Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How to update Lync 2013 deployment certificates?

Posted on 2014-11-05
5
Medium Priority
?
3,088 Views
Last Modified: 2014-11-07
A consultant setup our Lync 2013 server about a year ago and that includes the following servers.
An internal Lync front end server - lync.domain.com
An external Lync edge server in the DMZ - lyncedge.domain.com
Office Web Apps in the DMZ for sharing office documents in Lync online meetings - webapps.domain.com

An IIS AAR Reverse Proxy in the DMZ and in the Intermediate DMZ.  This is the actual endpoint if your off our network, all the appropriate IP's come into this guy, which does the job of directing you to the proper resources internally.

We have recieved an email from GoDaddy that states the following:

As we mentioned earlier, we recently switched from using SHA-1 certificates to the more secure SHA-2 algorithm for new certificates.
Google Chrome is a very popular internet browser. Starting in November, they'll begin displaying errors on the padlock icon for any website using SHA-1 SSL certificates.
 
 
 
It appears the following SSL certificate(s) are still using the SHA-1 algorithm. Please re-key them now to update to SHA-2 and avoid problems in November.
lync.domain.com
lyncedge.domain.com
webapps.domain.com
Please re-key your certificate(s) today to avoid alarming any visitors on your website. If you have any questions, take a look at the instructions below or call our SSL team at (480) 463-8887.

Sincerely,
GoDaddy

Follow these directions to re-key your certificate:
 
1.        Log in to your Account Manager.

 
2.       Click SSL Certificates.
 
3.       Next to the certificate you want to re-key, click View Status.
 
4.       Click Manage.
 
5.       Click Re-Key certificate.
 
6.       In the Certificate Signing Request (CSR) field, paste your new CSR, including:
---BEGIN NEW CERTIFICATE REQUEST--- and ---END CERTIFICATE REQUEST---
 
7.       Click Save.
 
8.       Click Submit All Saved Changes.


Now I don't want to forget anything as this is in production and people are using Lync.  What is the proper order of getting the new certificates installed and where do I go about getting the CSR (from which server(s))?

I really do not want to pay the consultant to do this if I can get this done.  Is this done via PowerShell on Lync front end server, or is this just done in IIS, or what?
0
Comment
Question by:ITdiamond
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 12

Expert Comment

by:Ganesh Kumar A
ID: 40423798
Start the installation of Lync 2013 media and run setup.

To generate a new CSR in Lync, go to the Edge server, launch the Deployment Wizard, click Install or Update Lync Server System. You will see it is complete with green tick mark.

Click Run again and generate the CSR, i assume you use google ucc certificates. Use the generated CSR and follow the steps mentioned by the Google to regenerate the certificate. Once you are done with the certificate import the same certificate. You must do with the public certificate, not the internal one.
0
 
LVL 8

Accepted Solution

by:
Steven Sheeley earned 2000 total points
ID: 40423806
In a nutshell, you are going to need to request the new certificates from GoDaddy. Since you already have certs from GoDaddy, I don't think you'll need a new CSR as they've stated above, you'll simply re-key them. Once you've been issued the new certs, on each server that your have a cert for from GoDaddy, run the Lync Server 2013 Deployment Wizard and follow the steps in this document:  http://www.entrust.net/knowledge-base/technote.cfm?tn=8759

This article also gives some good pointers:  http://blog.rassie.dk/2013/05/how-to-request-and-assign-a-certificate-to-a-lync-2013-edge-server/
0
 

Author Comment

by:ITdiamond
ID: 40423821
Those are great links Steven.  Do I need to do anything special with the IIS Reverse Proxy?
0
 
LVL 8

Expert Comment

by:Steven Sheeley
ID: 40423834
Sorry I missed the IIS AAR server in my initial answer. This article covers everything you need concerning IIS certs:  http://technet.microsoft.com/en-us/library/cc732230(v=WS.10).aspx
0
 

Author Closing Comment

by:ITdiamond
ID: 40429005
This was exactly what I needed, thank you!
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question