Request/Renewing Skype for Business Server 2015 Certificates

Here are the steps to request or renew certificates in Skype for Business Server 2015.

Most of the steps are similar to Lync Server 2010/2013, so to start let's go to the well-known Deployment Wizard Step 3 and click Run or Run Again (depending on if you are requesting for the first time or renewing the certificates).

skype4b-reqcert01

Now, in Certificate Wizard, we select the proper certificate and then click Request:

skype4b-reqcert02

The Certificate Request wizard will open and we can notice that this user interface changed from Lync Server 2010/2013. Now we have all the basic information to request a certificate consolidated in a single window:

skype4b-reqcert03

Note: In the Edge Server, the certificate request is the same as in Lync Server 2010/2013, therefore we don't have the new consolidated view.

We can use the Advanced mode (also known as old Lync Server 2013 mode), in case we need to specify one of the following settings:

  • Create an Offline Request

skype4b-reqcert04

  • Specify another CA

skype4b-reqcert05

  • Specify different CA credentials

skype4b-reqcert06

  • Use a different Certificate Template

skype4b-reqcert07

  • Change key bit length and/or Mark the certificate private key as exportable

skype4b-reqcert08

  • Add additional SAN names

skype4b-reqcert09

After that, we will return to the initial Certificate Request screen. Don’t forget to select the SIP Domains served by this server:

skype4b-reqcert10

In the next screen, check if all the details are correct:

skype4b-reqcert11

If the certificate request is successful, we get Task status: Completed:

skype4b-reqcert12

Continuing with our request, select the Assign this certificate to Skype for Business Server certificate usages option:

skype4b-reqcert13

Note: Before requesting a new certificate, we need to make sure that the Root CA certificate is installed in the Trusted Root Certification Authorities under the Local Computer Certificate Store:

skype4b-reqcert14

The Certificate Assignment wizard will be launched, and we can view the details or continue:

skype4b-reqcert15

Before assigning the certificate, we need to verify the details:

skype4b-reqcert16

Task status: Completed confirms that the certificate was correctly assigned:

skype4b-reqcert17

We have just assigned the new certificate, so all we need now is to restart the services on the Front End. In case we have a Front End Enterprise Pool, keep in mind that we need to check if there are enough Front End servers running before restarting the services. In order to do this, simply use the Get-CsUpdatePoolReadiness.

Finally, if there are enough Front End servers to keep the pool running, we can proceed and restart the services with the following cmdlets:

Stop-CsWindowsService
Start-CsWindowsService

Comments

  • Anonymous
    January 01, 2003
    You will need to create a template based on Web Server and use it to request the Skype4B certificates. You can use a different certificate template by using the Advanced Mode.
  • Anonymous
    May 17, 2015
    The comment has been removed
  • Anonymous
    May 28, 2015
    I have been using custom certificate template such as web server template my question is : What is maximum validity period for internal skype certificate ? 5 or 10 years ? thanks
  • Anonymous
    June 04, 2015
    I recommend to use 5 years because we get a warning when we assign a certificate that is valid for more than 5 years, .
  • Anonymous
    June 04, 2015
    Thank you for the awesome article. If you are renewing a third party ssl cert, I would imagine the process is the same up until I generate the request. I would till need to get the cert signed by digicert before i assign correct?
  • Anonymous
    June 05, 2015
    If you are renewing the Front End certificates you need to use the Advanced Mode and select "Prepare the request now, but send it later". The process in Edge Servers is similar to Lync Server 2010/2013.
  • Anonymous
    June 05, 2015
    Thank you David!
  • Anonymous
    October 21, 2015
    Hi There,If we are renewing the SSL as a wilcard for use with exchange, can this simply be added to the Skype for Business server without requested a new cert?Or if it wasn't a wildcard could we just add the SAN names to an existing 3rd party SSL and apply to the Skype server
  • Anonymous
    March 13, 2016
    The comment has been removed
    • Anonymous
      March 14, 2016
      The comment has been removed
  • Anonymous
    May 12, 2017
    Is it possible to use the Skype Certificate Wizard (Skype for business 2015) to request ECC certificates? Seems the wizard only is made for RSA 1024 2048 4096 key lenght.
    • Anonymous
      May 12, 2017
      You will need to use PowerShell, by default the wizard use RSA.
  • Anonymous
    July 19, 2017
    Is renewing the Skype 2015 Office Web App Server certificate any different? We have a vague memory of having to uninstall & reinstall the Office Web App role.
    • Anonymous
      July 31, 2017
      Same as before, you need to use the Set-OfficeWebappsFarm -CertificateName with the new cert.