Certificate Requirements for Internal Servers
Topic Last Modified: 2012-10-13
Internal servers that are running Microsoft Lync Server 2010 communications software and that require certificates include Standard Edition server, Enterprise Edition Front End Server, A/V Conferencing Server, Mediation Server, and Director. The following table shows the certificate requirements for these servers. You can use the Microsoft Lync Server 2010 certificate wizard to request these certificates.
Tip
Wildcard certificates are supported for the subject alternative names associated with the simple URLs on the Front End pool, Front End Server, or Director. For details about wildcard certificate support, see Wildcard Certificate Support.
Although an internal enterprise certification authority (CA) is recommended for internal servers, you can also use a public CA. For a list of public CAs that provide certificates that comply with the specific requirements for unified communications (UC) certificates and that have partnered with Microsoft to ensure their certificates work with the Lync Server Certificate Wizard, see Microsoft Knowledge Base article 929395, "Unified Communications Certificate Partners for Exchange Server and for Communications Server," at https://go.microsoft.com/fwlink/p/?linkid=3052&kbid=929395.
The following tables show certificate requirements by server role for Front End pools and Standard Edition servers. All of these are standard web server certificates whose private key is marked non-exportable.
Note that the Server Authentication enhanced key usage (EKU) is configured automatically when you use the certificate wizard to request certificates.
Certificates for Standard Edition Server
Certificate | Subject name/ Common name | Subject alternative name | Example | Comments |
---|---|---|---|---|
Default | Fully qualified domain name (FQDN) of the pool | FQDN of the pool and the FQDN of the server. If you have multiple SIP domains and have enabled automatic client configuration, the certificate wizard detects each supported SIP domain and adds its FQDN. If this pool is the auto-logon server for clients and strict Domain Name System (DNS) matching is required in group policy, you also need an entry for sip.<sipdomain> for each SIP domain you have. | SN=se01.contoso.com; SAN=se01.contoso.com. If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need SAN=sip.contoso.com; SAN=sip.fabrikam.com | On Standard Edition server, the server FQDN is the same as the pool FQDN. The wizard detects any SIP domains you specified during setup and automatically adds them to the subject alternative name. |
Web internal | FQDN of the server | Each of the following: the internal web FQDN (the server FQDN); every Meet simple URL; the Dial-in simple URL; the Admin simple URL | SN=se01.contoso.com; SAN=se01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com. Using a wildcard certificate: SN=se01.contoso.com; SAN=se01.contoso.com; SAN=*.contoso.com; SAN=meet.fabrikam.com | The internal web FQDN cannot be overridden in Topology Builder. If you have multiple Meet simple URLs, you must include all of them as subject alternative names. Wildcard entries are supported for the simple URL entries, but a wildcard matches only one label in its own domain: *.contoso.com covers meet.contoso.com, dialin.contoso.com and admin.contoso.com, not meet.fabrikam.com, which still needs its own entry, and not the server FQDN, which must be listed explicitly. |
Web external | FQDN of the server | Each of the following: the external web FQDN; every Meet simple URL; the Dial-in simple URL | SN=se01.contoso.com; SAN=webcon01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com. Using a wildcard certificate: SN=se01.contoso.com; SAN=webcon01.contoso.com; SAN=*.contoso.com; SAN=meet.fabrikam.com | If you have multiple Meet simple URLs, you must include all of them as subject alternative names. Wildcard entries are supported for the simple URL entries; a Meet simple URL in a second SIP domain is not covered by a wildcard for the first domain and needs its own entry. |
Certificates for Front End Server in a Front End Pool
Certificate | Subject name/ Common name | Subject alternative name | Example | Comments |
---|---|---|---|---|
Default | FQDN of the pool | FQDN of the pool and FQDN of the server. If you have multiple SIP domains and have enabled automatic client configuration, the certificate wizard detects each supported SIP domain and adds its FQDN. If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need an entry for sip.<sipdomain> for each SIP domain you have. | SN=eepool.contoso.com; SAN=eepool.contoso.com; SAN=ee01.contoso.com. If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need SAN=sip.contoso.com; SAN=sip.fabrikam.com | The wizard detects any SIP domains you specified during setup and automatically adds them to the subject alternative name. Each Front End Server in the pool needs its own certificate carrying its own server FQDN. |
Web Internal | FQDN of the server | Each of the following: the internal web FQDN (the server FQDN); every Meet simple URL; the Dial-in simple URL; the Admin simple URL | SN=ee01.contoso.com; SAN=ee01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com. Using a wildcard certificate: SN=ee01.contoso.com; SAN=ee01.contoso.com; SAN=*.contoso.com; SAN=meet.fabrikam.com | The internal web FQDN cannot be overridden in Topology Builder. If you have multiple Meet simple URLs, you must include all of them as subject alternative names. Wildcard entries are supported for the simple URL entries, but a wildcard matches only one label in its own domain: *.contoso.com does not cover meet.fabrikam.com, which still needs its own entry, and does not replace the explicit server FQDN entry. |
Web external | FQDN of the server | Each of the following: the external web FQDN; every Meet simple URL; the Dial-in simple URL | SN=ee01.contoso.com; SAN=webcon01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com. Using a wildcard certificate: SN=ee01.contoso.com; SAN=webcon01.contoso.com; SAN=*.contoso.com; SAN=meet.fabrikam.com | If you have multiple Meet simple URLs, you must include all of them as subject alternative names. Wildcard entries are supported for the simple URL entries; a Meet simple URL in a second SIP domain is not covered by a wildcard for the first domain and needs its own entry. |
Certificates for Director
Certificate | Subject name/ Common name | Subject alternative name | Example |
---|---|---|---|
Default | FQDN of the Director pool | FQDN of the Director pool and FQDN of the Director. If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need an entry for sip.<sipdomain> for each SIP domain you have. | SN=dir-pool.contoso.com; SAN=dir-pool.contoso.com; SAN=dir01.contoso.com. If this Director pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need SAN=sip.contoso.com; SAN=sip.fabrikam.com |
Web Internal | FQDN of the server | Each of the following: the internal web FQDN (the server FQDN); every Meet simple URL; the Dial-in simple URL; the Admin simple URL | SN=dir01.contoso.com; SAN=dir01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com. Using a wildcard certificate: SN=dir01.contoso.com; SAN=dir01.contoso.com; SAN=*.contoso.com; SAN=meet.fabrikam.com |
Web external | FQDN of the server | Each of the following: the Director external web FQDN, which must be different from the external web FQDN of the Front End pool or Front End Server; every Meet simple URL; the Dial-in simple URL | SN=dir01.contoso.com; SAN=directorwebcon01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com. Using a wildcard certificate: SN=dir01.contoso.com; SAN=directorwebcon01.contoso.com; SAN=*.contoso.com; SAN=meet.fabrikam.com |
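The Standard Edition, Front End and Director tables above apply the same rules: the pool and server FQDNs on the Default certificate, sip.<sipdomain> entries when strict DNS matching applies to the auto-logon pool, the simple URLs on the web certificates, and wildcard entries only for those simple URLs. The Python below is added here as an example; it is not part of Lync Server or of this topic. It computes the required names for a topology and reports which ones a certificate's SAN list fails to satisfy, applying the wildcard rule the way a client does (one label, same domain). The Topology fields, the function names and the host names are assumptions, and the SAN lists are constructed inline; in practice you would take them from the certificate itself.

```python
"""Required subject alternative names (SANs) for Lync Server 2010 internal
certificates, as listed in the tables in this topic, with a check of a
certificate's SAN list against them.  Example code, not part of Lync Server;
the Topology fields, function names and host names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Topology:
    pool_fqdn: str                        # on Standard Edition, same as server_fqdn
    server_fqdn: str
    sip_domains: list = field(default_factory=list)
    meet_urls: list = field(default_factory=list)   # host name of each Meet simple URL
    dialin_url: str = None                # host name of the Dial-in simple URL
    admin_url: str = None                 # host name of the Admin simple URL
    external_web_fqdn: str = None         # external web FQDN, e.g. webcon01.contoso.com
    strict_dns_auto_logon: bool = False   # pool is the auto-logon server and group
                                          # policy requires strict DNS matching


def simple_urls(t):
    """The only names a wildcard SAN entry is allowed to stand in for."""
    return set(t.meet_urls) | {n for n in (t.dialin_url, t.admin_url) if n}


def required_names(t, cert_type):
    """Return (subject name, set of required SANs) for one certificate type."""
    if cert_type == "Default":
        sans = {t.pool_fqdn, t.server_fqdn}
        if t.strict_dns_auto_logon:
            sans |= {"sip." + d for d in t.sip_domains}
        return t.pool_fqdn, sans
    if cert_type == "WebInternal":
        return t.server_fqdn, {t.server_fqdn} | simple_urls(t)
    if cert_type == "WebExternal":
        if not t.external_web_fqdn:
            raise ValueError("topology has no external web FQDN")
        # The Admin simple URL is not published externally, so it is not required here.
        sans = {t.external_web_fqdn} | set(t.meet_urls)
        if t.dialin_url:
            sans.add(t.dialin_url)
        return t.server_fqdn, sans
    raise ValueError("unknown certificate type: " + cert_type)


def wildcard_covers(pattern, name):
    """True when a '*.example' entry matches name: exactly one extra label,
    so *.contoso.com covers meet.contoso.com but not meet.fabrikam.com,
    contoso.com or a.b.contoso.com."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                        # ".contoso.com"
    if not name.endswith(suffix):
        return False
    head = name[:-len(suffix)]
    return bool(head) and "." not in head


def missing_names(t, cert_type, cert_sans):
    """Required names that the certificate's SAN list does not satisfy.
    A wildcard counts only for simple URLs; pool, server and external web
    FQDNs must appear literally."""
    _, required = required_names(t, cert_type)
    present = {s.lower() for s in cert_sans}
    wildcards = [p for p in present if p.startswith("*.")]
    allowed_wild = {n.lower() for n in simple_urls(t)}
    missing = []
    for name in sorted(n.lower() for n in required):
        if name in present:
            continue
        if name in allowed_wild and any(wildcard_covers(w, name) for w in wildcards):
            continue
        missing.append(name)
    return missing


def director_external_fqdn_ok(director, front_end):
    """The Director's external web FQDN must differ from the Front End's."""
    return director.external_web_fqdn.lower() != front_end.external_web_fqdn.lower()


if __name__ == "__main__":
    # Constructed topology matching the Standard Edition examples in this topic.
    se = Topology("se01.contoso.com", "se01.contoso.com",
                  ["contoso.com", "fabrikam.com"],
                  ["meet.contoso.com", "meet.fabrikam.com"],
                  "dialin.contoso.com", "admin.contoso.com",
                  "webcon01.contoso.com", strict_dns_auto_logon=True)
    # A wildcard for contoso.com leaves the second SIP domain's Meet URL uncovered.
    print(missing_names(se, "WebInternal", ["se01.contoso.com", "*.contoso.com"]))
```

Run against the SAN list of a certificate you are about to assign, the check reports the two mistakes that survive a visual inspection most often: a second SIP domain's Meet simple URL hidden behind a wildcard for the first domain, and a server FQDN that was dropped because the wildcard "looked like" it covered it.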
If you have a stand-alone A/V Conferencing Server pool, the A/V Conferencing Servers in it each need the certificate listed in the following table. If you collocate an A/V Conferencing Server with the Front End Servers, the certificates listed in the "Certificates for Front End Server in a Front End Pool" table earlier in this topic are sufficient.
Certificates for Stand-alone A/V Conferencing Server
Certificate | Subject name/ Common name | Subject alternative name | Example |
---|---|---|---|
Default | FQDN of the pool | Not applicable | SN=av-pool.contoso.com |
If you have a stand-alone Mediation Server pool, the Mediation Servers in it each need the certificate listed in the following table. If you collocate Mediation Server with the Front End Servers, the certificates listed in the "Certificates for Front End Server in a Front End Pool" table earlier in this topic are sufficient.
Certificates for Stand-alone Mediation Server
Certificate | Subject name/ Common name | Subject alternative name | Example |
---|---|---|---|
Default | FQDN of the pool | FQDN of the pool; FQDN of the pool member server | SN=medsvr-pool.contoso.net; SAN=medsvr-pool.contoso.net; SAN=medsvr01.contoso.net |
Certificates for Survivable Branch Appliance
Certificate | Subject name/ Common name | Subject alternative name | Example |
---|---|---|---|
Default | FQDN of the appliance | sip.<sipdomain> (one entry per SIP domain) | SN=sba01.contoso.net; SAN=sip.contoso.com; SAN=sip.fabrikam.com |