Certificate for Lync 2013

rasa78 used Ask the Experts™
Hello, I have Lync 2013 installed under the domain mycompany.com (internal and external both using .com). Is it possible to use a public certificate instead of an internal certificate? And what type of certificate is required for internal and external?

Yes, you can use a public certificate, as long as the internal domain is using a "public" domain part (like .com or .net).

You can use a regular SAN certificate from DigiCert. But be aware that the internal certificate requires quite a few SAN names, so it might be costly.
And you could, for the sake of simplicity, use the same certificate for internal and edge, but that would require even more SAN names.

Manpreet Singh Khatra, Solutions Architect, Project Lead
Top Expert 2013

Also, do keep in mind the cert shouldn't have internal domain names, as that's something which will be out soon and impact later.

- Rancy


Thanks to all. I'm using .net, but I think it is better to have a public certificate, and I think it is better to manage. On top of that, I have multiple domains in the same network, so I can avoid copying the certificate to all the clients from the different domains, right?

It depends...
You can also distribute root certificates via GPO; this simplifies the process.
A public certificate can be resolved anywhere as long as the client has internet access; otherwise you have to distribute the public root cert chain as well.
An advantage of your own PKI is that the cert can be renewed automatically, while a public certificate has to be replaced manually.

On the other hand, if you want to federate with other domains or in the public, you need a public cert anyway, at least on the external gateway.

If you decide on a public cert, make sure you have tested everything beforehand and create the correct request. If you make a mistake, you have to issue a new cert with additional costs. A cert from your own PKI can be changed at any time until you are sure everything is working as expected. If everything is fine, you can replace it with a public cert.

@Bembi is correct. Distribution of root and intermediate certs is easily done through GPOs, and an internal PKI is rather flexible - but if it's not installed already, you'd need some planning and work to get it up and running as per best practice.

For the public certs, if you buy from a well-known vendor, I'd recommend DigiCert - you can easily change CSR and certificate for no extra cost, other than the cost of adding extra SANs.


Many thanks to all.
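
The answers above advise keeping internal names out of a public certificate and getting the request right before paying for it. As an added example (not part of the original thread), this Python check runs over a planned SAN list before the CSR is created; the internal suffix list and the sample host names are assumptions, only mycompany.com comes from the question.

```python
import ipaddress

# Assumption: suffixes treated as internal-only (not publicly delegated TLDs).
INTERNAL_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".corp", ".home")


def check_san_list(names, public_domains):
    """Return {name: reason} for each planned SAN entry a public CA cannot validate.

    names          -- SAN entries planned for the certificate request
    public_domains -- registered domains the organisation controls (lowercase)
    """
    problems = {}
    for raw in names:
        name = raw.strip().lower().rstrip(".")
        try:
            ip = ipaddress.ip_address(name)
        except ValueError:
            ip = None
        if ip is not None:
            # Private, loopback and link-local addresses are not publicly routable.
            if not ip.is_global:
                problems[raw] = "non-public IP address"
            continue
        # A wildcard entry is judged by the domain it covers.
        host = name[2:] if name.startswith("*.") else name
        if "." not in host:
            problems[raw] = "single-label host name"
        elif host.endswith(INTERNAL_SUFFIXES):
            problems[raw] = "internal-only suffix"
        elif not any(host == d or host.endswith("." + d) for d in public_domains):
            problems[raw] = "outside the listed public domains"
    return problems


# Constructed sample: planned SAN entries for one request (hypothetical names).
PLANNED = [
    "sip.mycompany.com",
    "lyncdiscover.mycompany.com",
    "pool01.mycompany.com",
    "LYNCFE01",
    "lyncfe01.corp.local",
    "10.0.0.15",
    "meet.othercompany.net",
]

if __name__ == "__main__":
    for name, reason in check_san_list(PLANNED, ["mycompany.com"]).items():
        print(f"{name}: {reason}")
```

Every entry it reports has to be renamed, dropped, or moved to a certificate from the internal PKI before the request goes to the public CA.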
