Issuing longer (5 year) Internal CA Certificates to Skype for Business Servers

By default, certificates issued by an internal Certificate Authority from the Web Server template and assigned to Lync and Skype for Business servers (e.g. Front End, Internal Edge, etc.) are valid for two years.

Two years quickly pass by, and it can be an involved task to generate new certificates, especially across enterprise deployments.

If agreeable with corporate security, I generally create a new template to issue five-year certificates.  Note that five years is the maximum that the Skype for Business Server Deployment Wizard accepts.

Open the Certification Authority MMC.  Right click Certificate Templates, click Manage.

Right click the Web Server template, click Duplicate Template.

Edit the properties of the New Template.  Change the Template Name & Display Name to something meaningful (here I’m going with SfB_Template).  Set the validity period to 5 years.  Click OK.

Right click Certificate Templates, click New > Certificate Template to Issue.

SfB_Template is now visible in Enable Certificate Templates.  Click OK.

SfB_Template now appears in Certificate Templates.

Certificates can now be issued.  The following is an overview of using the Skype for Business Server Deployment Wizard to request and assign a new certificate for a SfB Front End Server, specifying the SfB_Template.

Click on the Default certificate, click Request.

Select the Internal CA, set a friendly name, select the SIP domain.  Click Advanced.

Check “Send the request immediately to an online certification authority”.  Click Next.

Click Next.

Check “Use alternative certificate template for the selected certification authority”.  Enter the template name (SfB_Template).  Click Next.

Bit length should be 2048 (the default).  Click Next.

Add any additional SAN names if required.  Click Finish.

Verify details, click Next.

Review the Certificate Request Summary.  Click Next.

Click Next.

Click Finish.

View Certificate Details: as you can see from the certificate properties, the certificate is valid for five years.   Click OK.

Click Next.

Review the Certificate Assignment Summary. Click Next.

Click Finish.

Click Close.
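
The wizard steps above can also be run from the Skype for Business Server Management Shell on the Front End. The following is an added example, not part of the original post; the CA path, friendly name and SIP domain are placeholder assumptions. It checks the issued lifetime before assigning, because a CA also limits issued certificates to its own ValidityPeriod setting and to the remaining lifetime of the CA certificate, whatever the template says.

```powershell
# Added example. Placeholder values are assumptions; replace them with your own.
$ca           = 'ca01.contoso.local\Contoso-Issuing-CA'  # placeholder: <CA host>\<CA name>
$template     = 'SfB_Template'                           # template name created above
$friendlyName = 'SfB FE Default 5yr'                     # placeholder friendly name
$sipDomain    = 'contoso.com'                            # placeholder SIP domain
$types        = 'Default','WebServicesInternal','WebServicesExternal'

# Request from the online CA with the alternative template and a 2048-bit key.
Request-CsCertificate -New -Type $types -CA $ca -Template $template `
    -FriendlyName $friendlyName -KeySize 2048 -DomainName "sip.$sipDomain" | Out-Null

# Find the newly issued certificate in the computer store by its friendly name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate named '$friendlyName' found in LocalMachine\My." }

# Confirm the lifetime and key size actually issued before assigning anything.
$years   = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
$keySize = $cert.PublicKey.Key.KeySize
'{0}: {1:N1} years, {2}-bit key, expires {3:d}' -f `
    $cert.Thumbprint, $years, $keySize, $cert.NotAfter

if ($years -lt 4.9) {
    # The template asked for 5 years but the CA issued less.
    Write-Warning ("Issued for {0:N1} years. On the CA, check " -f $years +
        "'certutil -getreg CA\ValidityPeriodUnits' and the CA certificate's expiry.")
}
elseif ($keySize -lt 2048) {
    Write-Warning "Key size is $keySize bits; not assigning."
}
else {
    # Assign to the same uses the wizard's Default certificate covers.
    Set-CsCertificate -Type $types -Thumbprint $cert.Thumbprint
    Get-CsCertificate -Type $types | Format-Table Use, Thumbprint, NotAfter -AutoSize
}
```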
