How to Change the Certificate Store Used for Lync Client Certificates


From time to time, customers ask me about the certificate that Lync issues to users showing up in the Windows certificate picker.  The Lync server issues each client a certificate with the Client Authentication Enhanced Key Usage (EKU), so the certificate can sometimes show up in the certificate picker in Windows.  This can confuse users about which certificate they should pick.  Because the certificate from Lync isn't issued by the corporate PKI environment, it's not trusted by anything other than the Lync server, so choosing it can really cause some issues:

If you open up the certificates MMC for the user and take a look at the Personal certificate store, you'll see both certificates that were shown in the certificate picker:

You can actually change the certificate store that the Lync certificate is kept in.  In order to make the change, you will need to sign out of Lync and select "Delete my sign-in info":

Next, open the Registry Editor and navigate to:

HKLM\Software\Policies\Microsoft\Office\15.0\Lync

for Lync 2013/Skype for Business 2015 or

HKLM\Software\Policies\Microsoft\Office\16.0\Lync

for Skype for Business 2016.  Create a new DWORD named UseLyncCertStore with a value of 1.

Note: You can also create this registry value under HKCU if you'd like.

Sign back into the Lync client and if you now look in the Personal certificate store, you'll notice that the certificate issued by the Lync server isn't shown:

That's because there's now a new certificate store called LyncCertStore that contains the certificate:

Now when the user gets the certificate picker, only their user certificate is shown:

This should help to alleviate some confusion for users about which certificate to choose.
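
The registry change and the store check described above can be scripted. The following PowerShell is an added example, not part of the original post; the parameter names, the `-AuditOnly` switch, and the assumption that LyncCertStore sits under the current user's certificate stores are assumptions of this example.

```powershell
# Added example, not from the original post. Run it after signing out of Lync
# and selecting "Delete my sign-in info". Writing under HKLM needs an elevated prompt.
param(
    [ValidateSet('15.0', '16.0')]   # 15.0 = Lync 2013 / Skype for Business 2015, 16.0 = Skype for Business 2016
    [string]$OfficeVersion = '16.0',
    [ValidateSet('HKLM', 'HKCU')]
    [string]$Hive = 'HKLM',
    [switch]$AuditOnly              # hypothetical switch: report state without changing the registry
)

$keyPath       = "${Hive}:\Software\Policies\Microsoft\Office\$OfficeVersion\Lync"
$valueName     = 'UseLyncCertStore'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # OID of the Client Authentication EKU

if (-not $AuditOnly) {
    # Create the policy key if it is missing, then set the DWORD to 1.
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Read the value back so the result is visible whether or not it was just written.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
"{0}\{1} = {2}" -f $keyPath, $valueName, $(if ($null -eq $current) { '<not set>' } else { $current })

# List certificates in a store that carry the Client Authentication EKU.
function Get-ClientAuthCert([string]$StorePath) {
    if (-not (Test-Path $StorePath)) {
        Write-Warning "$StorePath does not exist (yet)."
        return
    }
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } |
        Select-Object @{ n = 'Store'; e = { $StorePath } }, Subject, Issuer, NotAfter, Thumbprint
}

# Assumption: LyncCertStore is created under the current user, next to the Personal (My) store.
'Cert:\CurrentUser\My', 'Cert:\CurrentUser\LyncCertStore' |
    ForEach-Object { Get-ClientAuthCert $_ } |
    Format-Table -AutoSize
```

Run it once before signing back in and again with `-AuditOnly` afterwards: the certificate issued by the Lync server should then be listed under LyncCertStore rather than under the Personal store.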

Comments (12)

  1. turbomcp says:

    excellent
    thanks

  2. Tywin Lannister says:

    This also solves an issue where a Lync 2010 certificate in the user's personal store causes a 'The server cannot validate the certificate' error on first launch of Lync 2013.
    Thank you.

  3. Anuraag Kate says:

    Hello Doug! Does this work for Lync 2010 as well?

  4. dodeitte says:

    @Anuraag Kate

    Not that I'm aware of.

  5. Allen Stalker says:

    Hi Doug, do you know if this will work for Skype for Business 2016?
    I can't find that registry key for Skype for Business 2016.

  6. EUC says:

    It was not working for Lync 2010. Does anyone have an idea how to implement it for Lync 2010?

  7. Allen Stalker says:

    Hi Doug - Just following up on my previous comment. I wanted to see if you had any idea how to do this for Skype for Business 2016. Any help would be greatly appreciated!

  8. dodeitte says:

    @Allen Stalker

    I just tried with the Skype for Business 2016 client and it still works. I placed the value in HKLM\Software\Policies\Microsoft\Office\16.0\Lync. I didn't try with HKCU, but my guess is that it should work there as well.

  9. dodeitte says:

    @EUC

    I'm not aware of a way to do this with the Lync 2010 client.

  10. Emanuele says:

    Thank you very much! You solved my issue!

  11. user says:

    How about Windows 10?
    There is no such container Lync CertStore in certmgr.msc

    1. dodeitte says:

      I have the LyncCertStore folder on my Windows 10 machine.
