Requesting SSL certificate for Lync 2013

I'm attempting to request an SSL certificate for a Microsoft Lync server however when I try to request the certificate, GoDaddy is giving me the following error:
You must use a fully-qualified primary domain name for a UCC Certificate Request.


The error makes sense because the primary subject name is NT-LYNC01.domain.local.

How do I change the Lync server so that clients don't connect to NT-LYNC01.domain.local but instead NT-LYNC01.domain.com?
Adeste1 asked:

Emmanuel Adebayo (Global Windows Infrastructure Engineer - Consultant) commented:
The CN that you need to use when generating the certificate must be NT-LYNC01.domain.com; then you can import it after GoDaddy has signed the certificate.

Regards
Nick Rhode (IT Director) commented:
Create another DNS zone (internally) for domain.com or what it is you need and create the pointer records within that zone
Jeff_Schertz commented:
Most public CAs will no longer issue certificates containing FQDNs using an invalid Top Level Domain. This article explains the limitation and what options you have available:

http://blog.schertz.name/2013/01/lync-server-certificate-cliff

Adeste1 (Author) commented:
Thanks Jeff_Schertz for the link.

I found the following link within your link that explains what steps need to take place:
http://blog.schertz.name/2012/12/lync-2013-client-autodiscover/

I'm still having a problem though because when I create the CSR, the primary domain name in the SSL certificate is still NT-LYNC01.domain.local. Now when I attempted to submit the CSR to GoDaddy, I get a different but very similar error:
You must use a fully-qualified primary domain name for a UCC Certificate Request.

How do I change the primary domain name in the SSL certificate request?
Jeff_Schertz commented:
You can't change the name in the request; you have to change the name of the server and hence the entire AD namespace. That is why this is such a problem. Your best bet is to deploy an internal Microsoft Enterprise CA so you can issue your own certificates to hosts on your internal .local domain.
Nick Rhode (IT Director) commented:
Internally do you have a 2nd DNS zone that is domain.com alongside your original domain.local in the DNS Server?
Adeste1 (Author) commented:
Jeff_Schertz: So if I understand correctly, if you have an Active Directory domain that ends with .local, then it's not possible to get an SSL certificate from a trusted CA?

NRhode: Not currently but creating a DNS zone is very simple.
Emmanuel Adebayo (Global Windows Infrastructure Engineer - Consultant) commented:
Yes, .local is not a valid TLD.
Adeste1 (Author) commented:
This might be comparing apples to oranges, but in Exchange there are ways to stop clients from connecting to the internal server name (exchange.domain.local) and have them resolve only the external domain:
Reference: http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm

Using that technique, we can continue to renew SSL certificates without the need to include the .local subject names.

There's no way to do something similar with Lync?
Jeff_Schertz commented:
That approach is not applicable here. The issue is that the OP needs to issue a certificate to the internal Lync Server which must contain (a) the server's own FQDN in addition to (b) extra FQDNs in the SIP domain. You cannot work around this by forcing internal clients to hairpin all traffic to external services; Lync is much more complex than Exchange.

So a typical example might look like:

SN: lync1.domain.local
SAN: sip.company.com, meet.company.com, admin.company.com, etc...

Because the Lync server is a domain member and part of the internal AD namespace it MUST be in the certificate to support both client-to-server TLS connections as well as server-to-server MTLS connections.

The ONLY option is to get a certificate issued from a CA which will still allow the inclusion of invalid TLDs which are basically none of the public CAs. You need to deploy an internal Enterprise Windows CA so you can issue your own certificates to the internal servers.  You would still use a public CA for external certs but the internal namespace would never be included in any external-facing certs.
Adeste1 (Author) commented:
Thanks for your detailed reply.

So from what I understand it's possible to have 2 certificates? One for internal use and issued by an internal enterprise CA and another certificate for external use which is issued by a public CA?

How would I go about doing this?
Jeff_Schertz commented:
Correct, but these two certificates are used on different servers. The private CA cert would be assigned to the internal Front End server and the public CA cert would be assigned to the external web services and Edge server.

You should read through this article, which explains in detail the best practices for managing certificates across the various internal and external roles in Lync Server.
Jeff_Schertz commented:
Would help if I included the link to the article I referenced :)

http://blog.schertz.name/2012/07/lync-edge-server-best-practices
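The two-certificate layout Jeff describes, written out as Lync Server 2013 Management Shell commands. This is an added example, not code from the thread or from the linked articles; the CA path, FQDNs and SIP-domain names are placeholders, and the first part runs on the Front End while the second runs on the Edge server.

```powershell
# Added example (not from the thread). Placeholders: CA path, FQDNs, SIP domain.

# --- 1. Internal Front End certificate from the internal Enterprise CA --------
# The subject stays the server's AD FQDN (.local); the SIP-domain names go into
# the SAN list. Only a private CA will sign a request that contains .local.
$internalCa = "NT-CA01.domain.local\domain-NT-CA01-CA"   # "<host>\<CA name>", placeholder
$feFqdn     = "NT-LYNC01.domain.local"

Request-CsCertificate -New `
    -Type Default,WebServicesInternal,WebServicesExternal `
    -ComputerFqdn $feFqdn `
    -CA $internalCa `
    -Template WebServer `
    -FriendlyName "Lync FE internal ($feFqdn)" `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -AllSipDomain `
    -DomainName "meet.domain.com,dialin.domain.com,lyncdiscoverinternal.domain.com" `
    -Report "C:\Logs\fe-cert-request.html"

# Bind the newest certificate issued to this FQDN to the Front End roles.
$feCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$feFqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal `
    -Thumbprint $feCert.Thumbprint

# --- 2. Offline CSR for the public CA (Edge external roles) -------------------
# Contains only names in the public SIP domain and never the .local namespace,
# which is exactly what a public CA such as GoDaddy will accept.
Request-CsCertificate -New `
    -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication `
    -FriendlyName "Lync Edge external" `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -DomainName "sip.domain.com,webconf.domain.com,av.domain.com" `
    -Output "C:\Certs\edge-external.csr"

# Pre-submission check: refuse to upload a CSR that still carries a .local name.
$dump = certutil.exe -dump "C:\Certs\edge-external.csr"
if ($dump | Select-String -Pattern '\.local' -Quiet) {
    Write-Warning "CSR contains a .local name; a public CA will reject it."
} else {
    Write-Host "CSR contains only public names; safe to submit."
}
```

The internal certificate is issued and bound in one step because the Enterprise CA is online; the external request is written to a file so its contents can be inspected before it leaves the network.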