Starting with Lync Server 2010, and continuing in Lync Server 2013, certificate management was much improved over previous OCS platforms, with the ability to itemize certificates across the environment. More specifically, on the Lync Server Front Ends you can now apply up to 3 unique certificates to each server. A description of each certificate is provided below:
In a typical deployment, a single certificate can be issued and applied to all 3 services, which simplifies certificate management further and also keeps costs low. There are times, however, when the certificates may need to be itemized, or “broken out”, into 2 or maybe 3 certificates and applied individually to each service.
In my latest deployment, the number of SIP domains required on the certificates pushed the SAN limitation of the certificate, which required me to itemize the certificates into 2 certificates. In this particular deployment, I issued a single certificate that is applied to both “Default” and “Web Internal”, and created a 2nd certificate to apply only to “Web External”. With additional proper planning, I was able to share this certificate across all Front Ends of all 4 pools and the HLBs of the deployment. Because this certificate has all the External Web Services names of all pools, it can also be applied to the TMGs (Reverse Proxy), if the organization is okay with having internal server FQDNs listed on a certificate that is applied to a public-facing Reverse Proxy.

You may have noticed I implied that there are internal server FQDNs listed on the External Web Services certificate; this is indeed a requirement. As you can see from the Subject Name / Common Name field of the “Web External” certificate, it states that the FQDN of the server is required. In my experience, the name of the server does not need to be the SN/CN, but rather in the SAN of the certificate; this way the certificate can be shared across however many servers you may be deploying. If you do plan to use this single certificate across all FEs in all of your pools, you must list every server FQDN in the certificate. If not, the following 41029 Lync Web App error will occur, which will break communication to your Lync Web App for external users. The blacked-out FQDN you see in the picture is actually the FQDN of the server itself, not the pool. If all the FE FQDNs are not listed in the SAN of the certificate, each FE in the pool will have a communication error to each FE in the pool, including itself. So the end story is: include the FQDN of each server that you plan to apply the certificate to in its SAN, to remove this annoying error.
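One way to check this before (or after) assigning a shared “Web External” certificate, as an added example that is not from the original post: run it from the Lync Server Management Shell on a Front End. It assumes that Get-CsPool exposes each pool’s Services and Computers, that Get-CsCertificate -Type WebServicesExternal returns the assigned certificate’s Thumbprint, and that the SAN extension formats as “DNS Name=” lines (English Windows).

```powershell
# Added example: verify that the Web External certificate assigned on this Front End
# lists every Front End FQDN of every pool in its Subject Alternative Name.
# Assumption: Lync Server Management Shell (Get-CsPool / Get-CsCertificate are Lync cmdlets).

# Every Front End FQDN in the topology: pools whose Services include the Registrar role
$frontEnds = Get-CsPool |
    Where-Object { $_.Services -match '^Registrar:' } |
    ForEach-Object { $_.Computers }

# The certificate currently assigned to the Web Services External usage on this server
$assigned = Get-CsCertificate -Type WebServicesExternal
if (-not $assigned) { throw 'No Web External certificate is assigned on this server.' }

# Read the SAN extension (OID 2.5.29.17) from the local machine store
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $assigned.Thumbprint }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw "Certificate $($cert.Thumbprint) has no Subject Alternative Name extension." }

# Format($true) yields one entry per line, e.g. "DNS Name=fe01.contoso.com"; keep DNS names only
$sanNames = $sanExt.Format($true) -split "`r?`n" |
    Where-Object { $_ -match '^DNS Name=' } |
    ForEach-Object { ($_ -replace '^DNS Name=', '').Trim().ToLowerInvariant() }

# The server name must be in the SAN; the CN alone cannot cover every Front End
$missing = $frontEnds | Where-Object { $sanNames -notcontains $_.ToLowerInvariant() }

if ($missing) {
    Write-Warning 'Front End FQDNs missing from the SAN (expect event 41029 on them):'
    $missing | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "All $($frontEnds.Count) Front End FQDNs are present in the SAN of $($cert.Thumbprint)."
}
```

Run it on one Front End per pool after assignment; any FQDN it reports as missing is a server that will log the 41029 error until the certificate is reissued with that name in the SAN.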