Lync 2010 with WildCard Certificates

Lync 2010 is a terrific piece of software that allows simple, effective collaboration for businesses of all sizes. Unfortunately, the architecture of the application is kludged together in a half-baked form. What this also means is that the Lync team decided to support "SAN" or "UCC" certificates so one certificate can secure multiple domains. However, they neglected to support wildcard certificates at all. This has been somewhat resolved with the latest Cumulative Update 6 (CU6), but it is still a nightmare to get going.

Even with this blog post, you may find it a nightmare to get working. Here are the steps that worked for me. This is for a 3-server setup: two front ends and one edge.

1) Get a good wildcard cert. The EssentialSSL Wildcard from Comodo worked for me. The PositiveSSL did NOT.

2) Get the thumbprint of the SSL certificate.

3) Install the certificate on all the machines. Make sure it's in the My Computer section of the Certificate Manager.

4) Open the Lync PowerShell.

5) For the front-end pools, enter the following command:
Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint <thumbprint> -Verbose -Confirm:$false -Report "c:\temp\test.html"

6) For the edge pools, enter the following command:
Set-CsCertificate -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication -Thumbprint <thumbprint> -Verbose -Confirm:$false -Report "c:\temp\test.html"

7) On all machines, create the following REG_DWORD value under the SCHANNEL key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"SendTrustedIssuerList"=dword:00000000

Reboot. Check your event logs to see if it took. When I used the PositiveSSL Wildcard, it did not work; the system simply didn't trust it. The EssentialSSL worked fine.
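The steps above gathered into one script, as an added example that is not the post author's own code. Rather than pasting the thumbprint by hand, it looks the certificate up in the Local Computer Personal store by subject and, before assigning it, checks the things that make a wildcard certificate fail silently on Lync: no private key, expiry, a missing Server Authentication EKU, or a chain that does not build to a root the server trusts (the PositiveSSL failure described above showed up as exactly that kind of trust failure). It then runs the page's Set-CsCertificate command for the chosen role and sets the step-7 Schannel value. The wildcard subject (*.example.com), the -Role switch, the report path and the script name are assumptions; the cmdlets and -Type values are the ones from the post. Run it in the Lync PowerShell on each server.

```powershell
# Added example, not the original post's code. Assumed usage, run from the Lync PowerShell:
#   .\Set-LyncWildcardCert.ps1 -WildcardSubject '*.example.com' -Role FrontEnd
#   .\Set-LyncWildcardCert.ps1 -WildcardSubject '*.example.com' -Role Edge
param(
    [Parameter(Mandatory = $true)][string]$WildcardSubject,                       # placeholder: '*.example.com'
    [Parameter(Mandatory = $true)][ValidateSet('FrontEnd', 'Edge')][string]$Role,
    [string]$ReportPath = 'C:\temp\test.html'
)

# Steps 2 and 3: find the cert in Local Computer > Personal and take its thumbprint from there.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$WildcardSubject*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$WildcardSubject in LocalMachine\My" }

# Pre-flight checks before handing the cert to Lync.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; import the PFX, not just the CER' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) must be present.
$serverAuth = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' } }
if (-not $serverAuth) { throw 'Certificate lacks the Server Authentication EKU' }

# The chain must build to a trusted root on THIS machine; a missing intermediate or an
# untrusted root is what "the system simply didn't trust it" looks like.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain does not build to a trusted root: $status (install the issuing CA's intermediate certs)"
}

# Steps 5 and 6: the -Type set depends on the role; the values are the post's.
$types = if ($Role -eq 'FrontEnd') {
    'Default', 'WebServicesInternal', 'WebServicesExternal'
} else {
    'AccessEdgeExternal', 'DataEdgeExternal', 'AudioVideoAuthentication'
}
Set-CsCertificate -Type $types -Thumbprint $cert.Thumbprint -Verbose -Confirm:$false -Report $ReportPath

# Step 7: SendTrustedIssuerList = 0 (REG_DWORD). Set-ItemProperty creates the value if absent.
# Takes effect after the reboot the post calls for.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Set-ItemProperty -Path $schannel -Name 'SendTrustedIssuerList' -Value 0 -Type DWord

# Verification. Run these two lines again after the reboot: the first confirms which thumbprint
# each Lync use is bound to, the second surfaces Schannel errors from the System log.
Get-CsCertificate -Type $types | Format-Table Use, Thumbprint, Subject -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Level = 2 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

The chain check is the part worth keeping even if you assign the certificate by hand: it runs the same trust evaluation Schannel does, so a certificate that fails it here will fail on the wire too, and the ChainStatus text tells you whether the problem is a missing intermediate, an untrusted root or a revocation lookup rather than leaving you to guess from the event log.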

2 Replies to “Lync 2010 with WildCard Certificates”

  1. I just wanted to throw in my 2 cents on this discussion. I know people in general have issues when installing SSL certificates for OpenSSL, so I looked around and found a tool that makes installing SSL certs on Apache a snap. Check it out at http://tools.ssl.com. Good luck with your SSL installs!

  2. I just had to comment on your post. I used your steps to update to a wildcard cert back in March of this year and it worked flawlessly. I did not use Step 7 as I did not need to. My organization uses GoDaddy for the wildcard cert and we did not have any issues. I had to renew my cert again last night and followed the steps again and another successful renewal. I want to thank you for posting this solution, I searched for a long time for using a wildcard cert with Lync 2010 and found nothing until I found your post. This saved me hours of work and money on renewing certs we did not need.
