Adding new SANs to an existing Lync UC SAN Certificate
Replacing the certificate on the Lync Edge server and the Reverse Proxy must be coordinated, because re-keying the certificate at the CA revokes the original one. A common reason to re-key is adding new Subject Alternative Names (SANs) to the certificate.
For example, within the GoDaddy SSL Certificate management interface, select your existing certificate and click the Re-Key button. You will be prompted to paste a CSR. If you skip the re-key and instead click the Manage button to add the new SAN names, the certificate will be generated with no matching private key and will be useless.
To generate the new CSR in Lync, go to the Edge server, launch the Deployment Wizard and click Install or Update Lync Server System.
On Step 3, click Run Again to launch the Certificate Wizard.
Click the Request button.
Go through the wizard to generate an offline request, making sure the new SANs are included. You can then copy and paste the generated CSR into the GoDaddy CSR window.
After GoDaddy has issued your certificate, you return to the Certificate Wizard and find that the Process Pending Certificates button is greyed out. Don't panic: that button is only for requests submitted to an online certification authority that require manual approval, not for offline requests.
The correct procedure is to click the Import Certificate button.
On the next screen, you must uncheck "Certificate file contains certificate's private key." At first I was concerned that this would produce a certificate without a private key, but if you think about it, the private key was generated and stored on the Edge server when the offline request was created; the file GoDaddy gives you contains only the public certificate, and importing it completes the pending request by pairing the certificate with that key. This is confusing enough that some mistake it for a bug. I'm glad I'm not the only one who was fooled by the Process Pending Certificates button being greyed out!
After the import completes, the certificate must be assigned: click Assign and select the new certificate for the Edge server's services.
You can then export it, with its private key, as a PFX using the MMC Certificates snap-in and import it on your Reverse Proxy server. If you do not, users clicking the Join Meeting link for a Lync Online Meeting will get a certificate revoked error, because when you clicked Re-Key, GoDaddy published the old certificate in its Certificate Revocation List (CRL) and the Reverse Proxy is still presenting that old certificate.
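The same procedure run from the Lync Server Management Shell instead of the Deployment Wizard, as an added example that is not from the original post. The contoso.com and fabrikam.com names, the C:\Certs paths and the organization details are placeholders; the example also assumes the Edge server has the PowerShell PKI module (Windows Server 2012 or later) for Export-PfxCertificate, and that it can reach GoDaddy's CRL distribution point for the final revocation check. The HasPrivateKey test after the import is the check that the certificate file, which carries no key of its own, really was paired with the pending request's key.

```powershell
# Added example, not from the original post: the re-key procedure driven from
# the Lync Server Management Shell. Names, paths and org details are placeholders.
# Requires the PKI module (Server 2012+) for Export-PfxCertificate and outbound
# access to the CA's CRL distribution point for the revocation check at the end.

$certTypes = 'AccessEdgeExternal', 'DataEdgeExternal', 'AudioVideoAuthentication'
$newSan    = 'sip.fabrikam.com'                                   # the SAN being added
$allSans   = 'sip.contoso.com', 'webcon.contoso.com', 'av.contoso.com', $newSan

# Record what is currently assigned so the old certificate can be checked later.
$oldThumb = (Get-CsCertificate -Type AccessEdgeExternal).Thumbprint

# Step 1: offline request carrying the full SAN list. The private key is created
# now and stays on this server; only the CSR file is pasted into GoDaddy's Re-Key window.
Request-CsCertificate -New -Type $certTypes -Output 'C:\Certs\edge-rekey.csr' `
    -DomainName ($allSans -join ',') -ClientEku $true `
    -PrivateKeyExportable $true -KeySize 2048 `
    -FriendlyName 'Lync Edge external (re-keyed)' `
    -Organization 'Contoso' -OU 'IT' -Country 'US' -State 'WA' -City 'Redmond'
# Confirm every SAN is in the request before sending it to the CA.
certutil -dump 'C:\Certs\edge-rekey.csr' | Select-String 'DNS Name'

# ... paste the CSR into GoDaddy, download the issued certificate to
#     C:\Certs\edge-rekey.crt, then continue ...

# Step 2: import the issued certificate. The file contains no private key (the
# wizard's "contains private key" box stays unchecked, so no -Password here);
# Windows pairs it with the key of the pending request.
Import-CsCertificate -Path 'C:\Certs\edge-rekey.crt' -PrivateKeyExportable $true

function Get-NewEdgeCert([string]$RequiredSan) {
    # Newest certificate in LocalMachine\My that carries the new SAN AND a private key.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
            $_.HasPrivateKey -and $san -and ($san.Format($false) -like "*$RequiredSan*")
        } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
}

$newCert = Get-NewEdgeCert -RequiredSan $newSan
if (-not $newCert) {
    throw "No certificate with $newSan and a private key found: the import did not pair with the pending request."
}

# Step 3: assign the new certificate to the Edge external services.
Set-CsCertificate -Type $certTypes -Thumbprint $newCert.Thumbprint

# Step 4: export certificate + private key as PFX for the Reverse Proxy
# (the scripted equivalent of the MMC export in the text).
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$($newCert.Thumbprint)" `
    -FilePath 'C:\Certs\edge-rekey.pfx' -Password $pfxPassword | Out-Null

# Step 5: confirm the OLD certificate now fails online revocation checking, which
# is what a client sees if the Reverse Proxy is still serving it.
function Test-CertRevoked([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EndCertificateOnly
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30
    [void]$chain.Build($Cert)
    $revoked = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    return [bool]($chain.ChainStatus | Where-Object { ($_.Status -band $revoked) -ne 0 })
}

$oldCert = Get-Item "Cert:\LocalMachine\My\$oldThumb"
if (Test-CertRevoked $oldCert) {
    Write-Warning "Old certificate $oldThumb is revoked: import edge-rekey.pfx on the Reverse Proxy before users click Join Meeting."
}
```

Run it from an elevated Lync Server Management Shell on the Edge server, pausing at the marked point to complete the re-key at GoDaddy. Keep the old thumbprint handy until the Reverse Proxy has been updated, since the revocation warning at the end is the signal that the external Join Meeting path is broken until that import is done.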
Important: After updating the certificate on the Edge server, all external users must sign out of Lync and sign back in; otherwise, when they try to join a Lync Online meeting, they will be immediately dropped from the conference.