Exchange UM Certificate Confusion


We currently have Exchange 2010 & 2016 with Lync Server 2013. Right now, we have Exchange 2010 UM set up as a single-role server. The UM server uses a self-signed certificate, and Lync only works with UM if we import this self-signed certificate onto each Lync FE server. Our Exchange & Lync environments use separate 3rd-party DigiCert certificates.


As we're deploying Exchange 2016 (with all roles on it), we'd like to avoid having to import multiple certificates onto each Lync server and avoid using self-signed. From what I have been reading, it says you need to have the FQDN of each UM server in the SAN certificate, including any of the DNS names that Lync uses. Our current Exchange certificate is used for every service internally and externally, and the same goes for Lync, respectively. We'd like to not have to purchase another certificate that only has the FQDNs of each Exchange server, nor have to put the FQDNs in one of the current certificates. Any suggestions?


I hope that makes sense. Thanks for your help in advance.

1 Reply

Hi @Craig Unterborn, what I usually do is ensure that the FQDN of the server hosting the UM service is present in the SAN entry of the Exchange cert. Then simply assign the cert to the UM services. Since all the Lync\Skype servers trust the issuing authority, they will in turn trust the UM services.

Let us know how you progress.
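One way to carry out the check and assignment the reply describes from the Exchange Management Shell, as an added example that is not code from the thread; the server name UM01 and its FQDN um01.corp.example.com are assumed placeholders:

```powershell
# Added example (not from the thread). Assumed values: the UM server is
# named UM01 with FQDN um01.corp.example.com; adjust to your environment.
$umServer = 'UM01'
$umFqdn   = 'um01.corp.example.com'

# Pick the newest valid CA-issued (non-self-signed) certificate on the UM server
$cert = Get-ExchangeCertificate -Server $umServer |
    Where-Object { -not $_.IsSelfSigned -and $_.Status -eq 'Valid' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No valid CA-issued certificate found on $umServer" }

# Check: the server FQDN must appear in the SAN list (CertificateDomains);
# if it does not, Lync/Skype will fail the TLS handshake to UM, so the cert
# has to be reissued with that name before it is of any use here.
$sanNames = $cert.CertificateDomains | ForEach-Object { "$_" }
if ($sanNames -notcontains $umFqdn) {
    throw "Certificate $($cert.Thumbprint) lacks SAN entry $umFqdn; reissue it with that name first"
}

# UM only presents a certificate when its services run in TLS (or Dual) mode
Set-UMService -Identity $umServer -UMStartupMode TLS
Set-UMCallRouterSettings -Server $umServer -UMStartupMode TLS

# Assign the certificate to both UM services; Exchange 2013/2016 split the
# UM role into the UM service and the UM Call Router
Enable-ExchangeCertificate -Server $umServer -Thumbprint $cert.Thumbprint -Services UM,UMCallRouter

# Confirm the binding, then restart the services so the new cert is loaded
Get-ExchangeCertificate -Server $umServer -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
Restart-Service MSExchangeUM, MSExchangeUMCR
```

After the restart, the self-signed certificate no longer needs to be imported on the Lync Front End servers, provided they already trust the issuing CA.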