Lync 2010, is a terrific piece of software that allows for simple, effective collaboration for all sizes of businesses. Unfortunately,the architecture of the application is kludged together in a half baked form. What this also means that is that the Lync team decided to support “SAN” or “UCC” certificates so they can secure multiple domains with one certificate. However, they neglected to support wildcard certificates completely. This has been somewhat resolved with the latest Cumulative Update 6 (CU6), but still a nightmare to get going.
Even with this blog post, you may find it a nightmare to get it to work. Here are the steps that worked for me. This is for a 3 server setup, two front ends, and one edge.
1) Get a good wildcard cert. The EssentialSSL Wildcard from Comodo worked for me. The PositiveSSL did NOT.
2) Get the thumbprint of the SSL.
3) Install the certificate on all the machines. Make sure its in the My Computer sectionof the Certificate Manager
4) Open the Lync Powershell.
5) For the front end pools, enter the following command
Set-CSCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint <thumbprint> -Verbose -Confirm:$false -Report c:\temp\test.html
6) For the edge pools, enter the following command
Set-CSCertificate -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication -Thumbprint <thumbprint> -Verbose -Confirm:$false -Report "c:\temp\test.html"
7) On all machines, create the reg dword key
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"Sendtrustedissuerlist"=dword:00000000
Reboot. Check your event logs to see if it took. When I used the PositiveSSL Wildcard, it did not work -the system simply didn’t trust it. The EssentialSSL worked fine.