As part of an ongoing commitment to security, the Lync team is making a change to the SSL certificate chain, which will require customers and partners to take action before June 1, 2013. Lync Server currently uses the GTE CyberTrust Global Root, and on June 1st will begin using the Baltimore CyberTrust Root. The new root certificate uses a strong 2048-bit key length and hashing algorithm, which ensures we remain consistent with industry-wide security best practices.
Author: Moustafa Noureddine, Microsoft Senior Program Manager
Contributor: Conal Walsh
Published: May 13, 2013
Product version: Lync Online
IMPORTANT NOTE If you have installed the latest updates, you are already covered. In fact, if you are running Microsoft Support diagnostics, you won’t encounter this issue.
As part of our ongoing commitment to security, the Lync team is making a change to the SSL certificate chain, which will require our customers and partners to take action before June 1, 2013. Lync Server currently uses the GTE CyberTrust Global Root, and on June 1st will begin using the Baltimore CyberTrust Root. The new root certificate uses a strong 2048-bit key length and hashing algorithm, which ensures we remain consistent with industry-wide security best practices.
If your service does not accept certificates chained to both the GTE CyberTrust Global Root and the Baltimore CyberTrust Root, please take action before June 1st to avoid certificate validation errors. While we seek to minimize the need for customers to take specific action based on changes we make to Lync Server, we believe this is an important security improvement. You will need to download the Baltimore CyberTrust Root.
On June 1, 2013, all of our servers will be on Baltimore certificates. So please ensure that your Lync Server deployments have been updated to trust the Baltimore Root prior to that date.
As an IT Admin, if you perform Windows Updates regularly:
- ·All you have to do is validate that the new Baltimore Root certificate is already present in the “(LocalComputer) Trusted Root Certification Authorities” certificate store on each Microsoft-facing Server.
If you do not perform Windows Updates regularly or the new Baltimore Root certificate is not appearing in the certificate trusted root store:
- You can perform Windows Update for this requirement or import the Baltimore Root to each Microsoft-facing server. You will need to download the Baltimore Root certificate.
Various Lync Server services are exposed to customers over protocols that are secured by certificates. Applications that call these services implement their own certificate validation checks—the equivalent of the test that your browser uses to verify the certificate before showing the “lock” icon. The details of these checks vary per application. These checks often include validation of the root certificate in the certificate chain against a trusted root list. Currently, Lync Server uses SSL/TLS certificates that chain to the GTE CyberTrust Global Root.
What is Changing?
All of the SSL/TLS certificates exposed by Lync Servers Online are being migrated to new chains rooted by the Baltimore CyberTrust Root. We expect to continue to use the Baltimore CyberTrust Root for the foreseeable future. However, as part of our commitment to security, we will continue to make changes as industry security standards and threat mitigations evolve.
This change is being implemented on Microsoft owned domain names and does not change domain names you have specified for your hosted service.
The Baltimore CyberTrust Root is widely trusted by a number of operating systems, including Windows, Windows Phone, Android and iOS, and by browsers, such as Internet Explorer, Safari, Chrome, Firefox, and Opera. We expect that the vast majority of customers will not experience any issues due to this change.
However, some customers may experience certificate validation failures if their servers do not include the Baltimore CyberTrust Root in their trusted root lists. Customers with such servers must modify these servers to accept both the Baltimore CyberTrust Root and the GTE CyberTrust Global Root. We advise our customers to make this change no later than June 1, 2013, as Lync servers will be using the new certs by that date. Customers who do not have the Baltimore CyberTrust root in their trusted root lists and do not take the prescribed action will receive certificate validation errors, which may impact the availability of their services.
As a best practice, we recommend that our customers do not hard-code trusted root lists for certificate validation. Instead, we recommend using policy-based root certificate validation that can be updated as industry standards or certificate authorities change. For many customers, the default trusted root list provided as part of your operating system or browser distribution is a reasonable mechanism. In other cases, more restrictive organization-wide policies may be implemented to meet regulatory or compliance requirements.
About the Author
|Moustafa Noureddine joined Microsoft in 2008 and has worked in the Windows division, Office division, and now the combined Lync and Skype division. Today, he is a Senior Lead Program Manager on the Enterprise Asynchronous Communications team in the Skype Division. This includes Enterprise IM & Presence, Enterprise Federation, Compliance, and Integration with various Office components, such as Exchange and SharePoint.|
- Lync Server Federation with Microsoft.com: Root Certificate Change
- Service Updates for Office 365 for enterprises, mid-size businesses, and education
Lync Server Resources
We Want to Hear from You