I used to do support calls for Lync / SfB some time back, and I would be a rich man if I had a pound for every case I picked up that turned out to be certificates expiring or not being trusted correctly.
Now, if you are reading this you no doubt have an implementation of SfB or Lync Server and know how reliant the product is on certificates, both externally and internally. I wanted to write a post that helps you when renewal time comes around. Before I get into that, though, consider extending the validity period of the certificates your internal CA issues to Lync / SfB Server, so you go through this less often. This great article walks through creating a certificate template with a longer validity period: http://chrishayward.co.uk/2014/02/24/lync-create-certificate-template-with-a-validity-period/
Firstly, why aren't you using SCOM to monitor the environment and the certificates?
Here are a couple of articles on how to do this if you are getting into SCOM:
Ok, so not everyone has SCOM, so how do you make sure you don't end up with an expired certificate? Use a shared calendar, put it in your own calendar, or send yourself a meeting request ahead of the expiry date. ANYTHING to stop it expiring and users ringing the service desk because they can't use Voice / Conferencing / connect externally, etc. We want an easy life as Lync / SfB admins. The problem with calendars is that people come and go, and those reminders can be removed or deleted in error. So this absolutely phenomenal tool http://www.ehloworld.com/1360 should be used instead; it alerts you before the certificates expire rather than relying on someone remembering. The guy is a legend in my eyes. If you don't have SCOM, use this. Simple.
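If you would rather roll your own check (or want to see what such a tool has to do), here is an added example of mine, not the ehloworld tool linked above and not part of the original post. It reports the expiry of every certificate assigned to the local Lync / SfB server via Get-CsCertificate, fetches the certificates actually presented on the wire by remote TLS endpoints (Edge, reverse proxy, load balancer VIPs) and emails you if anything expires within a threshold. The hostnames, SMTP server and mailbox are placeholders for your own environment, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: inventory Lync / SfB certificate expiry locally and on remote TLS
# endpoints, warn ahead of time. Hostnames and mail settings below are placeholders.
param(
    [int]      $WarnDays   = 30,
    [string[]] $Endpoints  = @('sip.contoso.com:443', 'sip.contoso.com:5061',
                               'lyncweb.contoso.com:443', 'webconf.contoso.com:443'),
    [string]   $SmtpServer = 'smtp.contoso.com',
    [string]   $MailTo     = 'ucadmins@contoso.com'
)

$now    = Get-Date
$report = @()

# 1. Certificates assigned to Lync roles on this box (Default, WebServicesInternal,
#    WebServicesExternal, OAuthTokenIssuer, AccessEdgeExternal ...). Needs the
#    Lync Server Management Shell module; this step is skipped where it is absent.
Import-Module Lync -ErrorAction SilentlyContinue
if (Get-Command Get-CsCertificate -ErrorAction SilentlyContinue) {
    foreach ($c in Get-CsCertificate) {
        $report += [pscustomobject]@{
            Source     = "$env:COMPUTERNAME ($($c.Use))"
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            DaysLeft   = [int]($c.NotAfter - $now).TotalDays
        }
    }
}

# 2. Certificates presented on the wire by Edge, reverse proxy, load balancer VIPs
#    and so on. Chain validation is switched off ONLY so the certificate can be read
#    and inspected: an already-expired cert would otherwise fail the handshake before
#    we got a look at it. Nothing is trusted as a result of this call.
function Get-RemoteCertificate {
    param([string] $HostName, [int] $Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI, so a shared VIP returns the right cert
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }
}

foreach ($ep in $Endpoints) {
    $hostName, $port = $ep -split ':'
    try {
        $cert = Get-RemoteCertificate -HostName $hostName -Port ([int]$port)
        $report += [pscustomobject]@{
            Source     = $ep
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - $now).TotalDays
        }
    }
    catch { Write-Warning "$ep : $($_.Exception.Message)" }
}

$report | Sort-Object DaysLeft | Format-Table Source, NotAfter, DaysLeft, Thumbprint -AutoSize

# 3. Alert on anything inside the warning window.
$expiring = @($report | Where-Object { $_.DaysLeft -le $WarnDays })
if ($expiring.Count -gt 0) {
    Send-MailMessage -SmtpServer $SmtpServer -From "lync-certs@$env:USERDNSDOMAIN" -To $MailTo `
        -Subject "Lync / SfB: $($expiring.Count) certificate(s) expire within $WarnDays days" `
        -Body ($expiring | Format-List Source, Subject, NotAfter, DaysLeft | Out-String)
}
```

Schedule it daily with Task Scheduler under an account that is a member of RTCUniversalReadOnlyAdmins (or higher) so Get-CsCertificate works, and point the endpoint list at the names your users and federation partners actually connect to, not the server names. One caveat: listeners that insist on mutual TLS (port 5061 on a Front End, for instance) may refuse a handshake from a client with no certificate, so check those from another Lync server or via Get-CsCertificate rather than over the wire.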
So now you have been alerted a couple of weeks BEFORE expiry, it's time to think about where the certificates need renewing. Inevitably a lot of them will expire at once (or within a few weeks of each other), because we deployed all the servers at the same time, and we probably bought the external certificate at the same time as we deployed internally.
Here is a list of Servers / Locations you need to think about if you are not being alerted by SCOM:
- Front End Servers – This is easy, as you just run the Deployment Wizard (Step 3: Request, Install or Assign Certificates) or use Request-CsCertificate / Set-CsCertificate from the Lync Server Management Shell. Drain the server first so users don't experience downtime: http://windowsitpro.com/lync/lync-2013-server-draining Once it is drained, assign the new certificate and then restart the Front End service, or all of the Lync services if that makes you feel more comfortable (Stop-CsWindowsService / Start-CsWindowsService). One caveat on a pool: the Default and Web Services certificates are assigned per server, so repeat this on every Front End, but the OAuthTokenIssuer certificate is global to the deployment and is assigned once.
- Edge Servers – Don't forget that the Edge has both an internal certificate from your internal CA and a public certificate on the external interface (and don't forget to install the intermediate certificate if your public CA requires one). Because the Edge isn't domain-joined, the request for the internal certificate is generated offline and submitted to the CA by hand, and the internal CA's root certificate must be in the Edge's Trusted Root Certification Authorities store. See this post http://lyncme.co.uk/microsoft-lync-server-2013/the-complete-home-lync-lab-part-3-installing-lync-2013-monitoring-and-lync-edge-server/ for how to create the request for the internal certificate; the same concept applies for renewals.
- Mediation Servers – Exactly the same process as for Front End servers; only the set of services to restart differs. Restart them (Stop-CsWindowsService / Start-CsWindowsService) once you have assigned the new certificate.
- Director Servers – Exactly the same process as for Front End servers; only the set of services to restart differs. Restart them (Stop-CsWindowsService / Start-CsWindowsService) once you have assigned the new certificate.
- Persistent Chat Servers – Exactly the same process as for Front End servers; only the set of services to restart differs. Restart them (Stop-CsWindowsService / Start-CsWindowsService) once you have assigned the new certificate.
- Trusted Application Servers – Each one presents its own certificate, which the Front Ends must trust (chained to a trusted CA, with the server's topology FQDN in the subject or SAN), and it must trust yours in return. Are you running SIP over TLS with your SIP trunk provider? Then that trunk has a certificate at each end too.
- Session Border Controllers / PSTN gateways – If the trunk to the Mediation Server is TLS rather than TCP, the SBC has a certificate of its own that the Mediation Server must trust, and the SBC must trust the Mediation Server's certificate; check the expiry at both ends.
- Exchange Servers – It's a trusted application! Exchange UM integration relies on the Exchange certificates, and the Lync / Exchange server-to-server (OAuth) trust depends on the certificates at both ends as well.
- Load Balancers – These have a certificate too wherever they terminate TLS (the hardware load balancer in front of the web services, for instance).
- Reverse Proxy – Load balancers (many can also act as the reverse proxy) / Web Application Proxy (WAP) / TMG / UAG / firewall. The public certificate for the external web services, simple URLs and lyncdiscover lives here.
- Office Online Server (previously WAC or Office Web Apps Server) – This can have both an internal and an external certificate, depending on your configuration.
- Video Interoperability Server (VIS) – Integration with Cisco etc. over TLS, so there is a certificate on each side to keep an eye on.
- Anything else you have integrated with Lync or Skype for Business Server.
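To make the Front End / Mediation / Director / Persistent Chat steps above concrete, here is an added example of mine (not from the original post) that renews the certificate on one Lync Server 2013 Front End from the Lync Server Management Shell in the order described: drain, request, verify, assign, restart. With `-Types Default` the same script serves a Mediation, Director or Persistent Chat server. The CA path, template name, subject fields and contoso.com names are placeholders; it assumes an online enterprise CA, PowerShell 3.0 or later, and that you run it as a member of RTCUniversalServerAdmins and local Administrators, one server at a time. On Skype for Business Server 2015 you would drain with Invoke-CsComputerFailOver instead of Stop-CsWindowsService -Graceful.

```powershell
# Added example: renew the Front End certificate on a Lync Server 2013 server.
# Drain -> request -> verify -> assign -> restart. Placeholders: CA, template, subject.
param(
    [string]   $CA       = 'ca01.contoso.com\Contoso Issuing CA',  # online enterprise CA
    [string]   $Template = '',                                      # e.g. a long-validity template; '' = CA default
    [string[]] $Types    = @('Default', 'WebServicesInternal', 'WebServicesExternal'),
    [int]      $KeySize  = 2048
)
Import-Module Lync

# 0. Record the current assignments so you can roll back with
#    Set-CsCertificate -Type <type> -Thumbprint <old thumbprint>.
$before = Get-CsCertificate | Where-Object { $Types -contains $_.Use }
$before | Format-Table Use, Subject, Thumbprint, NotAfter -AutoSize

# 1. Drain. -Graceful stops accepting new connections and returns once existing
#    sessions have ended, so users on this server re-register elsewhere in the pool.
Stop-CsWindowsService -Graceful
$running = Get-CsWindowsService | Where-Object { $_.Status -ne 'Stopped' }
if ($running) { throw "Services still running: $($running.Name -join ', ')" }

# 2. Request and issue the new certificate. Request-CsCertificate reads the pool FQDN,
#    web service FQDNs and simple URLs from the topology; -AllSipDomain adds
#    sip.<domain> for every SIP domain. The friendly name lets us find it afterwards.
$friendly  = "Lync FE $env:COMPUTERNAME $(Get-Date -Format yyyy-MM-dd)"
$reqParams = @{
    New = $true; Type = $Types; CA = $CA; FriendlyName = $friendly
    KeySize = $KeySize; PrivateKeyExportable = $true; AllSipDomain = $true
    Organization = 'Contoso'; OU = 'UC'; City = 'London'; State = 'London'; Country = 'GB'
}
if ($Template) { $reqParams.Template = $Template }
Request-CsCertificate @reqParams | Out-Null
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $friendly } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'The request did not produce a certificate in LocalMachine\My' }

# 3. Check it BEFORE assigning it: private key present, chains to a trusted root on
#    this server, and still carries every SAN the old Default certificate had. A
#    renewal that quietly drops a SAN (a newer SIP domain, a simple URL) is the
#    classic self-inflicted outage, so fail here rather than after the restart.
if (-not $cert.HasPrivateKey) { throw "$($cert.Thumbprint) has no private key" }
if (-not $cert.Verify())      { throw "$($cert.Thumbprint) does not chain to a trusted root" }
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$newSans = if ($sanExt) { $sanExt.Format($false) } else { '' }   # "DNS Name=a, DNS Name=b"
$oldSans = (@(($before | Where-Object { $_.Use -eq 'Default' }).AlternativeNames) -join ',') -split ',' |
           ForEach-Object { $_.Trim() } | Where-Object { $_ }
$missing = $oldSans | Where-Object { $newSans -notmatch "=$([regex]::Escape($_))(,|$)" }
if ($missing) { throw "New certificate is missing SAN(s): $($missing -join ', ')" }

# 4. Assign. Default / WebServices* certificates are per server, so repeat on each
#    Front End in the pool. OAuthTokenIssuer is global to the deployment: set it once
#    with Set-CsCertificate -Type OAuthTokenIssuer and CMS replication does the rest.
Set-CsCertificate -Type $Types -Thumbprint $cert.Thumbprint `
    -Report "$env:TEMP\Set-CsCertificate-$(Get-Date -Format yyyyMMdd-HHmm).html"

# 5. Restart the services and confirm the assignment took effect.
Start-CsWindowsService
Get-CsWindowsService | Format-Table Name, Status -AutoSize
Get-CsCertificate | Where-Object { $Types -contains $_.Use } |
    Format-Table Use, Thumbprint, NotAfter -AutoSize
```

Keep the old certificate in the store until every server in the pool is done and clients have been happy for a day or two; the `$before` output is your rollback list. For an Edge, or any server without line of sight to the CA, replace step 2 with `Request-CsCertificate -New -Output <file>` to produce an offline request, get it signed, then `Import-CsCertificate -Path <issued cert>`, and carry on from step 3.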
And finally, the DigiCert Certificate Utility for Windows is an absolute godsend for checking, exporting and repairing certificates on all of the above.