Option 1 - Generate the CSR via PowerShell
Lync External Web Services:
Request-CSCertificate -New -Type WebServicesExternal -ComputerFqdn fe01.domain.com -Output “C:\Lync\LyncWebExtCSR.req” -Country US -State “Missouri” -City “Saint Louis” -FriendlyName “Lync Web External Cert” -KeySize 2048 -PrivateKeyExportable $True -Organization “Mastering MS UC” -OU “IT”
NOTE: When running this command from one of the Front End servers, the ComputerFqdn parameter is not required. By using the correct "Type", the names will be properly calculated and output in lower case. The "DomainName" parameter is not needed.
Lync Edge External:
Request-CSCertificate -New -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication -ComputerFqdn edge01.domain.com -Output “C:\Lync\LyncEdgeExternalCSR.req” -Country US -State “Missouri” -City “Saint Louis” -FriendlyName “Lync Edge External Cert” -KeySize 2048 -PrivateKeyExportable $True -Organization “Mastering MS UC” -OU “IT” -DomainName “sip.domain.com, domain.com“
NOTE: On the Edge External CSR, for some reason the "AllSipDomain" parameter does not include all of the "sip.domain.com" names on the certificate typically used for Auto-configuration SRV records. Including the "-Type AccessEdgeExternal" also fails to include the "domain.com" names required for XMPP federation. You will want to add these names manually by using the "-DomainName" parameter in the cmdlet as shown above (if applicable).
Option 2 - Reissue an existing certificate to Comodo using the Digicert Certificate Utility
This process is a modification of the one covered by Jeff Schertz in his blog post here:
Using the process outlined by Jeff, we simple leverage the Digicert Certificate Utility to reissue an existing certificate which includes the desired names. The beauty of this method is that you get the opportunity to modify the names in the request to remove the capital letters before generating the CSR. You can then successfully submit the request to Comodo.
I have only encountered a few customers who use Comodo as their preferred public CA. However, I have started to see a trend of customers moving away from the more well-known, and generally more expensive CA providers for non-eCommerce services. So I wouldn't be surprised to see Comodo more often in the future. I find it rather odd that such a big bug would exist with a CA that has been around awhile. Hopefully they get this sorted out, but until then we'll just have to use one of the methods above for Lync CSRs.