When you deploy Lync and assign internal certificates to your Lync servers (e.g. Front End, Internal Edge, SBA and gateways), by default you only get a 2-year certificate from the “Web Server” template. I like to create a new certificate template for Lync with a 5-year lifespan, because renewing certificates is tedious, especially on the Edge servers and gateways where you have to export the certificate request. I have tried creating a 10-year certificate template, but the Lync Deployment Wizard complains that the certificate is valid for over 5 years. It’s also a good idea to give your Certificate Authority itself a long validity period; I usually opt for 20/25 years. This article covers how to create a 5-year certificate template for Lync. By assigning certificates with a longer validity period to your Lync servers you won’t have to renew them as often.
First of all, open the Certification Authority console. Right click “Certificate Templates” and click “Manage”.
Now we will duplicate the default Web Server certificate. In the Certificate Templates Console right click “Web Server” and click “Duplicate Template”.
Click the “General” tab. Enter a display name (e.g. LyncServer) and change the validity period to 5 years. Click “Apply”. You should also check that the private key is marked exportable on the “Request Handling” tab, otherwise you will not be able to move the certificate between servers later.
Back in the Certification Authority console, right click “Certificate Templates”, click “New” > “Certificate Template to Issue”.
In the “Enable Certificate Templates” window, select “LyncServer” and click “OK”.
Next we need to allow the Certificate Authority to issue certificates that are valid for more than 2 years. The CA caps the lifetime of every certificate it issues at this value regardless of what the template says, so without this change the new template would still produce 2-year certificates. From an elevated command prompt (run as administrator) run the following:
certutil -setreg ca\ValidityPeriodUnits 5
Then restart the Certificate Authority service (CertSvc) so the new value takes effect.
When requesting internal certificates in the Lync Deployment Wizard you should now specify the “LyncServer” template.
Now you don’t need to worry about Lync internal certs for 5 years.
I recommend that you monitor your certificates’ expiry dates; SCOM works well for the certificates on Lync servers. If you use TLS on your gateways, make sure you monitor those certificates too, with a third-party application or script.
Update 2015: This also works for Skype for Business Server 2015, however I recommend naming the template something more generic like “UCCert”.
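As an added example (not code from the original post), here is a PowerShell script that checks both halves of the procedure above: run on the CA with -CheckCA it prints the validity cap set with certutil, and run on a Lync or Skype for Business server it lists every certificate in the machine store with its issued lifetime (so you can see whether it really came from the 5-year template) and flags those close to expiry. The 60-day warning threshold, the LocalMachine\My store and the template names are assumptions; adjust them to your environment.

```powershell
# Added example, not code from the original post. Assumes it runs as a local
# administrator on a Lync/SfB server (or on the CA when -CheckCA is used) and
# that the server certificates live in the LocalMachine\My store.
param(
    [int]$WarnDays = 60,      # flag certificates expiring within this many days (assumed default)
    [switch]$CheckCA          # also print the CA's validity cap (run this on the CA)
)

$TemplateOid = '1.3.6.1.4.1.311.21.7'   # "Certificate Template Information" extension

if ($CheckCA) {
    # These are the registry values the post changes with certutil -setreg;
    # issued lifetimes are capped by them whatever the template says.
    certutil -getreg ca\ValidityPeriod
    certutil -getreg ca\ValidityPeriodUnits
}

$now = Get-Date
$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }
    $templateName = if ($ext) { $ext.Format($false) } else { '(no template extension)' }
    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        Template     = $templateName      # e.g. contains LyncServer or UCCert
        LifetimeDays = [int]($cert.NotAfter - $cert.NotBefore).TotalDays
        DaysLeft     = [int]($cert.NotAfter - $now).TotalDays
        HasKey       = $cert.HasPrivateKey
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# A certificate issued from the 5-year template shows LifetimeDays of roughly
# 1826; roughly 730 means it still came from the 2-year "Web Server" template.
$expiring = @($report | Where-Object { $_.HasKey -and $_.DaysLeft -le $WarnDays })
if ($expiring.Count -gt 0) {
    Write-Warning ("{0} certificate(s) expire within {1} days:" -f $expiring.Count, $WarnDays)
    $expiring | ForEach-Object { Write-Warning ("  {0} ({1} days left)" -f $_.Subject, $_.DaysLeft) }
    exit 1   # non-zero exit so a scheduled task or monitoring script can alert on it
}
```

Schedule it (for example as a daily task that feeds SCOM or your monitoring tool) on each Lync server and, with a suitable store path, on gateways that hold their TLS certificates in the Windows store.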
Technical Architect at Symity