Certificates

Incorrectly issued certificates are a potential problem with Director configuration. Be sure to follow the guidelines outlined here to rule out any certificate issues:

Subject Name—Ensure that the subject name matches the fully qualified name of the pool.

Subject Alternative Names—A Director’s SAN field must contain the server name, and any supported SIP domains in the sip.<SIP Domain> format. Additionally, it must include the simple URLs for dialin, meet, lyncdiscover, and admin.

Key Bit Length—The certificate bit length must be 1024, 2048, or 4096 to be supported by Lync Server 2013.

Template—The template used to issue the certificate should be based on the web server template. If the Lync Server 2013 certificate wizard is used, the correct template will automatically be applied.

Private Key—The server certificate must have its private key associated with it before Lync Server 2013 can use it. In situations where certificates are exported or copied between servers, be sure to export the private key with the certificate.

Certificate Chain—The Director must be able to verify each certificate up to a Trusted Root Certification Authority. Additionally, because the server is presenting the certificate to clients, it must contain each intermediate certificate in the certificate chain.

Certificate Store—All certificates used by the Director must be in the Personal section of the local computer certificate store. A common mistake is to place certificates in the Personal section of the user account certificate store.

Certificate Trust—Be sure that the clients and servers communicating with the Director all contain a copy of the top-level certificate authority of the chain in their Trusted Root Certification Authority local computer store. When the certification authority is integrated with Active Directory, this is generally not an issue, but when an offline or nonintegrated certificate authority is used, it might be necessary to install root certificates on clients and servers.
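
The checks above can be run against the local computer Personal store in one pass. The following PowerShell is an added example, not part of the original text or of any Lync tooling; the pool name, server name, SIP domain, and simple URL host names are constructed placeholders, and the SAN parsing assumes an English-language Windows installation (where the extension is rendered as "DNS Name=").

```powershell
# Added example. All host names below are constructed placeholders; replace them.
$PoolFqdn   = 'dirpool.example.com'      # expected subject name (pool FQDN)
$ServerFqdn = 'dir01.example.com'        # Director server name
$SipDomains = @('example.com')           # supported SIP domains
# Assumption: simple URLs are hosted as <name>.<SIP domain>
$SimpleUrls = 'dialin','meet','lyncdiscover','admin' | ForEach-Object { "$_.example.com" }

$required = @($ServerFqdn) + ($SipDomains | ForEach-Object { "sip.$_" }) + $SimpleUrls
$required = $required | ForEach-Object { $_.ToLower() }

# Local computer Personal store, not the user account store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Subject Alternative Name extension (OID 2.5.29.17).
    $sans   = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value.ToLower() }
    }

    # Build the chain to a trusted root. Revocation checking is turned off
    # so the result reflects only the trust path and intermediates.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    $keySize = $cert.PublicKey.Key.KeySize

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        SubjectMatches = ($cert.GetNameInfo('SimpleName', $false) -eq $PoolFqdn)
        MissingSans    = ($required | Where-Object { $sans -notcontains $_ }) -join ', '
        KeyBits        = $keySize
        KeyBitsOk      = (1024, 2048, 4096) -contains $keySize
        HasPrivateKey  = $cert.HasPrivateKey
        ChainTrusted   = $chainOk
        ChainLength    = $chain.ChainElements.Count
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
} | Format-List
```

A certificate that is expected but does not appear in the output at all is most likely sitting in the user account store instead of the local computer store.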
