As part of installing and configuration Lync Server 2010 and the mobility service for Lync 2010 you will have to reissue and assigned your new certificates on your Director Servers, Front-End Servers and also on the Reverse Proxy to include the following new SAN’s.

Front-End certificate

• lyncdiscoverinternal.<sipdomain>
• lyncdiscover.<sipdomain>

Director Certificate

• lyncdiscoverinternal.<sipdomain>
• lyncdiscover.<sipdomain>

Reverse Proxy Certificate

• lyncdiscover.<sipdomain>

Reissuing the Front-End and Director Certificate (post CU4 and Mobility and AutoDiscover service install)

If you have already installed CU4 and the Mobility and AutoDiscover service then in order to reissue the certificate for your Front-End’s and Director’s and if you using a Windows Enterprise Certificate Authority then it is easy enough using the following example command from the Lync Shell. (assuming you have permissions to issue certificate, otherwise using the –Output switch as used in the reverse proxy certificate request to generate a good old Certificate Signing Request or use the –CaAccount and –CaPassword switches to provide account details)

Request-CsCertificate –New –Type Default,WebServicesInternal,WebServicesExternal -Ca dc.contoso.local\myca –AllSipDomain –verbose -PrivateKeyExportable $true -DomainName “sip.contoso.com,sip.fabrikam.com” -Country US -State “State” -City “City” -FriendlyName “fe.contoso.com – Front-End Certificate” -Organization “Contoso” -OU “IT”

Note: You don’t need to make the certificate private exportable nor included the friendly name and location, just change the CA path to your ADDS CA server and also the CA name.

This will request and issue the certificate (per below)

In order to assign it, then note the certificate thumbprint from the previous command and then use the following command at the Lync Shell.

Set-CsCertificate -Type Default, WebServicesInternal, WebServicesExternal -Thumbprint <Certificate Thumbprint>

This will assign the certificate to Lync and also to IIS

At this point you should really restart the Lync services or reboot in order for Lync Server to make use of the new certificate, IIS is fine however.

Reissuing the Reverse Proxy Certificate (post CU4 and Mobility and AutoDiscover service install)

Again If you have already installed CU4 and the Mobility and AutoDiscover service then in order to reissue the certificate for your Reverse Proxy then use the following example command:

Request-CsCertificate –New –Type WebServicesExternal –AllSipDomain –verbose -PrivateKeyExportable $true -Output “C:\externalwebservices-certreq.req -Country US -State “State” -City “City” -FriendlyName “lsweb1.contoso.com – External Web Services Certificate” -Organization “Contoso” -OU “IT”

This will generate a certificate signing request to be sent to a 3rd public certificate provider such a Verisign, GoDaddy or Entrust to name a few Lync qualified provider.

Then to import the certificate from public CA and complete the request, do make sure you’ve imported any root and chain certificate before (if required) at the Lync Server:

Import-CsCertificate –Path “C:\externalwebservice-response.cer”

Then export the certificate using the Certificate MMC console with the private key and import it on the reverse proxy and then assign it to the web listener and make the necessary to the publishing rules.

Requesting the Front-End/Director and Reverse Proxy Certificate (pre CU4 and Mobility and AutoDiscovery service install)

In case you want to request to certificate with the correct SAN’s ahead of installing CU4 and the Mobility and AuthDiscover service

Then for the Front-End and Director certificate, use the following:

Request-CsCertificate –New –Type Default,WebServicesInternal,WebServicesExternal -Ca dc.contoso.local\myca –AllSipDomain –verbose -PrivateKeyExportable $true -DomainName “sip.contoso.com,lyncdiscoverinternal.contoso.com,lyncdiscover.contoso.com” -Country US -State “State” -City “City” -FriendlyName “fe.contoso.com – Front-End Certificate” -Organization “Contoso” -OU “IT”

And for the Reverse Proxy certificate, use this:

Request-CsCertificate –New –Type WebServicesExternal –AllSipDomain –verbose -PrivateKeyExportable $true -Output “C:\externalwebservices-certreq.req -Country US -State “State” -City “City” -FriendlyName “lsweb1.contoso.com – External Web Services Certificate” -Organization “Contoso” -OU “IT” -DomainName “lyncdiscover.contoso.com”

Have fun……