How to Change the Certificate Store Used for Lync Client Certificates

Update 3/12/18 - Clarified the options for the registry setting (HKLM or HKCU).

I've gotten this question from time to time from customers about the certificate that Lync issues to users and it showing up in the certificate picker for users.  The Lync server issues a certificate to the clients with the Client Authentication Enhanced Key Usage (EKU), so the certificate can sometimes show up in the certificate picker in Windows.  This can cause confusion for users on which certificate they should pick.  Since the certificate from Lync isn't issued from the corporate PKI environment, it's not trusted by anything other than the Lync server, so choosing it can really cause some issues:

If you open up the certificates MMC for the user and take a look at the Personal certificate store, you'll see both certificates that were shown in the certificate picker:

You can actually change the certificate store that the Lync certificate is kept in.  In order to make the change, you will need to sign out of Lync and select "Delete my sign-in info":

You can create this registry entry either under HKCU or HKLM. If you use HKCU, you will need to completely exit the client and re-open it for the change to go into effect. If you use HKLM, you will need to reboot the machine for the change to go into effect. Open the Registry Editor and navigate to:

For Lync 2013/Skype for Business 2015:

HKLM\Software\Policies\Microsoft\Office\15.0\Lync

or

HKCU\Software\Policies\Microsoft\Office\15.0\Lync

For Skype for Business 2016:

HKLM\Software\Policies\Microsoft\Office\16.0\Lync

or

HKCU\Software\Policies\Microsoft\Office\16.0\Lync

Create a new DWORD named UseLyncCertStore with a value of 1:

Sign back into the Lync client and if you now look in the Personal certificate store, you'll notice that the certificate issued by the Lync server isn't shown:

That's because there's now a new certificate store called LyncCertStore that contains the certificate:

Now when the user gets the certificate picker, only their user certificate is shown:

This should help to alleviate some confusion for users about which certificate to choose.
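The registry change and the before/after check of the certificate stores can be scripted. The following PowerShell is an added example, not part of the original post: the parameter names and the `Get-ClientAuthCert` helper are hypothetical, and it assumes the LyncCertStore store appears under the current user's certificate location, as the certificates MMC steps above suggest. Signing out with "Delete my sign-in info" and restarting the client (or rebooting, for HKLM) remain manual steps.

```powershell
# Added example: set UseLyncCertStore, or audit which client-auth certificates
# sit in the Personal store versus LyncCertStore.
param(
    [ValidateSet('HKCU', 'HKLM')] [string]$Hive = 'HKCU',          # HKLM needs an elevated session
    [ValidateSet('15.0', '16.0')] [string]$OfficeVersion = '16.0', # 15.0 = Lync 2013 / SfB 2015
    [switch]$AuditOnly                                             # report only, change nothing
)

$keyPath = "${Hive}:\Software\Policies\Microsoft\Office\$OfficeVersion\Lync"

if (-not $AuditOnly) {
    # Create the policy key if it does not exist yet, then write the DWORD.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name 'UseLyncCertStore' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Report the current policy value, if any.
$policy = Get-ItemProperty -Path $keyPath -Name 'UseLyncCertStore' -ErrorAction SilentlyContinue
if ($policy) { "UseLyncCertStore = $($policy.UseLyncCertStore) at $keyPath" }
else         { "UseLyncCertStore is not set at $keyPath" }

# OID of the Client Authentication EKU that makes a certificate eligible
# for the Windows certificate picker.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-ClientAuthCert {
    param([string]$StorePath)
    if (-not (Test-Path -Path $StorePath)) {
        Write-Warning "$StorePath does not exist"
        return
    }
    # Certificates with no EKU extension are not listed here.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } |
        Select-Object @{ n = 'Store'; e = { $StorePath } }, Subject, Issuer, NotAfter, Thumbprint
}

# Before the change the Lync-issued certificate shows up under My (Personal);
# after signing back in it should only appear under LyncCertStore.
# Assumption: LyncCertStore lives in the CurrentUser location.
Get-ClientAuthCert -StorePath 'Cert:\CurrentUser\My'
Get-ClientAuthCert -StorePath 'Cert:\CurrentUser\LyncCertStore'
```

Run it once to set the value, then again with `-AuditOnly` after signing back in; any certificate still listed under `Cert:\CurrentUser\My` whose issuer is not the corporate PKI is a leftover that can still appear in the picker.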

Comments

  • Anonymous
    May 31, 2015
    excellent
    thanks
  • Anonymous
    October 13, 2015
    This also solves an issue where a Lync 2010 certificate in the user's personal store causes a 'The server cannot validate the certificate' error on first launch of Lync 2013.
    Thank you.
  • Anonymous
    October 27, 2015
    Hello Doug! Does this work for Lync 2010 as well?
  • Anonymous
    October 29, 2015
    @Anuraag Kate

    Not that I'm aware of.
  • Anonymous
    November 03, 2015
    Hi Doug, do you know if this will work for Skype for Business 2016?
    I can't find that registry key for Skype for Business 2016.
  • Anonymous
    November 05, 2015
    It was not working for Lync 2010. Does anyone have an idea about how to implement it for Lync 2010?
  • Anonymous
    November 08, 2015
    Hi Doug - Just following up on my previous comment. I wanted to see if you had any idea how to do this for Skype for Business 2016. Any help would be greatly appreciated!
  • Anonymous
    November 19, 2015
    @Allen Stalker

    I just tried with the Skype for Business 2016 client and it still works. I placed the value in HKLM\Software\Policies\Microsoft\Office\16.0\Lync. I didn't try with HKCU, but my guess is that it should work there as well.
  • Anonymous
    November 19, 2015
    @EUC

    I'm not aware of a way to do this with the Lync 2010 client.
  • Anonymous
    March 22, 2017
    Thank you very much! You solved my issue!
  • Anonymous
    June 08, 2017
    How about Windows 10? There is no such container Lync CertStore in certmgr.msc
    • Anonymous
      June 15, 2017
      I have the LyncCertStore folder on my Windows 10 machine.
  • Anonymous
    November 03, 2017
    Hello Doug, what causes this issue? In the end, getting a user certificate prompt is not ideal. How to avoid that?