Adding new SANs to an existing Lync UC SAN Certificate


Replacing the certificate on the Lync Edge server and on the reverse proxy must be coordinated, because re-keying the certificate at the certificate authority revokes the original certificate. A typical reason to do this is adding new Subject Alternative Names (SANs) to the certificate.

For example, in the GoDaddy SSL Certificate management interface, after selecting your existing certificate, click the Re-Key button. You will be prompted to enter a CSR. If you skip this and instead click the Manage button to add the new SAN names, the certificate will be issued without a matching private key on your Edge server and will be useless.


To generate a new CSR in Lync, go to the Edge server, launch the Deployment Wizard and click Install or Update Lync Server System.


On Step 3 (Request, Install or Assign Certificates), click Run Again to launch the Certificate Wizard.


Click the Request button.


Go through the wizard, choosing the offline option (prepare the request now, send it later), and include every SAN the certificate needs: the existing names as well as the new ones. You can then copy and paste the generated CSR into the GoDaddy CSR window.

After GoDaddy has issued your certificate, you return to the Certificate Wizard and find that the Process Pending Certificates button is greyed out. Don't panic. That button is only for requests sent to an online certification authority that require manual approval; an offline request is never in that state.


The correct procedure is to click the Import Certificate button.

On the next screen, you must uncheck “Certificate file contains certificate’s private key.” The file GoDaddy gives you is the public certificate only; the private key was generated on the Edge server when the offline request was created, and the import pairs it with the certificate. At first I was concerned that this would generate a certificate without a private key, but if you think about it, since you have not yet finished processing an offline request, the certificate does not yet have the private key anyway. This is so confusing that some mistake it for a bug. I’m glad I’m not the only one who was fooled by the ‘Process Pending Certificates’ button being greyed out!
http://social.technet.microsoft.com/Forums/en-US/ocscertificates/thread/363a3efa-fc8c-4fd3-a26e-1bee86705ab1/


After the import completes, the certificate must be assigned to the Edge services (the Assign button in the Certificate Wizard).


You can then export it, together with its private key, using the MMC Certificates snap-in and copy it to your reverse proxy server. If you do not do this, users trying to join Lync online meetings will get a certificate revoked error when clicking the Join Meeting link, because clicking Re-Key causes GoDaddy to add your old certificate to its Certificate Revocation List (CRL), and the reverse proxy is still presenting that old certificate.

Important: after updating the certificate on the Edge server, all external users must sign out of and back into Lync; otherwise, when they try to join a Lync online meeting, they will be immediately kicked out of the conference.
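The whole procedure above can also be driven from the Lync Server Management Shell instead of the Deployment Wizard; Request-CsCertificate, Import-CsCertificate, Set-CsCertificate and Get-CsCertificate are the same operations the wizard performs. The following is an added example, not code from the original post: it generates the offline request with the full SAN list, imports the issued file, checks that the import actually paired it with the private key, verifies the SANs and the chain/CRL status, assigns it to the external Edge services, and exports a PFX for the reverse proxy. The domain names, file paths, organisation details and password prompt are assumptions.

```powershell
# Added example, not code from the original post. Run in the Lync Server
# Management Shell on the Edge server as a local administrator. The SAN list,
# file paths, organisation details and PFX password are assumptions.

$sans         = 'sip.contoso.com','webconf.contoso.com','av.contoso.com','sip.fabrikam.com'
$edgeTypes    = 'AccessEdgeExternal','DataEdgeExternal','AudioVideoAuthentication'
$csrPath      = 'C:\Certs\edge-external.csr'
$issuedPath   = 'C:\Certs\edge-external.cer'   # the file GoDaddy gives you after the Re-Key
$pfxPath      = 'C:\Certs\edge-external.pfx'   # copied to the reverse proxy afterwards
$friendlyName = 'Lync Edge External (re-key)'

# Step 1: offline CSR carrying the full SAN list (old names plus the new ones).
# The private key is created here and stays in the local machine store as a
# pending request; only the CSR text leaves the server.
Request-CsCertificate -New -Offline -Type $edgeTypes -DomainName ($sans -join ',') `
    -FriendlyName $friendlyName -KeySize 2048 -PrivateKeyExportable $true `
    -Country US -State WA -City Redmond -Organization Contoso -OU IT -Output $csrPath
Write-Host "Paste the contents of $csrPath into the GoDaddy Re-Key page, then save the issued .cer as $issuedPath"
Read-Host 'Press Enter once the issued certificate is saved' | Out-Null

# Step 2: import the issued certificate. The .cer contains no private key; the
# import completes the pending request, which is why the wizard's
# "contains private key" box must stay unchecked.
Import-CsCertificate -Path $issuedPath -PrivateKeyExportable $true

# Step 3: find the store entry by the thumbprint of the issued file and prove
# it was paired with the private key created in step 1.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $issuedPath
$cert   = Get-Item "Cert:\LocalMachine\My\$($issued.Thumbprint)"
if (-not $cert.HasPrivateKey) {
    throw 'Imported certificate has no private key: the pending request was not completed on this server.'
}

# Step 4: confirm every SAN you asked for is actually present in the issued certificate.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
foreach ($name in $sans) {
    if ($sanText -notmatch [regex]::Escape($name)) { throw "SAN missing from issued certificate: $name" }
}

# Step 5: online chain and revocation check. The new certificate must pass;
# the old one, once GoDaddy has published the CRL update, should fail as Revoked.
function Test-CertChain([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($c)
    $chain.ChainStatus | ForEach-Object { Write-Warning ('{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()) }
    return $ok
}
$oldThumb = (Get-CsCertificate -Type AccessEdgeExternal).Thumbprint   # still the old cert until step 6
if (-not (Test-CertChain $cert)) { throw 'New certificate failed the chain/revocation check; do not assign it.' }
if ($oldThumb -and $oldThumb -ne $cert.Thumbprint) {
    if (Test-CertChain (Get-Item "Cert:\LocalMachine\My\$oldThumb")) {
        Write-Warning 'Old certificate still validates: the CRL update has not propagated yet. Re-check before assuming the reverse proxy is safe to leave as is.'
    }
}

# Step 6: assign the new certificate to the external Edge services and show the result.
Set-CsCertificate -Type $edgeTypes -Thumbprint $cert.Thumbprint
Get-CsCertificate -Type $edgeTypes | Format-Table Use, Subject, Thumbprint, NotAfter -AutoSize

# Step 7: export certificate plus private key as a PFX for the reverse proxy
# (the equivalent of the MMC export with "Yes, export the private key").
$pfxPassword = Read-Host 'PFX password for the reverse proxy copy'
certutil -p $pfxPassword -exportPFX My $cert.Thumbprint $pfxPath
Write-Host "Copy $pfxPath to the reverse proxy, import it there, then have external users sign out and back in."
```

The HasPrivateKey check in step 3 is the scripted form of the "is this a bug?" moment in the wizard: if the issued file is imported on any machine other than the one that generated the request, the certificate lands in the store without a key and this check fails before you assign anything. Step 5 uses the .NET X509Chain rather than certutil so the revocation result is a Boolean you can branch on, and it deliberately reads the old thumbprint before Set-CsCertificate runs, since afterwards Get-CsCertificate would already report the new one.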
