Renewing Lync Server 2010/2013 Certificates

A question we commonly get from customers is: “How do I renew Lync Server certificates?” When it is not asked, we sometimes end up with a customer who has certificate issues, or even Lync services down, because of an error during certificate creation or renewal (or simply because someone forgot to renew the certificate).
So we decided to write this “how-to” article.

The process for renewing a Lync certificate is almost the same as the one used to create it. What we recommend is to first check, on the Lync Server, the SAN entries that are currently in use and take note of them. This prevents you from creating a certificate that lacks some of the required entries, which could cause problems for a particular SIP domain.

[Screenshot: renew1]

  • Open the Lync Deployment Wizard, go to “Install or Update Lync Server System”, then “Request, Install or Assign Certificates”, click on the desired certificate and then on the “View” button, and take note of the entries.
  • After taking note, click OK to get back to the Certificate Wizard and click Request.

[Screenshot: renew2]

  • On the next screen, click OK.
  • This article focuses on renewing an internal certificate (the differences for an external certificate request are explained at the end), so select the option “Send the request immediately to an online certification authority”.
  • On the next screen, select the internal certification authority that will issue the certificate.

[Screenshot: renew3]

  • On the next screen, you only need to fill in the fields if different credentials are required for the certification authority.
  • Similarly, on the next screen, you only need to change the certificate template if you use a template other than “WebServer”. Usually, no changes are needed here.
  • Fill in the certificate name as desired and, if you want, mark the private key as exportable.

[Screenshot: renew4]

  • Fill in the organization and location information.
  • Now, check that the data matches what you expect. Some SAN entries may be missing at this point; you will be able to add them later.

[Screenshot: renew5]

  • On the next screen, select the SIP domains needed. Make sure to compare against the notes you took at the beginning, either by looking at the certificate that is about to expire or by checking the topology.
  • As mentioned before, on the next screen you can add the SANs that are missing. Remember to use the old certificate as a reference, and don’t forget to click Add after each entry.

[Screenshot: renew6]

  • On the next screen, check that the results are as expected, since this information will be placed on the certificate.
  • Now the certificate will be requested and, if everything goes well, the result “Completed” will appear and you can continue.
  • Lync will then prompt you to assign the certificate, so click Next.
  • Again, it will show the information about the new certificate; check that everything is correct and click Next.
  • The certificate will be assigned, and you can finish the process.
  • At the end, you will be back in the Certificate Wizard. Check in the “Friendly Name” field that the new certificate is the one associated, and also check the expiration date.

[Screenshot: renew7]

  • After finishing the process you will need to restart the FE services. This is the step with the greatest impact on the environment, since it can cause unavailability. If you have more than one FE, there will be no real impact, but it is still recommended to schedule the process in your maintenance window.
    To restart the services, you can use the cmdlet Stop-CsWindowsService to stop them, and then Start-CsWindowsService to start them again.
  • This process needs to be repeated on each FE, since the same certificate cannot be used on other FEs.

Tip: Occasionally, Lync does not open the wizard to assign the certificate after creating it. In this case, check whether the certificate is present in the “Personal” container of the FE server’s local machine certificate store. If it is, use the Certificate Wizard to assign it with the “Assign” button. If the certificate is not in the “Personal” container, check whether the CA issued the certificate, copy it into this container, and you will then be able to see it in the Certificate Wizard and assign it.
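The two checks the article relies on (recording the SANs of the certificate currently in use, then verifying the newly issued certificate in the “Personal” store before assigning it) can be scripted from the Lync Server Management Shell. This is an added example, not code from the original article; it assumes Get-CsCertificate exposes the Subject, AlternativeNames, NotAfter and Thumbprint properties as shown, and that the script is run on the Front End being renewed.

```powershell
# Added example (not from the original article). Assumes the Lync Server
# Management Shell is loaded on the FE and that Get-CsCertificate returns
# Subject, AlternativeNames, NotAfter and Thumbprint properties.

# Step 1: record the SAN entries and expiry of the certificate currently in use,
# so the renewal can be checked against them (the "take note" step above).
$current = Get-CsCertificate -Type Default
$oldSans = @($current.AlternativeNames)
Write-Host ("Current Default certificate: " + $current.Subject)
Write-Host ("Expires: " + $current.NotAfter + "  Thumbprint: " + $current.Thumbprint)
Write-Host "SAN entries in use:"
$oldSans | ForEach-Object { Write-Host "  $_" }

# Step 2: after the CA issued the new certificate, look for it in the local machine
# "Personal" store (Cert:\LocalMachine\My), which is where the wizard looks for it.
# Only certificates with a private key that outlive the current one are candidates.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt $current.NotAfter }

foreach ($cert in $candidates) {
    # The Subject Alternative Name extension is OID 2.5.29.17; Format($true)
    # renders it as one "DNS Name=host" entry per line.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $newSans = @()
    if ($sanExt) {
        $newSans = ($sanExt.Format($true) -split "`r?`n") |
            ForEach-Object { ($_ -split '=', 2)[-1].Trim() } |
            Where-Object { $_ }
    }
    # -notcontains is case-insensitive, so host-name case differences are ignored.
    $missing = $oldSans | Where-Object { $newSans -notcontains $_ }

    Write-Host ""
    Write-Host ("Candidate: " + $cert.Subject + " (" + $cert.Thumbprint + ")")
    Write-Host ("  Expires: " + $cert.NotAfter)
    if ($missing) {
        Write-Host "  WARNING: SAN entries on the old certificate are missing from this one:"
        $missing | ForEach-Object { Write-Host "    $_" }
    } else {
        Write-Host "  All SAN entries from the old certificate are present."
        Write-Host "  To assign it (the equivalent of the wizard's Assign button), run on this FE:"
        Write-Host ("    Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint " + $cert.Thumbprint)
        Write-Host "  then restart the services: Stop-CsWindowsService; Start-CsWindowsService"
    }
}
```

The script only reports; the Set-CsCertificate line is printed rather than executed so the assignment is still a deliberate step taken inside the maintenance window.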

External Certificate Request (Edge)

The same process can be followed for an external certificate renewal or request. The main difference is that, instead of sending the request to the CA immediately, you choose “Prepare the request now, but send it later (offline certificate request)”. At the end, an offline certificate request file is generated, and you can share its contents with the external certification authority. When the CA sends you the issued certificate, you can assign it using the Certificate Wizard.