10. Create Certificates
Like all other roles in Lync Server, the
Mediation Server communicates with other servers in the organization
using Mutual Transport Layer Security (MTLS). To use MTLS, each
Mediation Server needs at least one installed certificate that meets the
following requirements; a single certificate can satisfy both:
• The subject name should contain the pool’s fully qualified domain name (FQDN).
• The server name should be included as a subject alternative name.
Note
The Certificate Wizard in Lync Server 2013
automatically populates the subject name and any required subject
alternative names from the published topology, which removes much of
the certificate confusion that earlier versions created.
Follow these steps to request and assign the necessary certificates:
1. Under Step 3: Request, Install, or Assign Certificate, click the Run button.
2. Highlight the Default certificate and click the Request button to start the Certificate Request Wizard.
3. Click Next to continue.
4. Select either an
online certificate request and certificate authority, or an offline
certificate request and file path for the request. Click Next.
Note
The following steps assume that an internal certificate authority is used to generate the request.
5. If user credentials
other than the logged-on user are required to create the certificate
request, check the box Specify Alternate Credentials for the
Certification Authority. Enter a username and password and click Next.
This is typically used in large environments where the Lync
administrator does not have rights to request certificates.
6. If the default
WebServer template will not be used, check the box Use Alternate
Certificate Template for the Selected Certification Authority and enter
the certificate template name. The template name, not the template
display name, should be entered here. The template should already be
published and available on the certificate authority issuing the
certificate. In most cases the default WebServer template will be
sufficient and there is no need to check this box.
7. Enter a friendly name for the certificate for identification purposes.
8. Select a key bit length of either 2048 or 4096.
9. If the certificate
should be exportable, select the check box Mark Certificate Private Key
as Exportable. This should be selected for Mediation Server Pools with
multiple members, so the same certificate can be installed on each pool
member.
10. Enter an organization name, typically the name of the business.
11. Enter an organizational unit name, typically the name of a division or department, and click Next.
12. Select a country, enter a state or province, enter a city or locality, and click Next.
13. Review the automatically populated subject name and subject alternative names. Click Next.
14. Review the certificate request summary screen for accuracy and when satisfied click Next.
15. The Lync
Management Shell commands are displayed and the user can optionally
review the certificate request log. Unless the request failed, this is
not necessary. Click Next.
16. Leave the Assign
This Certificate to Lync Server Certificate Usages check box selected
to skip straight to the Certificate Assignment Wizard. Click Finish to
complete the request process.
Note
It might not seem intuitive, but to process a
response to an offline certificate request, use the Import Certificate
button found at the bottom of the Certificate Wizard. If a request to
an online certificate authority is in a pending state, the Process
Pending Certificates button will be available to complete those
requests.
Certificates issued from an online
certificate authority will be installed automatically. If an offline
request was performed, first copy the certificate authority response to
the server. Then use the Import Certificate button found at the bottom
of the wizard to complete the process. Follow these steps to import the
completed request:
1. Click Browse and select the certificate authority response.
2. Uncheck the Certificate File Contains the Certificate’s Private Key check box. Click Next.
3. Review the import certificate summary and click Next.
4. Click Finish to complete the process of associating the private key and certificate authority response.
11. Assign Certificates
After creating the necessary certificates,
the Mediation Server services must have certificates assigned to them.
To assign a certificate, follow these steps:
1. Under Step 3: Request, Install, or Assign Certificate, click the Run button.
2. Highlight the Default certificate and click the Assign button to start the Certificate Assignment Wizard.
3. Click Next to continue.
4. Select the
certificate to be assigned and click Next. It’s possible to view each
certificate in more detail by highlighting it and clicking the View
Certificate Details button.
Note
If a certificate is not available on this
screen, that usually means a private key is not associated with the
certificate. Be sure to complete any pending or offline requests before
this step.
5. Click Next on the Certificate Assignment Summary screen.
6. The Lync Management
Shell commands are displayed and the user can optionally review the
certificate request log. Unless the request failed, this is not
necessary. Click Next.
7. Click Finish to complete the wizard.
12. Start Services
After the necessary certificates have been
requested and assigned, the Lync Server 2013 Mediation Server services
can be started:
1. Beneath Step 4: Start Services, click the Run button.
2. Click Next to begin starting all the Lync Server services.
3. Click Finish to complete the wizard.
The wizard does not actually wait for the services to finish starting. Use the Services MMC to verify the actual service state.
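The request, assignment and service-start procedures in sections 10 through 12 can also be driven from the Lync Server Management Shell. The following is an added example, not code from the book; the CA path, pool FQDN, organization values and file paths are placeholders, and the checks at the end assume the issued certificate sits in the local computer's Personal store.

```powershell
# Added example, not from the book: the wizard steps as Lync Server Management
# Shell cmdlets. Run from an elevated Lync Server Management Shell on the
# Mediation Server. CA path, organization values and paths are placeholders.
$CA = "ca01.contoso.com\Contoso-Issuing-CA"   # "<CA server FQDN>\<CA name>"

# Section 10, steps 4-16 (online request). The private key is marked exportable
# so the same certificate can be installed on every member of a multi-server pool.
$requested = Request-CsCertificate -New -Type Default -CA $CA `
    -FriendlyName "Mediation Pool Default" -KeySize 2048 `
    -PrivateKeyExportable $True -Template "WebServer" `
    -Organization "Contoso" -OU "Unified Communications" `
    -Country "US" -State "Washington" -City "Redmond" `
    -Report "C:\Logs\MediationCertRequest.html"

# Offline alternative (step 4, offline path): write the request to a file, submit
# it to the CA out of band, copy the response back, then complete it against the
# private key that stayed on this server (the wizard's Import Certificate button).
#   Request-CsCertificate -New -Type Default -Offline -Output "C:\Certs\mediation.req" ...
#   $requested = Import-CsCertificate -Path "C:\Certs\mediation.cer" -PrivateKeyExportable $True

# Section 11: assign the issued certificate to the Default usage.
Set-CsCertificate -Type Default -Thumbprint $requested.Thumbprint

# Verify the two requirements listed at the top of section 10, plus the
# private-key condition that keeps a certificate out of the Assign wizard.
$assigned   = Get-CsCertificate -Type Default
$x509       = Get-Item ("Cert:\LocalMachine\My\" + $assigned.Thumbprint)
$poolFqdn   = "mediationpool.contoso.com"                    # placeholder pool FQDN
$serverFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$sanExt  = $x509.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { "" }

if ($x509.Subject -notmatch [regex]::Escape("CN=$poolFqdn")) {
    Write-Warning "Subject '$($x509.Subject)' does not contain the pool FQDN $poolFqdn"
}
if ($sanText -notmatch [regex]::Escape($serverFqdn)) {
    Write-Warning "SAN list does not include this server's FQDN $serverFqdn"
}
if (-not $x509.HasPrivateKey) {
    Write-Warning "No private key for $($x509.Thumbprint); complete the pending or offline request first"
}
if ($x509.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($x509.NotAfter); plan the renewal now"
}

# Section 12: start the services and confirm they actually reached Running,
# since the Start Services wizard does not wait for that.
Start-CsWindowsService
Get-CsWindowsService | Where-Object { $_.Status -ne "Running" } |
    Format-Table Name, Status -AutoSize
```

When the exportable key is copied to other pool members, move it as a password-protected PFX and remove the file once each member has imported it.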
At this point the Mediation Server installation is complete and it should be functional.