAN name for my Office Web Apps (OWA) too, which is currently included in my Exchange SAN certificate?
Does anyone have good links on configuring Lync with an existing Exchange 2013, and also a link on configuring Lync Edge for external access? Our plan is to use Windows 2012 R2.
This is the first time for me to configure Lync and I need help. Thx

Hi Developer_75,
Agree with Thamaraw. You can include all SAN records in a single certificate.
And here are some links for your reference:
Integrating Microsoft Lync Server 2013 and Microsoft Outlook Web App 2013
Configuring Microsoft Exchange Server 2013 Unified Messaging for Microsoft Lync Server 2013 voice mail
Configuring the use of high-resolution photos in Microsoft Lync Server 2013
Lync External Access
Best regards,
Eric

Similar Messages

  • Looking for help to update the certificate for my Exchange Email Account...

    I'm trying to update the certificate for my Exchange Email Account... Dell had me delete the account, install the new certificate on my phone, and set up the email again... But it still won't work and acts like it can't find/use the new cert. Any suggestions besides a hard reset of the phone?

    That's a great question, LSchmitz!
    Is the e-mail account on your cell phone? Which device? If it's on your phone, an Exchange e-mail may need to be provisioned/set up by your employer/IT department.
    VanessaS_VZW

  • Need suggestion for ISE distributed deployment model in two different data centers along with public certificate for HTTPS

    Hi Experts,
    I am a bit confused about the ISE distributed deployment model.
    I have two data centers, one is DC and the other one is a DR. I have a requirement of guest access service implementation using CWA, and to get a public certificate for HTTPS to avoid certificate errors on client devices:
    How do I deploy ISE personas for HA in these two data centers?
    After reading the Cisco doc, I understood that we can have two PANs (primary in DC and secondary in DR), and likewise for MnT (monitoring will be the same as PAN). However, I can have 5 PSNs running in the secondary, i.e. in the DR ISE, and I am confused about HA for the PSNs: since we have all PSNs in the secondary, it would not work for HA if it fails.
    Can anybody suggest the best deployment solution for this scenario?
    Another doubt about the public certificate:
    Public certificate: the ISE domain must be a registered domain name, or part of a registered domain name, on the Internet. For that I need the domain name being used by the customer.
    Please do correct me if I am wrong about my understanding of the certificate:
    Since guests will be outside users, we cannot use a certificate from the internal CA; we need to get the certificate from a service provider and install the same on both ISE servers.
    Can anybody explain the procedure to obtain the public certificate for HTTPS from a service provider? And how do I install it on both ISE servers?

    Hi there. Let me try answering your questions:
    PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (In your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:
    1. Defining all PSN nodes as AAA radius servers inside the WLC
    2. Then under the SSID > AAA Servers Tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc. 
    3. As a result, you can have one WLC or SSID prefer PSN server A (located in primary DC) while a second WLC or SSID prefer PSN server B (located in backup DC)
    Last but not least, you could also place PSNs behind a load balancer and that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different data centers.
    Certificates: Yes, you would want to get a public certificate to service the guest portal. Getting a public/well known certificate would ensure that most devices out there would trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy, Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA but for any outsiders (Guests, contractors, etc) that do not trust and do not know who your internal CA is would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed and you will most likely get a lot of calls to your helpdesk :)
    I hope this helps!

  • Edge Public Certificate for Single Edge Pool + Reverse Proxy

    I have a public certificate that was ordered prematurely and the SN does not match the current setup of the access URL. The company that the certificate was ordered from does not allow editing of the SN, or what they call the domain name, without paying for an entirely new certificate. I do, however, have ample SANs that I can play with. I do not have a whole lot of experience with public certificates and am definitely not used to this "set in stone" deal. I've also included my reverse proxy URLs in the SAN portion but that, last time I checked, is still "OK": to use one cert for Edge and RP to reduce costs.
    Current Cert Example:
    SN access.domain
    SAN access1.domain
    conf1.domain
    lyncdiscover.domain
    ...etc.
    Edited Certificate
    SN access.domain
    SAN newaccess.domain
    newconf.domain
    Lyncdiscover.domain
    ..etc
    So, my question is as follows:
    Can I save my public cert and myself some heartache by either adding the new entries in the SAN area or using DNS in a way, or did I just learn a costly lesson?

    You're fine if I understand the question.  If the question is: Am I screwed if the common name doesn't match the access edge name? Then the answer is "You're fine".
    http://technet.microsoft.com/en-us/library/gg398920.aspx
    "The subject name of the certificate is the Access Edge service external interface fully qualified domain name (FQDN) or hardware load balancer VIP (for example, access.contoso.com). Note: For Lync Server 2013, this is no longer a requirement, but it is still recommended for compatibility with Office Communications Server."
    So, recommended and considered good practice, but not required.
    SWC Unified Communications

  • Public Certificate for ACS

    Can anyone tell me if there are security issues with using a public certificate on ACS to be utilized for PEAP authentication? Trying to make this more manageable for our Windows Mobile devices and what they have for default for root CA's. Thanks

    I would say partial yes to your post. Since ACS is going to assign the certificate, if the ACS server is secure, hence the certificate.

  • Using PowerShell to request a public certificate for webconf. What type should I specify

    Using the PowerShell command below to request a certificate for webconf.domain.com on the Edge. There are at least a dozen "types" I can specify. I was thinking WebServicesExternal but maybe AccessEdgeExternal?? Not sure what to use or if it even makes a difference.
    Request-CsCertificate -New -Type WebServicesExternal -ComputerFqdn "edgeserver.domain.com" -FriendlyName "Web Conferencing" -Organization etc......-PrivateKeyExportable $True -DomainName webconf.domain.com -Output c:\webconf.txt

    Type will be AccessEdgeExternal and the command will be as follows:
    Request-CsCertificate -New -Type AccessEdgeExternal -Output C:\ <certfilename.txt or certfilename.csr> -ClientEku $true -Template <template name>
    Also, you can refer to the link below:
    http://technet.microsoft.com/en-us/library/gg398409.aspx

  • Public certificate DV, OV, EV

    Hi,
    I would like to know if there is a difference between the public certificate for Lync Edge and Reverse Proxy between the type of DV (Domain Validation), OV (Organization Validation) and EV (Extended Validation)?
    Can I use any of these types, and are they supported?

    Hi Mike-WWW,
    Agree with others.
    In addition, please refer to the following KB to choose the Unified Communications certificate partners.
    https://support.microsoft.com/en-us/kb/929395
    Best regards,
    Eric

  • Lync + Exchange certificate

    Hello guys,
    I want to go through the PIC provisioning process so that my Lync users can communicate with Skype users. I am aware that I need a public certificate for my Edge server in order to do this. Right now I have certificates for my Exchange 2013 and Lync 2013 from my internal CA, and I want to replace the Lync Edge certificate and the Exchange certificate with a public one (SAN, I want all the FQDNs on one certificate). I have read other articles on this but I want to be sure, so please hear me out.
    1) My Lync Edge server has only one external interface with the FQDN sip.contoso.com. From what I've read I can't use wildcard certificates with this interface, so I must use SANs.
    2) My Exchange uses one namespace: mail.contoso.com. Also I need autodiscover.contoso.com for autodiscovery.
    So the certificate will look something like:
    CN: sip.contoso.com
    SAN: mail.contoso.com, autodiscover.contoso.com
    Do I need to put sip.contoso.com or anything else in the SAN also?
    I'm going to test this with an internal certificate before I buy a public one, but I want a second opinion before testing on a production environment.
    Thank you

    Hi,
    I would say we should include sip.domain.com in the certificate SAN entry. A few validation checks will skip the subject name and verify the SAN in the certificate. The following article may help you:
    http://technet.microsoft.com/en-us/library/gg398519.aspx
    Thanks
    Saleesh
    If answer is helpful, please hit the green arrow on the left, or mark as answer. Blog : http://blogs.technet.com/b/saleesh_nv/
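
The point made in the reply above (some validation checks read only the SAN, so the subject name should be repeated there) can be checked before a certificate is ordered. The PowerShell below is an added example, not code from the thread: the function names Test-SanEntryMatch, Get-SanCoverage and Get-CertSanDnsName are hypothetical, the input is constructed from the names in the question, and it goes beyond the thread by also applying wildcard matching rules to SAN entries.

```powershell
# Added example: report which required FQDNs a certificate's SAN list covers.
# Name matching only; whether a product accepts wildcards is a separate matter.

function Test-SanEntryMatch {
    param(
        [Parameter(Mandatory)][string]$SanEntry,
        [Parameter(Mandatory)][string]$HostName
    )
    $san  = $SanEntry.Trim().TrimEnd('.').ToLowerInvariant()
    $name = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    if ($san -eq $name) { return $true }
    # A wildcard counts only as the whole left-most label and matches exactly
    # one label: *.contoso.com covers mail.contoso.com, but neither
    # contoso.com nor a.b.contoso.com.
    if ($san.StartsWith('*.')) {
        $suffix = $san.Substring(1)                      # ".contoso.com"
        if ($name.EndsWith($suffix)) {
            $left = $name.Substring(0, $name.Length - $suffix.Length)
            return (($left.Length -gt 0) -and (-not $left.Contains('.')))
        }
    }
    return $false
}

function Get-SanCoverage {
    param(
        [Parameter(Mandatory)][string]$SubjectCN,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$SanDnsNames,
        [Parameter(Mandatory)][string[]]$RequiredNames
    )
    # The subject CN is checked too: validators that read only the SAN will
    # not see a name that appears in the subject alone.
    $toCheck = (@($SubjectCN) + $RequiredNames) | Select-Object -Unique
    foreach ($name in $toCheck) {
        $hit = $SanDnsNames |
            Where-Object { Test-SanEntryMatch -SanEntry $_ -HostName $name } |
            Select-Object -First 1
        [pscustomobject]@{
            Name      = $name
            Covered   = [bool]$hit
            MatchedBy = $hit
            IsSubject = ($name -eq $SubjectCN)
        }
    }
}

function Get-CertSanDnsName {
    # Reads the DNS entries of the SAN extension (OID 2.5.29.17) from a
    # certificate object, e.g. one taken from Cert:\LocalMachine\My.
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format() prints "DNS Name=<fqdn>" on English Windows and "DNS:<fqdn>" on
    # OpenSSL-based platforms; other UI languages localise the label.
    [regex]::Matches($ext.Format($true), '(?:DNS Name=|DNS:)([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# Constructed input 1: the certificate layout proposed in the question.
$plan = @{
    SubjectCN     = 'sip.contoso.com'
    SanDnsNames   = @('mail.contoso.com', 'autodiscover.contoso.com')
    RequiredNames = @('mail.contoso.com', 'autodiscover.contoso.com')
}
Get-SanCoverage @plan | Format-Table -AutoSize

# Constructed input 2: a wildcard SAN against an apex name and a two-label host.
$wild = @{
    SubjectCN     = 'mail.contoso.com'
    SanDnsNames   = @('*.contoso.com')
    RequiredNames = @('contoso.com', 'ex01.corp.contoso.com')
}
Get-SanCoverage @wild | Format-Table -AutoSize
```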

  • CWMS hostnames are not treated as valid subject alternate names for a public certificate

    Hi,
    I have a problem getting a public certificate for my CWMS Server 2.0.
    The FQDN for the public VIP is "meet.company.de",
    but the FQDN hostnames for the admin and media VMs are "admin.company.corp".
    The public certification authority does not accept our CSR because the Subject Alternate Name xxxx.company.corp is not valid.
    Any ideas how we can proceed? A wildcard certificate is not an option.

    Hello,
    There are a couple of things you can try to do:
    1. Change the Certification Authority. At least until November 2015, CAs should accept internal company domains and provide SSL certs for them. Not sure what CA you are trying to use, but I've seen Verisign, GoDaddy, Entrust, etc. providing SSL certs for internal domain names (using SAN certs)
    2. Change the FQDNs of your internal VMs. You would need to ensure you configure "company.de" zone in your internal DNS, create DNS entries for all the internal VMs, Private VIP and Admin and WebEx Site for "company.de" domain, and then perform the hostname change on CWMS for all the VMs and Admin site. You can change the VMs hostnames if you go to CWMS Dashboard > System > View More, and by clicking on each VM you will get an option to change the hostname. If the hostname is defined in DNS and resolves to the same IP address as the original hostname, the entry will be properly updated. (NOTE: don't change the IP addresses if not really needed. If needed, take a look at the instructions here) . Once you modified all the hostnames, you can generate new CSR (SAN) and you will get valid internal VM hostnames and your CA will be able to issue you a certificate.
    3. If you end up using the same domain name on all the VMs and VIPs, you may consider wildcard certs (not sure why they are not an option in your case).
    This is all that you can do when it comes to this issue.
    I hope any of this will help.
    -Dejan

  • Wildcard certificate for Exchange 2010

    Hi
    I have a single Exchange 2010 installed. I have installed a single domain name on the Exchange certificate; it expires next month, March 2014. I have a plan to buy a new wildcard certificate for the Exchange. I access OWA by ns1.xyz.com/owa without any problem, but in my local network my Outlook is giving a certificate error because of the single domain name on the certificate.
    My question is: what name should be on the wildcard CSR? Just put "*.xyz.com" or something else? Will that work in my local area as well as OWA and Outlook Anywhere?

    Hi,
    According to your description, your internal URLs have the different host name with the external ones.
    If you don't want to change the URLs, we need to add the following host names in the certificate:
    All the host names in the external and internal URLs including autodiscoverserviceinternalurl;
    Autodiscover.smtpaddresssuffix
    In this case, SAN certificate is more suitable for your environment than wildcard certificate.
    If I misunderstand your meaning, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Exchange 2013 Certificates for Hybrid Deployment Clarification

    I have Exchange 2013 servers (CAS and Mailbox on separate servers) which I want to set up for hybrid deployment. I already have a certificate acquired from a 3rd party with 3 names (mail, autodiscover and owa). The certificate was installed on the CAS server. As per the hybrid deployment documentation I also need to install a certificate on the mailbox server. Questions:
    1. Can I use the same certificate for installation in the mailbox server?
    2. Can I also use the same certificate in the Hybrid Configuration wizard for the "certificate to use with securing the hybrid mail transport"?
    3. Do I need to include the primary smtp domain (xxxxx.com) in the certificate since current configuration points to the mail.xxx.com as the certificate common name?

    Hi,
    Here are my answers you can refer to:
    1. It depends.
    The certificate used for hybrid secure mail transport must be installed on all on-premises Exchange 2013 Mailbox and Client Access servers.
    If you're configuring a hybrid deployment in an organization that has Exchange servers deployed in multiple Active Directory forests, you must use a separate third-party CA certificate for each Active Directory forest.
    2. Yes. But we recommend that you use a dedicated third-party certificate for any optional AD FS server, another certificate for the Exchange services for your hybrid deployment, and if needed, another certificate on your Exchange servers for other needed services or features.
    3. Yes. Here are the minimum suggested FQDNs that should be included on certificates: domain.com, autodiscover.domain.com, edge.domain.com
    For more information, you can refer to the following article:
    http://technet.microsoft.com/en-us/library/hh563848(v=exchg.150).aspx
    If you have any question, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Federation trouble with some partners after public certificate renewal

    I always seem to find the answer to my problems on this forum, but this time I'm stuck and need a little help.
    The problem happened after I renewed the public certificate on the Lync Edge server. Instantly, discovered federated partners dropped from 13 to 3. I get presence unknown with the "undiscovered" partners.
    I also got the same problem with 2 out of 5 direct/enhanced federated partners.
    Lync mobile "Push Notifications" also stopped working.
    I updated the certificate on 29 October. Since then discovered partners have increased to 7, Lync Mobile "Push Notifications" started working after about 2 weeks, but I'm still missing federation with a couple of important partners, and I still don't have federation working with partners using Lync Online (sipfed.online.lync.com). I did, however, never lose the federation with MSN contacts.
    Looking through the Edge server Event Viewer, I do see a lot of "LS Protocol Stack" - Event ID 14502:
    A significant number of connection failures have occurred with remote server sip.sarpsborg.com IP xx.xx.xx.xxx. There have been 289 failures in the last 880 minutes. There have been a total of 6516 failures.
    The specific failure types and their counts are identified below.
    Instance count   - Failure Type
    6095               0x80072746(WSAECONNRESET)
    421                0x8007274C(WSAETIMEDOUT)
    This can be due to credential issues, DNS, firewalls or proxies. The specific failure types above should identify the problem.
    When I run the "Microsoft Remote Connectivity Analyzer" it is all green except for a small warning saying:
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details
    ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    My certificate was bought from a highly respected certificate authority, and it was renewed with the same authority.
    When logging from a client i get these errors.
    ms-diagnostics:
    1047;reason="Failed to complete TLS negotiation with a federated peer server";WinsockFailureCode="10054(WSAECONNRESET)";WinsockFailureDescription="The peer forced closure of the connection";Peer="sip.partnerdomain.com";Port="5061";source="sip.our.domain.no"
    It looks to me like some of my previously federated partners don't like my new certificate, and that they basically need to update their root certificate.
    I'm having a hard time establishing exactly what has gone wrong here.
    Since I now have federation working with 7 partners, Lync Mobile is working with Push Notifications and Microsoft Remote Connectivity Analyzer tells me almost everything is fine.
    Is there anything misconfigured in my installation, or anywhere I can look deeper?
    Or...
    Maybe my public certificate authority provided me with a certificate that's "too new"?
    Or...
    Maybe our federated partners haven't updated their root server certificates on their edge servers in a while?
    Can anyone help point me in the right direction where I can look for more information?

    Hi Jorgen,
    Did you run Test-CsFederatedPartner and see if it returns successful results?
    Also, please check that the new certificate is located in the trusted cert store on your Lync server; if not, please manually add it under the personal certificates and under trusted root certification authorities, then reboot the Lync server.
    Here is an old thread with similar error message about the same failure type for your reference.
    http://social.technet.microsoft.com/Forums/nl-NL/ocsedge/thread/f2f39c06-cb3a-456d-8578-ee2408116ebb
    If still no luck please turn on Lync server logging and reproduce the issue to get the trace log for more specific information for troubleshooting.
    Regards,
    Sharon
    Sharon Shen
    TechNet Community Support

  • I can not add a new certificate to my exchange 2013

    Hi, I'm trying to create a certificate for my Exchange 2013, I do everything correctly, gender certificate in place of my domain certifying entity, downloaded to the Exchange server, I go to the window of certificates in the web interface of Exchange 2013, I click enable the certificate you had created earlier, open the wizard will introduce the route where is located the certificate and click finish me off the wizard window and delete from the list the certificate that had previously created, any suggestions or ideas that may be happening??? Greetings and thanks in advance.

    Hi,
    According to your description, I understand that there are some issues when installing the certificate in the EAC of Exchange 2013. How did you generate this certificate before you installed it? Is it a self-signed certificate or a third-party certificate?
    Please run the following command to check your current certificate configuration:
    Get-ExchangeCertificate | FL
    If it is a third-party certificate but the installed certificate is not listed in the command result, we can try to install this certificate by using the following commands:
    Import-ExchangeCertificate -Path "C:\Certificates\GeneratedCert.pfx"
    Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxxxxxx -Services POP,IMAP,IIS
    If there is any error during the certificate importing, please share the error or events here for further analysis.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Installing certificate on Lync server WS 2008R2 standard

    Hi,
    I'm new to all this. Can someone please help? We are on a domain and recently our certificate for Lync expired, so now "Lync" is not functioning. We also have an edge server. I know it has expired because I see it in the event viewer. So the first question: how do I renew the certificate for Lync? I can't find it on the server. Once I get that information, do I install the certificate on the Lync server or the Edge server? Thank you for helping a newbie!

    Both of those servers (front end and edge) need certificates, you might also want to check for a certificate on a reverse proxy as well (if you ping meet.yoursipdomain.com externally, whatever server that IP NATs to). You request them using the deployment wizard, clicking "Install or Update Lync Server System" then re-running step 3. Once you have your certificate assigned, you'd need to restart services. Here's a link that walks through it:
    http://uclobby.com/2013/09/16/renewing-lync-server-20102013-certificates/
    SWC Unified Communications

  • Best practices for buying a digital certificate for Exchange 2013

    Good day friends,
    Could you indicate to me which are the best practices when buying a public digital certificate for use on Exchange Server 2013.
    I'd be interested in knowing your opinion about using wildcard or SAN certificates. Likewise, what are the best recommendations to include names and why they should or should not include the internal FQDN of my servers.
    Currently I have an infrastructure that has two Mailbox servers, two CAS servers and an Edge 2010 server, but I'm planning to update it to Exchange 2013.
    I searched for the best practices according to Microsoft but have found little information.
    I would appreciate it if you can post links like Microsoft KBs and other technical documents that discuss the above mentioned.
    Thanking you for your invaluable support.
    Greetings.

    Hi,
    Personal suggestion, we can use two namespaces for your Exchange 2013:
    Autodiscover.domain.com (Used for autodiscover service)
    Mail.domain.com (used for all Exchange services external and internal URLs)
    Please point mail.domain.com and autodiscover.domain.com to your Internet-facing CAS 2013.
    For more information about Digital Certificates and SSL in Exchange 2013, please refer to the Digital Certificates Best Practices part in the following TechNet article:
    http://technet.microsoft.com/en-us/library/dd351044%28v=exchg.141%29.aspx?lc=1033
    Additionally, here are some other scenarios about certificate planning in Exchange 2013:
    http://blogs.technet.com/b/exchange/archive/2014/03/19/certificate-planning-in-exchange-2013.aspx
    Regards,
    Winnie Liang
    TechNet Community Support
