Generate Microsoft Lync Private Key
Topic Last Modified: 2012-09-08
Important
When you run the Certificate Wizard, ensure that you are logged in using an account that is a member of a group that has been assigned the appropriate permissions for the type of certificate template you will use. By default, a Lync Server certificate request will use the Web Server certificate template. If you use an account that is a member of the RTCUniversalServerAdmins group to request a certificate using this template, verify that the group has been assigned the Enroll permissions required to use that template.
Each Edge Server requires a public certificate on the interface between the perimeter network and the Internet, and the certificate’s subject alternative name must contain the external names of the Access Edge service and Web Conferencing Edge service fully qualified domain names (FQDNs).
For details about this and other certificate requirements, see Certificate requirements for external user access in Lync Server 2013.
For a list of public certification authorities (CAs) that provide certificates that comply with specific requirements for unified communications certificates and have partnered with Microsoft to ensure they work with the Lync Server 2013 Certificate Wizard, see Microsoft Knowledge Base article 929395, 'Unified Communications Certificate Partners for Exchange Server and for Communications Server,' at https://go.microsoft.com/fwlink/p/?linkId=202834.
Configuring Certificates on the External Interfaces
To set up a certificate on the external edge interface at a site, use the procedures in this section to do the following:
Create the certificate request for the external interface of the Edge Server.
Submit the request to your public CA.
Import the certificate for the external interface of each Edge Server.
Assign the certificate for the external interface of each Edge Server.
If your deployment includes multiple Edge Servers, export the certificate along with its private key, and then copy it to the other Edge Servers. Then, for each Edge Server, import it and assign it as previously described. Repeat this procedure for each Edge Server.
You can request public certificates directly from a public certification authority (CA) (for example, from the website of a public CA). The procedures in this section use the Certificate Wizard for most certificate tasks. If you choose to request a certificate directly from a public CA, you will need to modify each procedure as appropriate to request, transport, and import the certificate, and also to import the certificate chain.
When you request a certificate from an External CA, the credentials provided must have rights to request a certificate from that CA. Each CA has a security policy that defines which credentials (that is, specific user and group names) are allowed to request, issue, manage, or read certificates.
If you decide to use the Certificates Microsoft Management Console (MMC) to import the certificate chain and certificate, you must import them to the certificate store for the computer. If you import them to the user or service certificate store, the certificate will not be available for assignment in the Lync Server 2013 Certificate Wizard.
To create the certificate request for the external interface of the Edge Server
On the Edge Server, in the Deployment Wizard, next to Step 3: Request, Install, or Assign Certificates, click Run again.
Note
If your organization wants to support public instant messaging (IM) connectivity with AOL, you cannot use the Lync Server Deployment Wizard to request the certificate. Instead, perform the steps in the “To create a certificate request for the external interface of the Edge Server to support public IM connectivity with AOL” procedure later in this topic.
If you have multiple Edge Servers in one location in a pool, you can run the Lync Server 2013 Certificate Wizard on any one of the Edge Servers.
On the Available Certificate Tasks page, click Create a new certificate request.
On the Certificate Request page, click External Edge Certificate.
On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box.
On the Certificate Request File page, type the full path and file name of the file to which the request is to be saved (for example, c:\cert_external_edge.cer).
On the Specify Alternate Certificate Template page, to use a template other than the default WebServer template, select the Use alternative certificate template for the selected certification authority check box.
On the Name and Security Settings page, do the following:
In Friendly name, type a display name for the certificate.
In Bit length, specify the bit length (typically, the default of 2048).
Verify that the Mark certificate private key as exportable check box is selected.
On the Organization Information page, type the name for the organization and the organizational unit (for example, a division or department).
On the Geographical Information page, specify the location information.
On the Subject Name/Subject Alternate Names page, the information to be automatically populated by the wizard is displayed. If additional subject alternative names are needed, you specify them in the next two steps.
On the SIP Domain Setting on Subject Alternate Names (SANs) page, select the domain check box to add a sip.<sipdomain> entry to the subject alternative names list.
On the Configure Additional Subject Alternate Names page, specify any additional subject alternative names that are required.
On the Request Summary page, review the certificate information to be used to generate the request.
After the commands finish running, do the following:
To view the log for the certificate request, click View Log.
To complete the certificate request, click Next.
On the Certificate Request File page, do the following:
To view the generated certificate signing request (CSR) file, click View.
To close the wizard, click Finish.
Copy the output file to a location where you can submit it to the public CA.
To create a certificate request for the external interface of the Edge Server to support public IM connectivity with AOL
When the required template is available to the CA, use the following Windows PowerShell cmdlet at the Edge Server to request the certificate:
The default name of the certificate template provided in Lync Server 2013 is Web Server. Specify the <template name> only if you need to use a template that is different from the default template.
Note
If your organization wants to support public IM connectivity with AOL, you must use Windows PowerShell instead of the Certificate Wizard to request the certificate to be assigned to the external edge for the Access Edge service. This is because the Lync Server 2013 Web Server template that the Certificate Wizard uses to request a certificate does not support client EKU configuration. Before using Windows PowerShell to create the certificate, the CA administrator must create and deploy a new template that supports client EKU.
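The request described in this procedure, written out as an added example (not text from the original topic), run from the Lync Server Management Shell on the Edge Server. The template name, output paths, thumbprint and SIP domain are placeholders or constructed values:

```powershell
# Added example, not from the original topic: request the Access Edge external
# certificate with the client EKU set, which the default Web Server template
# (and therefore the Certificate Wizard) cannot do.
# Placeholders: <template name> is the client-EKU template the CA administrator
# published; the output path and SIP domain are constructed for illustration.
$templateName = '<template name>'               # CA template that supports client EKU
$requestFile  = 'C:\cert_external_edge_aol.txt'  # offline CSR to send to the public CA

# Create the offline request for the Access Edge external certificate.
# -ClientEku $true adds the Client Authentication EKU the Web Server template lacks;
# -PrivateKeyExportable $true is needed so the certificate and key can later be
# exported and copied to every Edge Server in the pool.
Request-CsCertificate -New -Type AccessEdgeExternal `
    -Output $requestFile `
    -ClientEku $true `
    -Template $templateName `
    -FriendlyName 'External Edge - Access Edge (client EKU)' `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -DomainName 'sip.contoso.com'

# After the public CA returns the signed certificate, import it into the local
# computer store and assign it to the Access Edge external usage (the PowerShell
# equivalent of the wizard's Import and Assign steps). Both values are placeholders.
Import-CsCertificate -Path 'C:\cert_external_edge_aol.p7b' -PrivateKeyExportable $true
Set-CsCertificate -Type AccessEdgeExternal -Thumbprint '<thumbprint of the imported certificate>'
```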
To submit a request to a public certification authority
Open the output file.
Copy and paste the contents of the Certificate Signing Request (CSR).
If prompted, specify the following:
Microsoft as the server platform.
IIS as the version.
Web Server as the usage type.
PKCS7 as the response format.
When the public CA has verified your information, you will receive an email message containing text required for your certificate.
Copy the text from the email message and save the contents in a text file (.txt) on your local computer.
To import the certificate for the external interface of the Edge Server
Log on as a member of the Administrators group to the same Edge Server on which you created the certificate request.
In the Deployment Wizard, on the Deploy Edge Server page, next to Step 3: Request, Install, or Assign Certificates, click Run again.
On the Available Certificate Tasks page, click Import a certificate from a .p7b, .pfx, or .cer file.
On the Import Certificate page, click Browse to locate and select the certificate that you requested for the external interface of the Edge Server (or, you can type the full path and file name). If the certificate contains a private key, select Certificate file contains certificate’s private key and type the password for the private key. Click Next.
On the Import Certificate Summary page, review the summary and then click Next.
On the Executing Commands page, review the results of the import, click View Log for more information as needed, and then click Finish to complete the certificate import.
If you are configuring an Edge Server pool, export the certificate with its private key as outlined in the “To export the certificate with the private key for Edge Servers in a pool” procedure later in this topic. Copy the exported certificate file to the other Edge Servers, and import it into the computer store on each Edge Server.
To export the certificate with the private key for Edge Servers in a pool
Log on as a member of the Administrators group to the same Edge Server on which you imported the certificate.
Click Start, click Run, and type MMC.
In the Microsoft Management Console (MMC) console, click File, and then click Add/Remove Snap-in.
In Add or Remove Snap-ins, click Certificates, and then click Add.
In the Certificates dialog box, select Computer account, click Next, select Local computer: (the computer this console is running on) in Select Computer, click Finish and then click OK to complete configuration of the MMC console.
Double-click Certificates (Local Computer) to expand the certificate stores, double-click Personal, and then double-click Certificates.
Important
If there are no certificates in the Certificates Personal store for the local computer, there is no private key associated with the certificate that was imported. Review the request and import steps. If the problem persists, contact your certification authority administrator or provider.
In the Certificates Personal store for the local computer, right-click the certificate that you are exporting, click All Tasks, and then click Export.
In the Certificate Export Wizard, click Next, select Yes, export the private key, and then click Next.
Note
If the selection Yes, export the private key is not available, the private key associated with this certificate was not marked for export. You will need to request the certificate again, ensuring that the certificate is marked to allow for the export of the private key before you can continue with the export. Contact your certification authority administrator or provider.
On the Export File Formats dialog, select Personal Information Exchange – PKCS#12 (.PFX) and then select the following:
Include all certificates in the certification path if possible
Export all extended properties
Warning
When exporting the certificate from an Edge server, do not select Delete the private key if the export is successful. Selecting this option will require that you import the certificate and the private key to this Edge server.
Click Next.
Type a password for the private key, type the password again to confirm, and then click Next.
Type a path and file name for the exported certificate, using a file extension of .pfx. The path must either be accessible to all other Edge servers in the pool or available to transport by means of removable media - for example, a USB flash drive. Click Next.
Review the summary in Completing the Certificate Export Wizard, and then click Finish.
In the successful export dialog box, click OK.
Import the exported certificate file to the other Edge servers following the steps outlined in the “To import the certificate for the external interface of the Edge Server” procedure earlier in this topic.
To assign the certificate for the external interface of the Edge Server
On each Edge Server, in the Deployment Wizard, next to Step 3: Request, Install, or Assign Certificates, click Run again.
On the Available Certificate Tasks page, click Assign an existing certificate.
On the Certificate Assignment page, click External Edge Certificate and select the Advanced Certificate Usages check box.
On the Advanced Certificate Usages page, select all check boxes to assign the certificate for all usages.
On the Certificate Store page, select the public certificate that you requested and imported for the external interface of the Edge Server.
Note
If the certificate you requested and imported is not in the list, one troubleshooting method is to verify that the subject name and subject alternative names of the certificate meet all requirements for the certificate and, if you manually imported the certificate and certificate chain instead of using the preceding procedures, that the certificate is in the correct certificate store (the computer certificate store, not the user or service certificate store).
On the Certificate Assignment Summary page, review your settings, and then click Next to assign the certificates.
On the wizard completion page, click Finish.
After using this procedure to assign the edge certificate, open the Certificate snap-in on each server, expand Certificates (Local computer), expand Personal, click Certificates, and then verify in the details pane that the certificate is listed.
If your deployment includes multiple Edge Servers, repeat this procedure for each Edge Server.
Topic Last Modified: 2014-02-14
You need to install the root certification authority (CA) certificate on the server running Microsoft Forefront Threat Management Gateway 2010 or IIS ARR for the CA infrastructure that issued the server certificates to the internal servers running Microsoft Lync Server 2013.
You also must install a public web server certificate on your reverse proxy server. This certificate’s subject alternative names should contain the published external fully qualified domain names (FQDNs) of each pool that is home to users enabled for remote access, and the external FQDNs of all Directors or Director pools that will be used within that Edge infrastructure. The subject alternative name must also contain the meeting simple URL, the dial-in simple URL, and, if you are deploying mobile applications and plan to use automatic discovery, the external Autodiscover Service URL as shown in the following table.
Field | Value | Example
---|---|---
Subject name | Pool FQDN | webext.contoso.com
Subject alternative name | Pool FQDN | webext.contoso.com (Important: the subject name must also be present in the subject alternative name.)
Subject alternative name | Optional Director Web Services (if Director is deployed) | webdirext.contoso.com
Subject alternative name | Meeting simple URL (Note: all meeting simple URLs must be in the subject alternative name. Each SIP domain must have at least one active meeting simple URL.) | meet.contoso.com
Subject alternative name | Dial-in simple URL | dialin.contoso.com
Subject alternative name | Office Web Apps Server | officewebapps01.contoso.com
Subject alternative name | External Autodiscover Service URL | lyncdiscover.contoso.com (Note: if you are also using Microsoft Exchange Server, you will also need to configure reverse proxy rules for the Exchange Autodiscover and web services URLs.)
Note
If your internal deployment consists of more than one Standard Edition server or Front End pool, you must configure web publishing rules for each external web farm FQDN and you will either need a certificate and web listener for each, or you must obtain a certificate whose subject alternative name contains the names used by all of the pools, assign it to a web listener, and share it among multiple web publishing rules.
Create a Certificate Request
You create a certificate request on the reverse proxy. You can create the request on another computer, but you must then export the signed certificate together with its private key and import it onto the reverse proxy once you have received it from the public certification authority.
Note
A certificate request or a certificate signing request (CSR) is a request to a trusted public certification authority (CA) to validate and sign the requesting computer’s public key. When a certificate is generated, a public key and a private key are created. Only the public key is shared and signed. As the name implies, the public key is made available to any public request. The public key is for use by clients, servers and other requesters that need to exchange information securely and validate a computer’s identity. The private key is kept secured and is used only by the computer that created the key pair to decrypt messages encrypted with its public key. The private key can be used for other purposes. For reverse proxy purposes, data encipherment is the primary use. Secondarily, the certificate authentication at the certificate key level is another use, and is limited only to validation that a requester has the computer’s public key, or that the computer that you have a public key for is actually the computer that it claims to be.
Tip
If you plan your Edge Server certificates and your reverse proxy certificates at the same time, you should notice that there is a great deal of similarity between the two certificate requirements. When you configure and request your Edge Server certificate, combine the Edge Server and the reverse proxy subject alternative names. You can use the same certificate for your reverse proxy if you export the certificate and the private key and copy the exported file to the reverse proxy and then import the certificate/key pair and assign it as needed in the upcoming procedures. Refer to the certificate requirements for the Edge Server Plan for Edge Server certificates in Lync Server 2013 and the reverse proxy Certificate summary - Reverse proxy in Lync Server 2013. Make sure that you create the certificate with an exportable private key. Creating the certificate and certificate request with an exportable private key is required for pooled Edge Servers, so this is a normal practice and the Certificate Wizard in the Lync Server Deployment Wizard for the Edge Server will allow you to set the Make private key exportable flag. Once you receive the certificate request back from the public certification authority, you will export the certificate and the private key. See the section “To export the certificate with the private key for Edge Servers in a pool” in the topic Set up certificates for the external edge interface for Lync Server 2013 for details on how to create and export your certificate with a private key. The extension of the certificate should be of type .pfx.
To generate a certificate signing request on the computer where the certificate and private key will be assigned, you do the following:
Creating a certificate signing request
Open the Microsoft Management Console (MMC) and add the Certificates snap-in and select Computers, then expand Personal. For details on how to create a certificates console in the Microsoft Management Console (MMC), see https://go.microsoft.com/fwlink/?LinkId=282616.
Right-click Certificates, click All Tasks, click Advanced Operations, click Create Custom Request.
On the Certificate Enrollment page, click Next.
On the Select Certificate Enrollment Policy page under Custom Request, select Proceed without enrollment policy. Click Next.
On the Custom Request page, for Template select (No template) Legacy key. Unless otherwise directed by your certificate provider, leave Suppress default extensions unchecked and the Request format selection on PKCS #10. Click Next.
On the Certificate Information page, click Details, then click Properties.
On the Certificate Properties page on the General tab in the Friendly Name field, type a name for this certificate. Optionally, type a description in the Description field. The Friendly Name and description are typically used by the Administrator to identify what the certificate purpose is, such as Reverse Proxy Listener for Lync Server.
Select the Subject tab. Under Subject name for the Type, select Common name for the Subject name type. For the Value, type the subject name that you will use for the reverse proxy, and then click Add. In the example provided in the table in this topic, the subject name is webext.contoso.com and would be typed into the Value field for the Subject name.
On the Subject tab under Alternative name, select DNS from the drop-down for Type. For each subject alternative name that you require on the certificate, type the fully qualified domain name, then click Add. For example, three of the subject alternative names in the table are meet.contoso.com, dialin.contoso.com, and lyncdiscover.contoso.com. In the Value field, type meet.contoso.com, then click Add. Repeat for each subject alternative name that you need to define.
On the Certificate Properties page, click the Extensions tab. On this page, you will define the cryptographic key purposes in Key usage and the extended key usage in Extended Key Usage (application policies).
Click the Key usage arrow to show the Available options. Under Available options, click Digital signature, then click Add. Click Key encipherment, then click Add. If the checkbox for Make these key usages critical is unchecked, select the checkbox.
Click the Extended Key Usage (application policies) arrow to show the Available options. Under Available options, click Server Authentication, then click Add. Click Client Authentication, then click Add. If the check box for Make the Extended Key Usages critical is checked, clear the check box. Unlike the Key usage check box (which must be checked), the Extended Key Usage check box must not be checked.
On the Certificate Properties page, click the Private Key tab. Click the Key options arrow. For Key size, select 2048 from the drop down. If you are generating this key pair and CSR on a computer other than the reverse proxy that this certificate is intended for, select Make private key exportable.
Security Note: Selecting Make private key exportable is generally advised when you have more than one reverse proxy in a farm, because you will copy the certificate and the private key to each machine in the farm. If you do allow for an exportable private key, you must take extra care with the certificate and the computer that it is generated on. The private key, if compromised, will render the certificate useless as well as potentially expose the computer or computers to external access and other security vulnerabilities.
On the Private Key tab, click the Key type arrow. Select the Exchange option.
Click OK to save the Certificate Properties that you have set.
On the Certificate Enrollment page, click Next.
On the Where do you want to save the offline request? page, you are prompted for a File Name and a File Format for saving the certificate signing request.
In the File Name entry field, type a path and filename for the request, or click Browse to select a location for the file and type the filename for the request.
For File format, click either Base 64 or Binary. Select Base 64 unless you are instructed otherwise by the vendor for your certificates.
Locate the request file that you saved in the previous step. Submit to your public certification authority.
Important
Microsoft has identified public CAs that meet the requirements for Unified Communications purposes. A list is maintained in the following Knowledge Base article: https://go.microsoft.com/fwlink/?LinkId=282625
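Once the signed certificate has been imported into the local computer store, the properties set in the procedure above can be audited rather than trusted to have been clicked correctly. The following is an added example (not part of the original topic) that checks a certificate against the subject name, subject alternative name, key usage, extended key usage and key size requirements given in this topic; the contoso.com host names are the table's constructed examples, and Test-LyncReverseProxyCertificate is a name chosen here:

```powershell
# Added example, not from the original topic: audit an installed reverse proxy
# certificate against the requirements described above. Host names are the
# constructed contoso.com examples from the table; replace them with your own.
function Test-LyncReverseProxyCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$SubjectName,
        [string[]]$RequiredSan = @()
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Subject name: the CN must be the published pool FQDN.
    $cn = $Certificate.GetNameInfo('SimpleName', $false)
    if ($cn -ne $SubjectName) { $findings.Add("Subject CN is '$cn', expected '$SubjectName'") }

    # Subject alternative names (OID 2.5.29.17): the subject name itself must also be
    # present, along with every published FQDN, simple URL and Autodiscover name.
    # Format() output is locale dependent; 'DNS Name=' is the English label.
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLower() }
    }
    foreach ($name in (@($SubjectName) + $RequiredSan)) {
        if ($sans -notcontains $name.ToLower()) { $findings.Add("SAN missing: $name") }
    }

    # Key usage must be marked critical and include Digital Signature and Key Encipherment.
    $ku = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) { $findings.Add('Key usage extension missing') }
    else {
        if (-not $ku.Critical) { $findings.Add('Key usage is not marked critical') }
        foreach ($flag in 'DigitalSignature', 'KeyEncipherment') {
            $bit = [System.Enum]::Parse([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags], $flag)
            if (-not ($ku.KeyUsages -band $bit)) { $findings.Add("Key usage lacks $flag") }
        }
    }

    # Extended key usage must NOT be critical and must carry Server and Client Authentication.
    $eku = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { $findings.Add('Extended key usage extension missing') }
    else {
        if ($eku.Critical) { $findings.Add('Extended key usage is marked critical') }
        $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        $wanted = @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'; '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }
        foreach ($oid in $wanted.Keys) {
            if ($ekuOids -notcontains $oid) { $findings.Add("EKU lacks $($wanted[$oid])") }
        }
    }

    # Key size from the procedure (2048) and a private key in the computer store,
    # without which the listener cannot use the certificate.
    $keySize = $Certificate.PublicKey.Key.KeySize
    if ($keySize -lt 2048) { $findings.Add("Key size $keySize is below 2048") }
    if (-not $Certificate.HasPrivateKey) { $findings.Add('No private key in the local computer store') }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage: evaluate every certificate in the local computer Personal store.
$required = 'webext.contoso.com', 'webdirext.contoso.com', 'meet.contoso.com', 'dialin.contoso.com', 'lyncdiscover.contoso.com'
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LyncReverseProxyCertificate -Certificate $_ -SubjectName 'webext.contoso.com' -RequiredSan $required } |
    Format-List
```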