

Obtaining Certificates for Group Chat Server

 

Topic Last Modified: 2012-03-06

To install Microsoft Lync Server 2010, Group Chat, you must have a certificate issued by the same certification authority (CA) as the one used by Microsoft Lync Server 2010 internal servers for each server running the Lookup service, Channel service, Web service, and Compliance service. Obtain the required certificate(s) before you start Lync Server 2010, Group Chat, especially if you are using an external CA.

For information about configuring the Web service IIS certificate, see Configuring the Web Service IIS Certificate for Group Chat Server.

You can use the procedures in this topic to obtain a certificate by using an internal enterprise CA and Windows Certificate Services.

To download the CA certification path

  1. With your organization’s root CA offline and your subordinate (issuing) CA server online, log on to the Group Chat Server, click Start, click Run, type http://<name of your Issuing CA Server>/certsrv, and then click OK.

  2. In the Select a task box, click Download a CA certificate, certificate chain, or CRL.

  3. In Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.

  4. In the File Download dialog box, click Save.

  5. Save the .p7b file on a drive on your server. If you open this .p7b file, the chain contains the following two certificates:

    • <name of Enterprise root CA> certificate

    • <name of Enterprise subordinate CA> certificate

To install the CA certification path

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. In the Add/Remove Snap-in dialog box, click Add.

  4. On the Available Standalone Snap-ins list, click Certificates, and then click Add.

  5. Click Computer account, and then click Next.

  6. In the Select Computer dialog box, click Local computer (the computer this console is running on), and then click Finish.

  7. Click Close, and then click OK.

  8. In the console tree of the Certificates snap-in, expand Certificates (Local Computer).

  9. Expand Trusted Root Certification Authorities.

  10. Right-click Certificates, point to All Tasks, and then click Import.

  11. In the Import Wizard, click Next.

  12. Click Browse, navigate to where you saved the certification chain, click the .p7b file, and then click Open.

  13. Click Next.

  14. Accept the default value Place all certificates in the following store and verify that Trusted Root Certification Authorities appears under the Certificate store.

  15. Click Next.

  16. Click Finish.

To request a certificate

  1. Open a web browser, type http://<name of your Issuing CA server>/certsrv, and then press Enter.

  2. Click Request a Certificate.

  3. Click Advanced certificate request.

  4. Click Create and submit a request to this CA.

  5. In Certificate Template, select the web server template.

    Important

    When requesting a certificate through a website, the certificate is installed in the default location: Current User\Personal\Certificates. You need to import the certificate to: Local Computer\Personal. For this reason, the certificate must be exported, and then imported into Local Computer\Personal\Certificates. It may be necessary to create a copy of the web server certificate template that allows an exportable private key. In the certificate request, use this web server template that allows the private key to be exported. For an example, see the following procedure, ‘To create a certificate with an exportable private key.’

  6. In Identifying Information for Offline Template, in Name, type the fully qualified domain name (FQDN) of the server.

  7. In Key Options, in CSP, click Microsoft RSA SChannel Cryptographic Provider.

  8. Select the Store certificate in the local computer check box.

  9. Click Submit.

  10. In the Potential Scripting Violation dialog box, click Yes.

To create a certificate with an exportable private key

  1. Use a certreq .inf file and the certreq command to create a certificate with an exportable private key. For example, first create a request.inf file:

    [NewRequest]
    ; Subject must be the FQDN of the Group Chat server
    Subject = "CN=server.contoso.com"
    ; Exportable = TRUE lets the private key be exported for re-import into Local Computer\Personal
    Exportable = TRUE
    ; 1024 is the value this topic uses; most current CA templates require at least 2048
    KeyLength = 1024
    ; KeySpec 1 = AT_KEYEXCHANGE, required for SChannel/TLS; KeyUsage 0xA0 = Digital Signature + Key Encipherment
    KeySpec = 1
    KeyUsage = 0xA0
    ; MachineKeySet = True creates the key in the machine store rather than the user store
    MachineKeySet = True
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = CMC
    
  2. Issue the following certreq commands (the -retrieve step is needed only if the CA holds the request for manual approval, using the request ID that -submit prints):

    certreq -new request.inf certnew.req
    certreq -submit -attrib "CertificateTemplate:Webserver" certnew.req certnew.cer
    certreq -retrieve <RequestID> certnew.cer
    certreq -accept certnew.cer
    
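As an added example (not from this topic or from the Lync product), the following PowerShell script performs the certreq procedure above end to end and then runs the trust-chain verification described at the end of this topic: it checks that the issued certificate is in Local Computer\Personal with an exportable private key and chains to a root present in Trusted Root Certification Authorities. The CA configuration string, template name and FQDN are placeholders you must replace.

```powershell
# Added example, not from the Lync documentation. Placeholders to replace: $Fqdn, $CaConfig, $Template.
$Fqdn     = 'server.contoso.com'                        # FQDN used in the topic's sample Subject
$CaConfig = 'issuingca.contoso.com\Contoso Issuing CA'  # placeholder "<CA host>\<CA name>"; see certutil -dump
$Template = 'Webserver'                                 # template name from the topic's -attrib argument
$Work     = Join-Path $env:TEMP 'groupchat-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Same fields as the topic's request.inf. KeyLength is 2048 here because 1024-bit RSA keys are
# rejected by current CAs and TLS clients; use the topic's 1024 only if your CA template requires it.
@"
[NewRequest]
Subject = "CN=$Fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
"@ | Set-Content -Path (Join-Path $Work 'request.inf') -Encoding ASCII

Push-Location $Work
try {
    certreq -new request.inf certnew.req
    # -config names the CA explicitly so certreq does not open the CA picker dialog
    certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" certnew.req certnew.cer
    # If the CA holds the request for approval, certreq prints a RequestId; after an administrator
    # issues it, run: certreq -retrieve <RequestId> certnew.cer, and then certreq -accept certnew.cer
    if (Test-Path certnew.cer) { certreq -accept certnew.cer }
} finally { Pop-Location }

# Verification: issued cert in Local Computer\Personal, exportable key, chain ending in Trusted Root CAs.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$Fqdn with a private key in LocalMachine\My" }
if ($cert.PrivateKey -and -not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
    throw 'Private key is not marked exportable; reissue with Exportable = TRUE'
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # the root CA is offline, so its CRL may be unreachable
if (-not $chain.Build($cert)) {
    throw ('Chain build failed: ' + (($chain.ChainStatus | Select-Object -ExpandProperty StatusInformation) -join '; '))
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint })) {
    throw "Root '$($root.Subject)' is not in Trusted Root Certification Authorities (LocalMachine\Root)"
}
"OK: $($cert.Subject) ($($cert.Thumbprint)) chains to $($root.Subject)"
```

Run it in an elevated PowerShell session on the Group Chat server, since writing to the machine key set and reading LocalMachine\My require administrator rights.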

To install the certificate on the computer

  1. Click Install this certificate.

  2. In the Potential Scripting Violation dialog box, click Yes.

To manually approve a certificate issuance request after the request is made

  1. Log on as a member of the Domain Admins group to the Enterprise subordinate CA server.

  2. Click Start, click Run, type mmc, and then press ENTER.

  3. On the File menu, click Add/Remove Snap-in.

  4. Click Add.

  5. In Add Standalone Snap-in, click Certification Authority, and then click Add.

  6. In Certification Authority, click Local computer (the computer this console is running on).

  7. Click Finish.

  8. Click Close, and then click OK.

  9. In the Microsoft Management Console (MMC), expand Certification Authority, and then expand your issuing certificate server.

  10. Click Pending Requests.

  11. In the details pane, right-click the request identified by its request ID, point to All Tasks, and then click Issue.

  12. On the server from which you requested the certificate, click Start, and then click Run.

  13. Type http://<name of your Issuing CA Server>/certsrv, and then click OK.

  14. In the Select a task box, click View the status of a pending certificate request.

  15. On the View the Status of a Pending Certificate Request page, click your request.

  16. Click Install this certificate.

    Verify that the CA certificate chain that grants trust for certificates issued from your CA has been installed at the following location: Console Root\Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates. This chain contains the root CA certificate.