With all of the improvements that have happened in the deployment process for Lync Server 2010/2013, certificates are still listed as the #1 issue, although personally I almost never see those issues. Well, today's quick tip is one of those certificate issues that I had not yet seen, and it certainly isn't "normal".
Someone CNG’ed my Cert
The issue was clear. Upon trying to assign the certificate to my front-end pool I was met with this error:
A quick search told me the issue was certificate related. At first I thought the problem was that this certificate didn't match all of the names Lync thought should be on it (there is a SIP domain that isn't going to be used, but of course lyncdiscover.thatdomain.com still shows up on the list of desired names). After verifying that wasn't our problem, I started hunting around.
I remembered this blog post from Pat Richard about being unable to download the address book. I won't rehash the entire post (you should read it), but essentially the issue is that certificates requested through newer templates and enrollment defaults (Windows Server 2008 and later) get their private key generated in a CNG (Cryptography Next Generation) Key Storage Provider rather than a legacy CSP, and Lync cannot use a CNG key. His looks like a Lync 2010 deployment, so maybe that is why he was able to apply his cert and I wasn't; not sure on that one. Pat details that if you run this command:
certutil -v -store my "18 3b 41 c3 00 01 00 00 1f 9b"
Where "18 3b 41 c3 00 01 00 00 1f 9b" is the serial number of your certificate (certutil also accepts the thumbprint or subject name as the match token), you will get back the detailed information about the certificate. It dumps a lot to the screen, but you are looking for the private-key lines near the end of the output:
The last line is the one you care about, KeySpec. If the private key lives in a CNG Key Storage Provider, the Provider line will typically read "Microsoft Software Key Storage Provider", the KeySpec field will be blank (or missing), and the certificate will fail when you attempt to assign it to Lync services. If the key is in a legacy CSP (and the cert is therefore usable), you will see KeySpec = 1 -- AT_KEYEXCHANGE as the value.
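The certutil check above works one certificate at a time. As an added example (not from the original post or from Pat Richard's), the following PowerShell function walks the computer's Personal store and reports, for every certificate with a private key, whether that key sits in a CNG Key Storage Provider or a legacy CSP. It assumes Windows PowerShell 3.0 or later on the Lync server; the exact type check needs .NET 4.6 or later, and on older frameworks it falls back to the legacy X509Certificate2.PrivateKey property, which only understands CSP keys, so a null or an exception there is treated as an inferred CNG key.

```powershell
# Added example, not from the original post: report CNG (KSP) versus legacy CSP private keys
# for every certificate in Cert:\LocalMachine\My. Lync 2010/2013 can only use the CSP ones.
function Get-CertificateKeyProviderType {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # the store Lync assigns certificates from
    )

    # Present on .NET 4.6+, $null on older frameworks
    $rsaExt = 'System.Security.Cryptography.X509Certificates.RSACertificateExtensions' -as [type]

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert     = $_
        $provider = $null
        $keyType  = 'Unknown'

        try {
            if ($rsaExt) {
                # GetRSAPrivateKey returns RSACng for KSP keys and RSACryptoServiceProvider for CSP keys
                $key = $rsaExt::GetRSAPrivateKey($cert)
                if ($key -is [System.Security.Cryptography.RSACng]) {
                    $keyType  = 'CNG'
                    $provider = $key.Key.Provider.Provider
                } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $keyType  = 'CSP'
                    $provider = $key.CspKeyContainerInfo.ProviderName
                }
            } else {
                # Older .NET: PrivateKey only knows how to open CSP keys. A $null result
                # (or an exception) is a strong hint that the key is in a KSP.
                $key = $cert.PrivateKey
                if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $keyType  = 'CSP'
                    $provider = $key.CspKeyContainerInfo.ProviderName
                } else {
                    $keyType = 'CNG (inferred)'
                }
            }
        } catch {
            $keyType = 'CNG (inferred: ' + $_.Exception.Message + ')'
        }

        [pscustomobject]@{
            Subject      = $cert.Subject
            SerialNumber = $cert.SerialNumber
            Thumbprint   = $cert.Thumbprint
            KeyType      = $keyType
            Provider     = $provider
            LyncUsable   = ($keyType -eq 'CSP')
        }
    }
}

# Usage: show only the certificates Lync will refuse to assign
Get-CertificateKeyProviderType | Where-Object { -not $_.LyncUsable } | Format-Table -AutoSize
```

Run it from an elevated prompt, since the computer store's private-key metadata is not readable by a standard user. A certificate that shows up as CNG here is the one that will throw the assignment error above; the SerialNumber column gives you the value to feed to certutil -v -store my if you want to see the raw Provider/KeySpec lines for it.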
Change That Cert
So the issue has been found. The solution could be easy: simply reissue the certificate, this time requesting it with a legacy CSP key (a fresh request from the same CNG template would land you right back here). The problem is that in some organizations a reissue of a certificate can take a VERY LONG TIME! So my goal was to change the certificate without having to reissue it. This is where OpenSSL comes in.
These steps essentially remove the CNG (crypto folks will hate that I just made it sound so trivial). To be a little more precise: CNG is not a property of the certificate itself but of how Windows stores its private key. A PFX exported from a CNG key carries a Microsoft-specific attribute naming the Key Storage Provider, and on import Windows honours it. Round-tripping the PFX through OpenSSL drops that attribute, so when the converted PFX is imported Windows places the same key in a legacy CSP, which is what Lync expects. The key material itself is unchanged.
1. Download and install OpenSSL on your computer. It's a powerful package, so you should have it anyway.
2. Export your certificate with its private key. This can be done via MMC | Certificates. If you didn't mark your cert as exportable when you issued it, you have committed the first sin of Lync deployments. Always mark your certs as exportable. Keep in mind that an exportable key is also one an attacker with access to the box can walk off with, so treat the exported PFX (and every intermediate file below) as a secret and clean it up when you are done.
3. Convert the PFX to PEM. Open CMD, browse to the OpenSSL install directory (or its bin folder) and run:
openssl.exe pkcs12 -in lynccert.pfx -out lynccert.pem -nodes
It will prompt you for the PFX password. Note that -nodes writes the private key to lynccert.pem unencrypted, so delete that file once the conversion is finished. If you are on an OpenSSL 3.x build and it refuses the older RC2-based encryption Windows used for the export, add -legacy to the command.
4. Convert the PEM back to PFX.
openssl.exe pkcs12 -export -in lynccert.pem -out lynccert_no_cng.pfx
It will ask you to set (and confirm) a new export password; this file contains your private key, so use a real one. If the Lync server runs Windows Server 2008 R2 and you exported with OpenSSL 3.x, add -legacy here as well, because that OS cannot import the AES/PBKDF2-protected PFX that OpenSSL 3.x produces by default.
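The four steps above as one script, added here as an example and not part of the original post or Pat Richard's. It assumes OpenSSL for Windows is installed (the path is an assumption; adjust it), that lynccert.pfx is the PFX exported from MMC with its private key, and that you run it from an elevated PowerShell prompt on the Lync server. It removes the plaintext PEM in all cases, checks each openssl exit code, and after import uses the post's own certutil check to confirm that KeySpec now appears before you delete anything. Import-PfxCertificate exists on Windows Server 2012 and later; on 2008 R2 import through the MMC instead and run only the certutil verification.

```powershell
# Added example, not from the original post: strip the CNG key attributes by
# round-tripping the PFX through OpenSSL, then import and verify the result.

function Convert-PfxToLegacyCsp {
    param(
        [Parameter(Mandatory)][string]$InputPfx,      # PFX exported from MMC with private key
        [Parameter(Mandatory)][string]$OutputPfx,     # converted PFX to import afterwards
        [string]$OpenSsl = 'C:\OpenSSL-Win64\bin\openssl.exe',   # assumed install location
        [switch]$Legacy   # OpenSSL 3.x: needed to read RC2-encrypted Windows exports and to
                          # produce a PFX that Windows Server 2008 R2 can import
    )
    if (-not (Test-Path $OpenSsl)) { throw "OpenSSL not found at $OpenSsl" }

    $pem       = [System.IO.Path]::ChangeExtension($OutputPfx, '.pem')
    $legacyArg = if ($Legacy) { @('-legacy') } else { @() }

    try {
        # Step 3: PFX -> PEM. -nodes writes the private key UNENCRYPTED to $pem, which is
        # why the finally block below deletes it. openssl prompts for the PFX password.
        & $OpenSsl pkcs12 -in $InputPfx -out $pem -nodes @legacyArg
        if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 (pfx -> pem) failed, exit code $LASTEXITCODE" }

        # Step 4: PEM -> PFX. openssl prompts for a new export password. The Microsoft
        # CSP-name attribute pointing at the Key Storage Provider is not carried over,
        # so Windows will put the re-imported key in a legacy CSP.
        & $OpenSsl pkcs12 -export -in $pem -out $OutputPfx @legacyArg
        if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 (pem -> pfx) failed, exit code $LASTEXITCODE" }
    } finally {
        # Never leave the plaintext key on disk
        if (Test-Path $pem) { Remove-Item -Path $pem -Force }
    }
    Get-Item -Path $OutputPfx
}

function Import-PfxAndVerifyKeySpec {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][System.Security.SecureString]$Password
    )
    # Import into the computer Personal store, exportable so this can be repeated if needed
    $cert = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation 'Cert:\LocalMachine\My' `
                                  -Password $Password -Exportable

    # Same check as the post: a CSP key shows "KeySpec = 1 -- AT_KEYEXCHANGE",
    # a CNG key shows a Key Storage Provider line and no KeySpec at all.
    $lines = certutil -v -store my $cert.SerialNumber | Select-String -Pattern 'Provider|KeySpec'
    $lines | ForEach-Object { $_.Line }
    if (-not ($lines | Where-Object { $_.Line -match 'KeySpec\s*=\s*1' })) {
        throw "Imported key still has no KeySpec; do not delete the old certificate yet"
    }
    $cert
}

# Usage
$converted = Convert-PfxToLegacyCsp -InputPfx .\lynccert.pfx -OutputPfx .\lynccert_no_cng.pfx
Import-PfxAndVerifyKeySpec -PfxPath $converted.FullName `
                           -Password (Read-Host -AsSecureString 'Export password set in step 4')
```

Only after Import-PfxAndVerifyKeySpec returns the certificate with a KeySpec line should you remove the old CNG-backed copy from the store; until then the server still has a working (if un-assignable) certificate and nothing has been lost.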
At this point you can go back to the MMC, import the newly "converted" PFX into the computer's Personal store, and run the certutil check again to confirm that KeySpec = 1 -- AT_KEYEXCHANGE now shows up. Only then delete the old CNG-backed certificate, and delete lynccert.pem as well. Hope that helps someone else along the way.