Friday, August 15, 2014

Quick Lync Fix: Requesting Lync Certificates from Comodo

Have you recently tried requesting a certificate for your Lync environment from Comodo? If you used the Lync Certificate Wizard to generate the request, you will probably run into the same issue I did during a recent deployment: they reject the request with a non-specific error. Why? There is currently a bug in their system that prevents them from processing a CSR that contains capital letters. The significance here is that the Lync Certificate Wizard preserves the case of the names exactly as they were entered in Topology Builder, and the Lyncdiscover and Lyncdiscoverinternal names that the wizard adds to the CSR automatically have their first letter capitalized. Fortunately, we have a couple of options to work around this.


Option 1 - Generate the CSR via PowerShell


This process has the fewest steps, but it also has some potential for errors because the domain names are entered manually. My suggestion is to use this option for new requests and to triple-check your spelling. A few usage examples of this cmdlet:

Lync External Web Services:
Request-CSCertificate -New -Type WebServicesExternal -ComputerFqdn fe01.domain.com -Output "C:\Lync\LyncWebExtCSR.req" -Country US -State "Missouri" -City "Saint Louis" -FriendlyName "Lync Web External Cert" -KeySize 2048 -PrivateKeyExportable $True -Organization "Mastering MS UC" -OU "IT"

NOTE: When running this command on one of the Front End servers, the ComputerFqdn parameter is not required. By selecting the correct "Type", the names are calculated from the topology and written in lower case, so the "DomainName" parameter is not needed.

Lync Edge External:
Request-CSCertificate -New -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication -ComputerFqdn edge01.domain.com -Output "C:\Lync\LyncEdgeExternalCSR.req" -Country US -State "Missouri" -City "Saint Louis" -FriendlyName "Lync Edge External Cert" -KeySize 2048 -PrivateKeyExportable $True -Organization "Mastering MS UC" -OU "IT" -DomainName "sip.domain.com, domain.com"

NOTE: On the Edge External CSR, for some reason the "AllSipDomain" parameter does not include all of the "sip.domain.com" names typically used for the automatic client configuration SRV records. Including "-Type AccessEdgeExternal" also fails to include the bare "domain.com" names required for XMPP federation. Add these names manually with the "-DomainName" parameter as shown above (if applicable), and remember to type them in lower case, since whatever you pass here goes into the CSR verbatim.


Option 2 - Reissue an existing certificate to Comodo using the Digicert Certificate Utility


This process is a modification of the one covered by Jeff Schertz in his blog post here:
http://blog.schertz.name/2012/01/simple-certificate-requests-in-lync/

Using the process outlined by Jeff, we simply use the DigiCert Certificate Utility to reissue an existing certificate that already includes the desired names. The beauty of this method is that you get the opportunity to edit the names in the request and remove the capital letters before the CSR is generated. You can then successfully submit the request to Comodo.
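Whichever option you use, it is worth checking the finished .req for capital letters before it goes to the CA rather than waiting for the rejection. The script below is an added example and is not code from the original post: it builds the Edge External SAN list for Option 1 in lower case from the SIP domains in the topology (covering the sip.<domain> and bare domain names the note above says have to be added by hand), requests the CSR, and then dumps the request with certutil and flags any CN or DNS Name entry that still contains an upper-case letter. The same Test-CsrNameCase function can be pointed at a .req produced by the DigiCert utility in Option 2. It assumes the Lync Server Management Shell is loaded on a server that can read the topology; edge01.domain.com, the output path and the organization details are placeholders, and Test-CsrNameCase is a name chosen for this example.

```powershell
# Added example, not part of the original post. Assumes the Lync Server
# Management Shell is loaded; server name, paths and org details are placeholders.

# Lower-cased SIP domains from the topology, plus the sip.<domain> names the
# post notes -AllSipDomain leaves out and the bare domain used for XMPP federation.
$sipDomains = Get-CsSipDomain | ForEach-Object { $_.Name.ToLowerInvariant() }
$sanNames   = @()
foreach ($d in $sipDomains) {
    $sanNames += "sip.$d"
    $sanNames += $d
}
# -DomainName takes a comma-separated list of FQDNs
$domainNameArg = ($sanNames | Sort-Object -Unique) -join ","

$reqPath = "C:\Lync\LyncEdgeExternalCSR.req"
Request-CsCertificate -New -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication `
    -ComputerFqdn "edge01.domain.com" -Output $reqPath -Country US -State "Missouri" `
    -City "Saint Louis" -FriendlyName "Lync Edge External Cert" -KeySize 2048 `
    -PrivateKeyExportable $true -Organization "Mastering MS UC" -OU "IT" `
    -DomainName $domainNameArg

# Pre-submission check: decode the request with certutil and flag any CN or
# DNS Name entry containing an upper-case letter (-cmatch is case-sensitive).
function Test-CsrNameCase {
    param([Parameter(Mandatory)][string]$Path)

    $dump  = & certutil.exe -dump $Path 2>&1
    $names = foreach ($line in $dump) {
        if ($line -match '^\s*(CN|DNS Name)=(.+?)\s*$') { $Matches[2] }
    }
    $bad = @($names | Where-Object { $_ -cmatch '[A-Z]' })

    if ($bad.Count -gt 0) {
        Write-Warning ("Upper-case letters found in CSR names: " + ($bad -join ", "))
        return $false
    }
    Write-Host "All $(@($names).Count) CSR names are lower case"
    return $true
}

if (-not (Test-CsrNameCase -Path $reqPath)) {
    Write-Warning "Fix the names and regenerate the CSR before submitting it to the CA."
}
```

The check only looks at the subject CN and the DNS entries of the Subject Alternative Name extension, which is where the Lync names land; it is deliberately case-sensitive, because a case-insensitive match would hide exactly the problem this post is about.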


Summary


I have only encountered a few customers who use Comodo as their preferred public CA. However, I have started to see a trend of customers moving away from the better-known, and generally more expensive, CA providers for non-eCommerce services, so I wouldn't be surprised to see Comodo more often in the future. I find it rather odd that such a big bug would exist at a CA that has been around a while. Hopefully they get this sorted out, but until then we'll just have to use one of the methods above for Lync CSRs.

Related articles:
http://technet.microsoft.com/en-us/library/gg425723.aspx
