Skype for Business 2015 - Certificate issues


Hello.

This is a fresh Skype for Business 2015 on-premises installation used internally only. Certificates are generated by the enterprise CA. Everything works fine too except joining a meeting with the desktop app: "We couldn't join you to the meeting because the security certificate isn't trusted". This message cannot be suppressed. Eventually we will want to make it available from outside and we don't want that error then of course.

The problem is that we don't know what kind of certificate to buy, really, because it's quite complicated: 1 forest acme.world with 20 child domains, e.g. a.acme.world, c.acme.world, d.acme.world, e.acme.world, f.acme.world, etc. Externally, the address would be acme.com (we have a wildcard certificate for this). To make things more complicated, there are about 25 different SIP domains (acmesa.fr, acmegmbh.de, acmesrl.it, acmenv.be ....) too. Right now the server itself is called something like skype123.acme.world and in DNS it has an fe.acme.com alias.

Suggestions on making certificates work properly are welcome. Thank you in advance.

1 Reply
Hello,

The error says that the certificate the server presents is not trusted. So you need to ensure the CA (including the chain) used to sign the SfB server certificate is trusted on the clients.

Generating a certificate on an SfB server is quite comfortable if you use the deployment wizard. Add all the SIP domains you plan to use to your topology and then use the wizard to generate the CSR.
For the internal certificate there is no need to buy a certificate as long as your CA is trusted on your clients and fulfills the SfB certificate requirements.

Regards,

Paul
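
One way to check both points from the reply on an affected client, as an added example that is not part of the original thread: it builds the chain for an exported copy of the server certificate against the client's own trust stores and lists which expected names the certificate does not cover. The function name, the file path and the name list are hypothetical; the two names are taken from the question, and the wildcard match is a simple single-label comparison.

```powershell
function Test-ServerCertTrust {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string[]]$ExpectedNames
    )

    # Build the chain using this machine's trust stores, as the client would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption of this example: skip revocation so the result reflects trust only.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)

    # DNS names carried by the certificate (DnsNameList is a property PowerShell adds).
    $names = @($Certificate.DnsNameList | Where-Object { $_ } |
        ForEach-Object { $_.Unicode.ToLowerInvariant() })

    # An expected name is covered by an exact entry or by a wildcard for its parent domain.
    $missing = foreach ($expected in $ExpectedNames) {
        $e = $expected.ToLowerInvariant()
        $parent = $e.Substring($e.IndexOf('.') + 1)
        if ($names -notcontains $e -and $names -notcontains "*.$parent") { $expected }
    }

    [pscustomobject]@{
        Subject      = $Certificate.Subject
        ChainTrusted = $trusted
        # Per-element problems, e.g. UntrustedRoot or PartialChain.
        ChainErrors  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        # Leaf first, root last; a missing intermediate shortens this list.
        ChainPath    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        MissingNames = @($missing)
    }
}

# Hypothetical path: the server certificate exported to a .cer file and copied to the client.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\skype123.cer'
# Constructed name list, using the server name and alias mentioned in the question.
Test-ServerCertTrust -Certificate $cert -ExpectedNames 'skype123.acme.world', 'fe.acme.com'
```

A `ChainTrusted` value of `False` together with `UntrustedRoot` or `PartialChain` in `ChainErrors` points at the CA chain missing from the client's stores; entries in `MissingNames` point at names left out of the certificate request.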