Lync PKI setup guide

Hi,

Please could someone point me to a setup guide for Microsoft PKI to support Lync?

Also, are there any best practices out there with regards to external vs. internal CAs, and where to use which one? What about CDPs? Which certificate types are required, etc.?

Does the Lync wizard do everything once a PKI infrastructure is up?

Thank you,

SK



September 3rd, 2013 8:28pm

Take a look at: 

http://technet.microsoft.com/en-us/library/gg195796(v=ocs.14).aspx

http://technet.microsoft.com/en-us/library/gg398066(v=ocs.14).aspx

http://blogs.technet.com/b/nexthop/archive/2012/08/20/certificate-authentication-in-lync-server-2010-and-enterprise-pki.aspx

September 3rd, 2013 10:01pm

Thank you for the links - but having read them already, my questions still stand.

Let me point to one obvious question: how are the CDPs meant to be configured? None of the 3 links posted explains that. They refer to the fact that they must exist... this much we know... but how? Internally available? Externally available?

The page entitled "Certificate Requirements for External User Access" doesn't even mention CDPs or CRLs.

...and the list of questions goes on...

...looking forward to some more answers.

thank you

September 3rd, 2013 10:13pm

CDPs indicate where up-to-date CRLs are stored. If you deploy an internal CA, clients will usually use LDAP to query the CRLs. The issue is that the Edge server is not a domain-joined computer, so it won't have access to any LDAP locations. The Edge server can use an HTTP distribution point in that case.

Jeff Schertz has some good information with revocation and Lync: http://blog.schertz.name/2013/02/certificate-revocation-lync-2013/

For External Access, Third Party certificates are recommended as they are already trusted by clients and the CRLs are published via http.

September 4th, 2013 12:49am
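As an added illustration of the point above (example code, not from the thread or from Microsoft): a PowerShell audit of the certificates in the local computer's Personal store that lists each certificate's CRL Distribution Point URLs, flags certificates whose CDP extension offers only LDAP URLs (unreachable from a non-domain-joined Edge server), and checks whether the HTTP CDPs actually serve a CRL. It assumes Windows PowerShell 5.1 on the server being checked and outbound HTTP access to the CDP hosts; the store path, the 10-second timeout and the column names are this example's own choices.

```powershell
# Added example: audit CRL Distribution Points of locally installed certificates.
# Assumes Windows PowerShell 5.1; run on the Lync Front End or Edge server.

$cdpOid = '2.5.29.31'   # id-ce-cRLDistributionPoints

function Get-CdpUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as multi-line text containing "URL=<uri>" entries
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-HttpCrl {
    param([string]$Url)
    # A reachable HTTP CDP must answer 200 with a non-empty body (the DER CRL)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return ($r.StatusCode -eq 200 -and $r.RawContentLength -gt 0)
    } catch {
        return $false
    }
}

$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $urls = @(Get-CdpUrls -Cert $cert)
    $http = @($urls | Where-Object { $_ -match '^https?://' })
    $reachable = $false
    if ($http.Count -gt 0) {
        $reachable = ($http | ForEach-Object { Test-HttpCrl -Url $_ }) -contains $true
    }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Expires       = $cert.NotAfter
        CdpUrls       = ($urls -join '; ')
        LdapOnly      = ($urls.Count -gt 0 -and $http.Count -eq 0)   # Edge server cannot reach these
        HttpReachable = $reachable
    }
}

# Certificates marked LdapOnly=True, or HttpReachable=False despite an HTTP CDP,
# will fail revocation checking on a non-domain-joined Edge server.
$results | Sort-Object Expires | Format-Table -AutoSize
```

Run it on the Edge server itself rather than a domain-joined host, since the point is what that server can reach; the Expires column doubles as a quick view of which certificates are approaching renewal.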

Also take a look at: http://lyncuc.blogspot.ca/2013/06/lync-certificate-planning-and.html
September 4th, 2013 12:51am

Hi S.Kwan,

Please refer to "Certificate" section in Jeff's Edge best practices:

http://blog.schertz.name/2012/07/lync-edge-server-best-practices/

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

Here is a great blog about CDP:

http://blogs.technet.com/b/nexthop/archive/2012/12/17/creating-a-certificate-revocation-list-distribution-point-for-your-internal-certification-authority.aspx

Best Regards,

Eason Huang

September 4th, 2013 5:54am

Thank you Michael & Eason, great articles.

One last question: the certificates issued to the Lync server(s) will no doubt one day expire. What is the common practice around renewing these? Is it typically an automated or a manual process?

Also, do we need to worry about issuing any client certificates?

thanks


September 4th, 2013 6:01pm

It is a manual process; you can follow the same steps used to install the original certificates. Some additional info: http://support.microsoft.com/kb/2736171

September 4th, 2013 6:05pm

Thanks... I also came across this server-to-server OAuth certificate:

(http://blogs.technet.com/b/dodeitte/archive/2012/11/02/oauth-certifcate-in-lync-server-2013.aspx)

What is this? How is this obtained? Is it part of the Lync wizard? Is it the default Server Certificate that becomes the OAuth certificate?

thank you

September 4th, 2013 10:52pm

One more question:

If I deploy the default Microsoft offline Root CA and online issuing Enterprise Subordinate CA (you know, the typical best-practice deployment, using Windows 2012 as the CAs), without doing any more configuration, will the default ADCS deployment be enough to run the Lync Certificate Wizard against it?

September 4th, 2013 11:07pm

One more question:

If I deploy the default Microsoft offline Root CA and online issuing Enterprise Subordinate CA (you know, the typical best-practice deployment, using Windows 2012 as the CAs), without doing any more configuration, will the default ADCS deployment be enough to run the Lync Certificate Wizard against it? Do we need to create any additional certificate templates, or are the defaults sufficient?



September 5th, 2013 6:05am
