LYNC Server 2013 Certificate Renewal

I renewed my UCC certificate for my Lync 2013 server but cannot get it to import or assign in Lync.  We cannot connect without the certificate installed properly.

We did the new CSR and added our domains to it (meet, sip, autodiscover, etc.), sent it up to GoDaddy, issued and downloaded the new cert, but following the steps in the Deployment Wizard we cannot get the certificate installed.

Thanks!
lrmcenter asked:

Jakob Digranes, Senior Consultant, commented:
Might it be that the certificate request was made from another server than the one you're importing it into? When you create a request, the private key is stored on the computer where you create the request, thus the certificate you get back from the CA has to be imported on the same computer.
0
lrmcenter (Author) commented:
I only have 1 server and the request was generated on the same machine we are trying to import it on.

Thanks
0
Jakob Digranes, Senior Consultant, commented:
Start MMC, choose the Certificates snap-in and choose Local Computer.
Is the certificate imported there?
If so, when you open the certificate, does it say that you have the private key?
Also, look at the certificate chain: is it populated with all intermediate and root certs, or do you have an error saying "you don't have enough info to validate certificate"?
0
lrmcenter (Author) commented:
The certificate is in the Intermediate Certificate Authority certificate folder but only shows a 2048 RSA Public Key.

The certificate chain is valid.
0
Kamal Khaleefa, Information Security Specialist, commented:
Is there any error after importing?
If no errors, just restart the server; if it is still not working, add it to IIS for both web sites, and you will then need to restart the IIS and Lync services.
And after you finish successfully you need to export the configuration and import it to the edge server.
0
Jakob Digranes, Senior Consultant, commented:
The certificate shouldn't be in the Intermediate store. Then you're importing the wrong certificate. It must be imported into the Personal store.
You've imported the certificate chain certificates, rather than your certificate.
0
lrmcenter (Author) commented:
The certificate is not showing a Private Key ...
0
Kamal Khaleefa, Information Security Specialist, commented:
Add it manually in IIS.
0
Kamal Khaleefa, Information Security Specialist, commented:
For the internal and external website.
0
lrmcenter (Author) commented:
Here is a screenshot when importing it through the Lync Deployment wizard ...
LyncCert.png
0
lrmcenter (Author) commented:
We also use Video Conferencing and IM internally.
0
Kamal Khaleefa, Information Security Specialist, commented:
I don't get you.
Does IM work internally?
0
lrmcenter (Author) commented:
Nothing is working ... the Lync client cannot contact the server and log in .... On the server itself the "Lync Front-End" service will not start, with error 1067 "Process terminated unexpectedly" (typical MS error code).
0
Kamal Khaleefa, Information Security Specialist, commented:
OK.
Can you open IIS -> certificates
and check whether only the renewed one exists and the old one is deleted?
IIS is the same as the Lync deployment wizard.
Just be sure you assign the default cert for the server default
and the public one for the external website.
If there is a way to connect to your server I won't mind solving it for you.
0
Jakob Digranes, Senior Consultant, commented:
If you start MMC - Certificates and choose My Computer and look in PERSONAL, is your certificate present there?

Also, run the command
get-CsCertificate | fl
from the Lync Management Shell and post the result here.
0
lrmcenter (Author) commented:
PS C:\Users\lyncadmin> get-CsCertificate | fl


Issuer                        : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter                  : 10/22/2018 10:31:41 AM
NotBefore                  : 10/26/2015 9:53:38 AM
SerialNumber            : 189BF44077C863D3
Subject                        : CN=meetings.mydomain.com, OU=Domain Control Validated
AlternativeNames      : {meetings.mydomain.com, www.meetings.mydomain.com, lyncdiscover.mydomain.com,lyncadmin.mydomain.com...}
Thumbprint                  : DB33E5D0EF7F8DFDCAA77EA9480AB58D07F1C388
EffectiveDate            :
PreviousThumbprint      :
UpdateTime                  :
Use                              : Default
SourceScope                  :

Issuer                        : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter                  : 10/22/2018 10:31:41 AM
NotBefore                  : 10/26/2015 9:53:38 AM
SerialNumber            : 189BF44077C863D3
Subject                        : CN=meetings.mydomain.com, OU=Domain Control Validated
AlternativeNames      : {meetings.mydomain.com, www.meetings.mydomain.com, lyncdiscover.mydomain.com,lyncadmin.mydomain.com...}
Thumbprint                  : DB33E5D0EF7F8DFDCAA77EA9480AB58D07F1C388
EffectiveDate            :
PreviousThumbprint      :
UpdateTime                  :
Use                              : WebServicesInternal
SourceScope                  :

Issuer                        : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter                  : 10/22/2018 10:31:41 AM
NotBefore                  : 10/26/2015 9:53:38 AM
SerialNumber            : 189BF44077C863D3
Subject                        : CN=meetings.mydomain.com, OU=Domain Control Validated
AlternativeNames      : {meetings.mydomain.com, www.meetings.mydomain.com, lyncdiscover.mydomain.com,lyncadmin.mydomain.com...}
Thumbprint                  : DB33E5D0EF7F8DFDCAA77EA9480AB58D07F1C388
EffectiveDate            :
PreviousThumbprint      :
UpdateTime                  :
Use                              : WebServicesExternal
SourceScope                  :

Issuer                        : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter                  : 10/22/2018 10:31:41 AM
NotBefore                  : 10/26/2015 9:53:38 AM
SerialNumber            : 189BF44077C863D3
Subject                        : CN=meetings.mydomain.com, OU=Domain Control Validated
AlternativeNames      : {meetings.mydomain.com, www.meetings.mydomain.com, lyncdiscover.mydomain.com,lyncadmin.mydomain.com...}
Thumbprint                  : DB33E5D0EF7F8DFDCAA77EA9480AB58D07F1C388
EffectiveDate            : 10/26/2015 5:04:46 PM
PreviousThumbprint      :
UpdateTime                  :
Use                              : OAuthTokenIssuer
SourceScope                  : Global
0
lrmcenter (Author) commented:
Hang on .... It seems to be working now!  Yee Hee!

Let me see what step did it and I will post and award points!
0
Jakob Digranes, Senior Consultant, commented:
OK --- you're using a public certificate for the Lync Front End?
What is your internal domain name?
Is it domain.com or domain.local?
What is your pool name or Front End server FQDN?

If clients are domain joined, I'd recommend using internal certificates. Since you need several SAN names on the certificates, these are needed:

Lync Front End (should be internal):
lyncdiscover.domain.com
lyncdiscoverinternal.domain.com
meetings.domain.com (internal IP - you set the URL in Topology Builder)
dialin.domain.com (internal IP - if you decide to use conferencing dial in)
lync.domain.com (internal IP - Lync internal webservices - you set this in Topology Builder)
sip.domain.com (Internal IP)

Reverse Proxy (Must be Public Cert)
lyncdiscover.domain.com
dialin.domain.com
lync.domain.com
lyncdiscover

Edge Server (Must be Public Cert)
sip.domain.com (Client LogIN)
webconf.domain.com (Web Conferencing)

It might be that you're missing some SANs in the internal cert.

BTW, you won't need www.meetings.domain.com
0
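The checks the consultant describes (is the cert in the Personal store, does it have its private key, does the chain build, does it carry the SANs listed above) can be run in one go from PowerShell on the Front End. This is an added example, not code from the thread or from Microsoft; the thumbprint is the one from the get-CsCertificate output posted above, the domain and the required SAN list are assumptions taken from the advice in this post, and certutil -repairstore is the standard Windows tool for re-binding a key that the CSR left on this host.

```powershell
# Added example (not from the thread): audit a renewed Lync Front End certificate.
# Assumptions: thumbprint copied from the posted get-CsCertificate output; domain and
# SAN list are placeholders derived from the consultant's list above. Run elevated.
$Thumbprint = 'DB33E5D0EF7F8DFDCAA77EA9480AB58D07F1C388'
$Domain     = 'mydomain.com'
$RequiredSans = @("lyncdiscover.$Domain", "lyncdiscoverinternal.$Domain",
                  "meetings.$Domain", "dialin.$Domain", "lync.$Domain", "sip.$Domain")

# 1. Which LocalMachine store holds the cert? It must be in 'My' (Personal),
#    not 'CA' (Intermediate Certification Authorities) as in the author's case.
$found = Get-ChildItem Cert:\LocalMachine -Recurse |
         Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $found) { Write-Warning "Certificate $Thumbprint not found in any LocalMachine store"; return }
foreach ($c in $found) {
    $store = ($c.PSParentPath -split '\\')[-1]
    "{0,-10} HasPrivateKey={1}  Subject={2}" -f $store, $c.HasPrivateKey, $c.Subject
}
$cert = $found | Where-Object { $_.PSParentPath -like '*\My' } | Select-Object -First 1
if (-not $cert) { Write-Warning "Not in the Personal (My) store: the chain was imported, not the server cert"; return }

# 2. Private key present? The MMC 'You have a private key' line maps to HasPrivateKey.
#    If the CSR was generated on this host the key is still in the store; certutil can re-bind it.
if (-not $cert.HasPrivateKey) {
    Write-Warning "No private key bound to this certificate."
    Write-Warning "If the CSR was created on this server, re-bind with: certutil -repairstore my $Thumbprint"
}

# 3. Chain validity (same as the MMC 'Certification Path' tab).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use 'Online' when the server has CRL/OCSP access
$valid = $chain.Build($cert)
"Chain valid: $valid"
if (-not $valid) { $chain.ChainStatus | ForEach-Object { "  " + $_.StatusInformation.Trim() } }

# 4. SAN coverage versus the names the Front End needs.
$sans = $cert.DnsNameList | ForEach-Object { $_.Unicode.ToLower() }
foreach ($name in $RequiredSans) {
    $ok = $sans -contains $name.ToLower()
    "{0,-40} {1}" -f $name, $(if ($ok) { 'present' } else { 'MISSING' })
}
```

A certificate that shows a public key only and HasPrivateKey=False is exactly the symptom reported earlier in the thread; after re-binding the key, re-run the Deployment Wizard (or Set-CsCertificate) so Lync picks up the repaired entry.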
lrmcenter (Author) commented:
Here are the two links I found that helped to solve the issue. The second link is the one that did the trick.


http://howdouc.blogspot.com/2010/12/repairing-invalid-certificate-for.html

https://www.digicert.com/util/


Many thanks to all, but my Sr. Sys Admin and I figured this one out.
0
lrmcenter (Author) commented:
After trying the suggested steps by all who contributed we found that our own research helped to resolve the issue.
0