Request/Renewing Skype for Business Server 2015 Certificates

Following the same idea as in the Renewing Lync Server 2010/2013 Certificates, here are the steps to request or renew certificates in Skype for Business Server 2015.

Most of the steps are similar to Lync Server 2010/2013, so to start let’s go to the well-known Deployment Wizard Step 3 and click Run or Run Again (depending on if you are requesting for the first time or renewing the certificates).


Now, in Certificate Wizard, we select the proper certificate and then click Request:


The Certificate Request wizard will open and we can notice that this user interface changed from Lync Server 2010/2013. Now we have all the basic information to request a certificate consolidated in a single window:


Note: In the Edge Server, the certificate request is the same as in Lync Server 2010/2013, therefore we don’t have the new consolidated view.

We can use the Advanced mode (also known as old Lync Server 2013 mode), in case we need to specify one of the following settings:

  • Create an Offline Request


  • Specify another CA


  • Specify different CA credentials


  • Use a different Certificate Template


  • Change key bit length and/or Mark the certificate private key as exportable


  • Add additional SAN names


After that, we will return to the initial Certificate Request screen. Don’t forget to select the SIP Domains served by this server:


In the next screen, check if all the details are correct:


If the certificate request is successful, we get Task status: Completed:


Continuing with our request, select the Assign this certificate to Skype for Business Server certificate usages option:


Note: Before requesting a new certificate, we need to make sure that the Root CA certificate is installed in the Trusted Root Certification Authorities under the Local Computer Certificate Store:


The Certificate Assignment wizard will be launched, and we can view the details or continue:


Before assigning the certificate, we need to verify the details:


Task status: Completed confirms that the certificate was correctly assigned:


We have just assigned the new certificate, so all we need now is to restart the services on the Front End. In case we have a Front End Enterprise Pool, keep in mind that we need to check if there are enough Front End servers running before restarting the services. In order to do this, simply use the Get-CsUpdatePoolReadiness.

Finally, if there are enough Front End servers to keep the pool running, we can proceed and restart the services with the following cmdlets: