Renew SSL Certificate on Lync Server

Hi Lync Expert,

Our Lync SSL certificate will be expiring next month. Could you please guide me through the step-by-step instructions on how to do the renewal? In the past, we purchased from GoDaddy, and now I have made payment for the renewal. The CSR has been submitted too and the certificate is available for download.

Thanks for your attention.

Regards,

Henry

February 9th, 2015 6:42am

The certificate renewal process varies by vendor; some require a complete resubmission of the CSR, others permit renewal with a few simple clicks after you sign in to their web site. For GoDaddy, the former is required.

Once you have received the renewed certificate (with private key), simply import it using the MMC / Certificate snap-in. A restart of the Lync services is recommended to verify functionality.

Thanks / rgds,

February 9th, 2015 8:41am

Here is a good guide from DigiCert:

https://www.digicert.com/ssl-certificate-installation-lync-2013.htm

Also works by importing it using MMC as Desmond mentioned.

February 9th, 2015 9:42am

Not sure of which process you'll go through; as Desmond notes, it varies by vendor, and I forget what process GoDaddy uses. But if you find yourself renewing it through the website, downloading it and installing it on the server, and seem to be missing the private key, there's a certutil command you can run to match the renewed cert up with the key from the previous cert.

certutil -repairstore my Serial Number

http://www.skypeadmin.com/2013/07/12/quick-tip-youve-renewed-your-lync-certificate-but-dont-have-a-private-key/

February 9th, 2015 10:39am

Hi Desmond,

Thanks for your reply.

You mentioned importing using the MMC / Certificate snap-in after receiving the certificate with private key. May I know how to check whether the cert comes with a private key or not?

Thanks.

Regards,

H

February 10th, 2015 6:05am

Hi There,

Thanks for the info about DigiCert. May I know what the difference is between deploying the new cert using MMC and using the Lync deployment wizard, like the steps provided by DigiCert? Which one is recommended?

From the Lync deployment wizard, we need to "assign" under the "external edge certificate", which is logical because the cert must be assigned to the edge part, which allows Lync to be accessed externally.

However, from the MMC snap-in, I found that previously the SSL cert was installed at 3 locations, which are under Personal, Intermediate Certification Authorities, and Other People. Does it mean that when I am deploying using the MMC snap-in, I need to import the SSL cert into those corresponding folders?

Thanks for your attention. I hope to get your advice soon.

Regards,

H

February 10th, 2015 6:25am

Hi,

If you have it ready, the easiest way is to import from MMC as provided in the DigiCert guide.

It should be imported under Local Computer - Personal - Certificates. No other folders should be needed, only the Personal folder.

Restart the deployment tool and assign the new cert. Then you will see the new cert on the list.

February 10th, 2015 3:36pm

You have to choose the computer private cert store for the public certificate.

Intermediate is only for the intermediate cert of GoDaddy.

If you import the cert, you should find the cert in the Lync deployment wizard for the assigning of the public cert.

Be sure you have imported the public cert with a private key.

February 10th, 2015 4:00pm

Hi there,

I am getting confused here. So should I deploy with MMC or the Lync deployment wizard? Or do I have to do both?

Thanks.

Regards,

H

February 12th, 2015 11:11am

I typically import the certificate with MMC and ensure it has a private key, but you'll use the Lync deployment wizard to assign it.
February 12th, 2015 11:16am

Hi Anthony,

Currently I have installed the cert that I downloaded from GoDaddy using the DigiCert utility, but it doesn't have a private key. I have managed to install the cert under Personal.

Now, should I export the cert from certmgr.msc, under Personal, and then assign the cert using the Lync deployment tool? Please advise.

Thanks.

Regards,
H

February 14th, 2015 7:46am

You have to import the certificate that you downloaded from GoDaddy into the same server that you generated the CSR from. And I assume that you put the private key option when generating the certificate. Without the private key, you cannot assign the certificate to the Edge services. And FYI, you need to import the cert from MMC to the Edge server and assign it by using the certificate wizard in the Lync deployment wizard.

February 14th, 2015 8:14am

Also, if you imported the renewed cert on the same server the old cert was on but don't have a private key, try the certutil -repairstore command I mentioned above using the serial number of the new cert, which can be found by double-clicking it and looking at the details.
February 14th, 2015 8:29am
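
Added example, not part of the original thread or any poster's reply: a PowerShell check of the local computer Personal store that reports, for each certificate, whether Windows holds a matching private key, and prints (without running) the certutil -repairstore command discussed above for any that do not. The $SubjectFilter value is an assumption to adjust; the Get-CsCertificate section only runs where the Lync Server Management Shell is present.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the server where the renewed certificate was imported.

# Assumption: wildcard matched against the certificate Subject; narrow it to
# your own edge or pool name (for example '*lync*') to shorten the output.
$SubjectFilter = '*'

# Local Computer > Personal > Certificates is exposed as Cert:\LocalMachine\My.
$report = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $SubjectFilter } |
    Sort-Object NotAfter |
    Select-Object Subject, SerialNumber, Thumbprint, NotAfter, HasPrivateKey

$report | Format-List

# HasPrivateKey is $false when only the public certificate was imported.
# Such a certificate cannot be assigned to a Lync service.
$missingKey = @($report | Where-Object { -not $_.HasPrivateKey })

foreach ($cert in $missingKey) {
    Write-Warning "No private key for: $($cert.Subject) (expires $($cert.NotAfter))"

    # Print the repair command for review instead of executing it. It only
    # succeeds on the machine that generated the CSR, because that is where
    # the matching private key is stored.
    Write-Output ('certutil -repairstore my "{0}"' -f $cert.SerialNumber)
}

if ($missingKey.Count -eq 0) {
    Write-Output 'Every matching certificate has a private key on this server.'
}

# Where the Lync Server Management Shell is loaded, show which certificate is
# currently assigned to each use, so the thumbprint can be compared with the
# renewed certificate before and after assignment in the deployment wizard.
if (Get-Command -Name Get-CsCertificate -ErrorAction SilentlyContinue) {
    Get-CsCertificate |
        Select-Object Use, Thumbprint, NotAfter |
        Format-Table -AutoSize
}
```

After the wizard assigns the renewed certificate, the thumbprint reported by Get-CsCertificate should match the new entry in the store listing rather than the expiring one.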

Hi Anthony,

The private key should already be in. That's because when I double-clicked the cert that I installed using the DigiCert utility into the computer account Personal certificates, there is a message below that mentions "you have private keys that correspond to this certificate" and the certificate status is "OK".

What should I do next? Should I use the DigiCert utility to export the certificate, which includes the private key in the form of a .pfx, and then assign the cert using the Lync deployment wizard?

Please advise again.

Thanks.

Regards,

H

February 14th, 2015 9:34am

Ahhhh, I understand. All you need to do now is go into the deployment wizard and assign it by hitting the assign button; no need to import it as it's already there.
February 14th, 2015 10:33am

This topic is archived. No further replies will be accepted.
