
Renewing Certificates in Skype for Business Server 2015

1/25/2016


Coming back to the office after the year-end holidays, like most people, I found that the Skype4B clients, IP phones and video endpoints could no longer register with the Skype4B Front End pool. Time passes quickly, and the certificates created and assigned during installation do expire: when they come from an internal Windows CA, the default Web Server template gives them a two-year validity, so a pool installed two years ago falls over on its anniversary. This article walks through renewing the Front End (FE) certificates to get the system back to normal.
First and foremost, the client error message displayed during sign-in was rather misleading, as the problem was not DNS at all. I suspect this was because the deployment is a hybrid setup, with some users homed on-premises and others online in Office 365. A quick check confirmed that the lyncdiscover.domain.com and lyncdiscoverinternal.domain.com records, as well as the fallback SRV record _sipinternaltls._tcp.domain.com, correctly pointed to the on-premises FE pool. Users homed online are simply redirected to the Office 365 pool after they first hit the on-premises servers. With DNS ruled out, the next place to look is the FE servers themselves.
The first thing noticed after logging into the FE servers was that the Skype for Business Front-End service was not running on the FE servers, so there was no routing group quorum and the pool, which in this case comprises 3 FE servers, could not come up. Recall that for a pool of 3 FE servers, all 3 servers must be started for the pool to reach routing group quorum and start.
At this stage, running step 3 of the Deployment Wizard, "Request, Install or Assign Certificates", showed that the Default certificate was flagged as missing, along with the OAuthTokenIssuer certificate.
To verify that the certificates had indeed expired, we open the Certificates MMC snap-in for the local computer and confirm that the Default certificate expired on 3 Jan 2016, while the OAuthTokenIssuer certificate had expired earlier, on 26 Dec 2015.
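As an added example (not from the original post), the three checks above, DNS records, Front End service state and certificate expiry, as one triage script for the Skype for Business Server Management Shell. The SIP domain, pool FQDN and warning window are placeholders; Get-CsCertificate reports the certificates assigned on the server it runs on, so run it on each FE for the per-server Default certificate.

```powershell
# Added triage script (not from the original post). Run in the Skype for Business Server
# Management Shell on a Front End server. Values below are placeholders for your environment.
$SipDomain = 'domain.com'          # assumed SIP domain
$PoolFqdn  = 'fepool.domain.com'   # assumed Front End pool FQDN
$WarnDays  = 30                    # warn this many days before a certificate expires

# 1. The sign-in error blames DNS, so rule that out first. Lyncdiscover records and the
#    internal SIP SRV record should all resolve to the on-premises pool.
foreach ($name in "lyncdiscover.$SipDomain", "lyncdiscoverinternal.$SipDomain") {
    Resolve-DnsName -Name $name -ErrorAction SilentlyContinue |
        Select-Object Name, Type, NameHost, IPAddress
}
Resolve-DnsName -Name "_sipinternaltls._tcp.$SipDomain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'SRV' |
    Select-Object Name, NameTarget, Port, Priority, Weight

# 2. Is the Front End service (RTCSRV) running on every member of the pool?
#    A 3-server pool needs all 3 up to reach routing group quorum.
foreach ($fe in (Get-CsPool -Identity $PoolFqdn).Computers) {
    Get-CsWindowsService -Name RTCSRV -ComputerName $fe |
        Select-Object @{n = 'Server'; e = { $fe }}, Name, Status
}

# 3. Which assigned certificates are expired or about to expire? Use is the role
#    (Default, WebServicesInternal, WebServicesExternal, OAuthTokenIssuer).
$now = Get-Date
Get-CsCertificate |
    Select-Object Use, Subject, Thumbprint, NotAfter,
        @{n = 'DaysLeft'; e = { [int]($_.NotAfter - $now).TotalDays }} |
    Sort-Object NotAfter |
    ForEach-Object {
        if ($_.NotAfter -lt $now) {
            Write-Warning "$($_.Use): EXPIRED on $($_.NotAfter)"
        } elseif ($_.DaysLeft -le $WarnDays) {
            Write-Warning "$($_.Use): expires in $($_.DaysLeft) days"
        }
        $_
    } | Format-Table -AutoSize
```

The expiry part is worth scheduling on its own, with a longer window than 30 days, so the renewal happens before the pool loses quorum rather than after the holidays.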
To resolve this, go back to the Certificate Wizard within the Deployment Wizard, select the three checkboxes under "Default certificate" (Default, Web services internal and Web services external) and click "Request".
This brings up the Certificate Request page, where we fill in the relevant details (friendly name, organization and location) and select one or all of the SIP domains we want a SAN entry for. The SAN list is populated automatically from the SIP domains selected. Click "Next" to continue.
The subsequent steps are straightforward; click "Next" through them until the certificate has been requested, installed and assigned.
Once the assignment completes, we return to the Certificate Wizard and should see a green check mark against the new Default FE certificate, with an expiry date 2 years from today.
This completes the renewal of the Default certificate on FE1. The same must now be done on FE2 and FE3, and since the steps are identical they are not repeated here. Next, we renew the OAuthTokenIssuer certificate used for server-to-server authentication. This certificate is global to the deployment (it is stored in the Central Management Store and replicated to every server), so unlike the Default certificate it only needs to be requested and assigned once. In the Certificate Wizard, select the OAuthTokenIssuer certificate and click "Request" to begin.
The next screen looks similar to the previous request, except that the SAN list is fixed and cannot be changed.
The subsequent steps are also straightforward; click "Next" to continue.
After assigning the OAuthTokenIssuer certificate, we are returned to the Certificate Wizard and this time every certificate shows a green check mark.
Finally, we are ready to start the FE pool. The easiest way, instead of rebooting all 3 FE servers by hand, is to open the Skype for Business Server Management Shell on one of the FE servers and run Start-CsPool with the pool FQDN. The process takes several minutes and the window prints status updates as it goes. There is no need to panic over "Failed" messages at this stage; simply wait for the pool to finish its startup sequence.
Once startup completes, all 3 FE servers show a status of "Running", a good indication that everything went smoothly.
At this point our Skype4B FE pool is up and running and we can once again sign in from the Skype4B clients, IP phones and video endpoints. As can be seen, renewing expired certificates on the FE pool is not as difficult as it may seem; the harder part is tracking the expiry dates so the renewal happens before the pool goes down.
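The Certificate Wizard steps and the pool start above, as an added example in Management Shell cmdlets (this is not code from the original post). It assumes an online enterprise CA reachable from the Front End; the CA path, friendly names, organization fields and pool FQDN are placeholders.

```powershell
# Added example (not from the original post): the wizard's Default and OAuthTokenIssuer
# requests, assignment and pool start as cmdlets. Run on a Front End server.
$CA           = 'ca01.domain.com\Domain-Issuing-CA'   # assumed "<CA host FQDN>\<CA common name>"
$PoolFqdn     = 'fepool.domain.com'                    # assumed Front End pool FQDN
$DefaultTypes = 'Default', 'WebServicesInternal', 'WebServicesExternal'  # the three "Default certificate" boxes
$Stamp        = Get-Date -Format 'yyyy-MM-dd'

function Get-IssuedThumbprint {
    # Fallback lookup by friendly name in the machine store (newest cert with a private key),
    # in case the Request-CsCertificate output does not carry a Thumbprint.
    param([string]$FriendlyName)
    (Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1).Thumbprint
}

# 1. Default certificate. Repeat this step on FE2 and FE3; each server gets its own key pair.
#    -AllSipDomain fills the SAN list from every SIP domain, as ticking all SIP domains in the
#    wizard does. The private key is left non-exportable: nothing needs to copy it off this box.
$friendly = "Default $Stamp"
$default  = Request-CsCertificate -New -Type $DefaultTypes -CA $CA -Online `
    -FriendlyName $friendly -AllSipDomain -KeySize 2048 `
    -Organization 'Contoso' -OU 'IT' -Country 'US'
$thumb = if ($default.Thumbprint) { $default.Thumbprint } else { Get-IssuedThumbprint $friendly }
Set-CsCertificate -Type $DefaultTypes -Thumbprint $thumb

# 2. OAuthTokenIssuer. Global to the deployment (kept in the Central Management Store and
#    replicated to every server), so request and assign it once only. Its SAN list is fixed.
#    The wizard marks this key exportable because the CMS distributes the certificate with its key.
$friendly = "OAuthTokenIssuer $Stamp"
$oauth    = Request-CsCertificate -New -Type OAuthTokenIssuer -CA $CA -Online `
    -FriendlyName $friendly -PrivateKeyExportable $true -KeySize 2048 `
    -Organization 'Contoso' -OU 'IT' -Country 'US'
$thumb = if ($oauth.Thumbprint) { $oauth.Thumbprint } else { Get-IssuedThumbprint $friendly }
Set-CsCertificate -Type OAuthTokenIssuer -Thumbprint $thumb

# 3. Refuse to start the pool while anything assigned is still expired, then cold-start it
#    from this server instead of rebooting all three.
$expired = Get-CsCertificate | Where-Object { $_.NotAfter -lt (Get-Date) }
if ($expired) { throw "Still assigned and expired: $($expired.Use -join ', ')" }

Start-CsPool -PoolFqdn $PoolFqdn   # takes several minutes; transient "Failed" lines are normal
foreach ($fe in (Get-CsPool -Identity $PoolFqdn).Computers) {
    Get-CsWindowsService -Name RTCSRV -ComputerName $fe |
        Select-Object @{n = 'Server'; e = { $fe }}, Name, Status
}
```

Step 1 has to run on every Front End before Start-CsPool, since a member whose Default certificate is still expired will not bring its Front End service up and the pool will not reach quorum.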
14 Comments
Vinicius
8/4/2016 08:53:58 am

Nice, you make me deploy a local certificate beside a public certificate... Nice step by step ... mess with my sfb deployment.

Reply
Brennon
8/5/2016 12:05:14 am

Hi Vinicius

These steps are for renewing the internal Skype for Business certificates using an internal CA. If you are using a public certificate for your front-end servers then the steps will be slightly different.

Reply
AH
11/21/2018 04:54:37 am

No one is making you do anything here..

Reply
AH
11/21/2018 04:57:01 am

Many thanks for this.

Had an issue where both the Default certificate + OAuthTokenIssuer certs had expired. Having no experience of skype for business this helped me to get them renewed and assigned!

Reply
Yuri Costa
3/4/2020 05:42:48 am

I had a problem with certificates from lync this morning and your article helped.

Thanks a lot.

Reply
Kiki Biancatti
4/5/2020 04:06:48 pm

Hey! This helped me a lot, thanks.

Reply
E
7/20/2020 11:47:45 pm

Thanks, it helps.

Reply
Baqir Abbas
10/23/2020 03:07:52 pm

Your post made my day, thanks.

Reply
Kashif Saeed
6/7/2021 12:30:43 am

Hi,
Thank you for sharing a detailed step-by-step approach. I have deployed an Edge Pool and a Front End Pool. What is the process to update the certificates on both the FE and the Edge pool? Do I update the FE first and then export with the private key and import on the Edge pool?

Reply
Brennon
6/8/2021 09:46:42 pm

The certificates on FE and Edge do not share the same private key. These are independent certificates, usually issued by an internal CA for the FE Pool and Edge internal, and by an external public CA for Edge external. You can update the certs on either Pool first; it does not really matter. You can refer to this post for additional info on Edge certs: https://www.ucprimer.com/deploying-lync2013-edge-coexistence.html

Reply
Ron Kauffman
9/5/2021 02:43:40 pm

We are still using S4B 2015, and the Internal certificates expired today. Your blog post was great in helping with renewing.

Thanks

Ron

Reply
Ally
9/15/2021 01:00:42 pm

Hi, can you please add a procedure for renewing SSL certificates on Skype FEs and Edge servers? I got the certificates from Digicert. Thanks

Reply
Brennon
9/24/2021 09:59:33 pm

Hi Ally

If you got your certs from Digicert, the process is slightly different. You import the certs into IIS on your FE servers; this completes the CSR process, so your FE servers will now have both the public and private keys. After successfully importing the certs into IIS, simply run the SFB Certificate Wizard and select the newly imported certs. Then restart the pool and you should be good to go!

Reply
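The public-CA flow from the two comments above, as an added example in Management Shell cmdlets (not code from the post or from the commenters). It generates the CSR on the Front End, completes it with the certificate the CA returns, and assigns it; the file paths, friendly name and organization fields are placeholders. Import-CsCertificate is used here in place of completing the request in IIS, which it is equivalent to for this purpose.

```powershell
# Added example (not from the original post): renewing the Default certificate with a
# certificate issued by a public CA. Run in the Skype for Business Server Management Shell
# on the Front End that will use the certificate. Paths and names are placeholders.
$Types    = 'Default', 'WebServicesInternal', 'WebServicesExternal'
$Friendly = 'Default (public CA)'
$ReqFile  = 'C:\Certs\fe01-default.req'   # CSR to submit to the CA
$CerFile  = 'C:\Certs\fe01-default.cer'   # issued certificate returned by the CA

# 1. Generate the CSR on the server that will hold the key. The private key is created here
#    and never leaves the machine; only the request file goes to the CA. The SAN list comes
#    from the topology's SIP domains, as in the wizard.
Request-CsCertificate -New -Type $Types -Output $ReqFile -FriendlyName $Friendly `
    -AllSipDomain -KeySize 2048 -Organization 'Contoso' -Country 'US'
Write-Host "Submit $ReqFile to the CA, save the issued certificate as $CerFile, then continue."

# 2. Complete the pending request with the issued certificate. Install the CA's intermediate
#    certificate(s) in the machine's Intermediate Certification Authorities store first, or
#    Windows cannot build a trusted chain for it.
Import-CsCertificate -Path $CerFile | Out-Null

# 3. Take the thumbprint from the issued file itself, then insist that the copy in the local
#    store has the private key: if it does not, the CSR was generated somewhere else and
#    Set-CsCertificate would assign a certificate the server cannot use.
$thumb     = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile).Thumbprint
$installed = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
if (-not $installed -or -not $installed.HasPrivateKey) {
    throw "Certificate $thumb has no private key on this server; generate the CSR on the FE that will use it."
}
Set-CsCertificate -Type $Types -Thumbprint $thumb
```

If the CA instead delivered a PFX containing the private key, skip step 1 and import it with Import-CsCertificate -Path <file.pfx> -PrivateKeyExportable $false; the same private-key check in step 3 then applies before assignment.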
Jamie
11/23/2021 07:35:20 am

Just letting you know the SOP is still helping people. I have a closed, stand-alone system that I run for work, though I'm not technically the IT person for it. I couldn't get Skype to work, until I figured out it was an expired certificate. Following your steps, I was able to renew the cert and now everything's working. Thanks!

Reply