I’ve gotten this question from time to time from customers about the certificate that Lync issues to users and it showing up in the certificate picker for users. The Lync server issues a certificate to the clients with the Client Authentication Enhanced Key Usage (EKU), so the certificate can sometimes show up in the certificate picker in Windows. This can cause confusion for users on which certificate they should pick. Since the certificate from Lync isn’t issued from the corporate PKI environment, it’s not trusted by anything other than the Lync server, so choosing it can really cause some issues:
If you open up the certificates MMC for the user and take a look at the Personal certificate store, you’ll see both certificates that were shown in the certificate picker:
You can actually change the certificate store that the Lync certificate is kept in. In order to make the change, you will need to sign out of Lync and select “Delete my sign-in info”:
Next, open the Registry Editor and navigate to:
for Lync 2013/Skype for Business 2015 or
for Skype for Business 2016. Create a new DWORD named UseLyncCertStore with a value of 1.
Note: You can also create this registry under HKCU if you’d like.
Sign back into the Lync client and if you now look in the Personal certificate store, you’ll notice that the certificate issued by the Lync server isn’t shown:
That’s because there’s now a new certificate store called LyncCertStore that contains the certificate:
Now when the user gets the certificate picker, only their user certificate is shown:
This should help to alleviate some confusion from user’s on which certificate to choose.