Jul 18, 2017 How to Generate a CSR for Lync Server 2013. In Windows start menu, click on the Lync Deployment Wizard icon; Click on the Install or Update Lync Server system; Click Run on the Request, Install, or Assign certificates step; Click on Request button to create CSR; Click on the Next button.
-->Topic Last Modified: 2013-03-17
To successfully complete this procedure you should be logged on as a user who is a member of the RTCUniversalServerAdmins group or have the correct permissions delegated. For details about delegating permissions, see Delegate setup permissions in Lync Server 2013. Depending on your organization and requirements for requesting certificates, you may require other group memberships. Consult with the group that manages your public key infrastructure (PKI) certification authority (CA).
Note
Google Play gift card generator is the simplest way to generate free Google Play gift cards. This generator produces free Google Play codes online, and it is easy to use. The best thing about this generator is it does not require to complete any survey like other generators. Thanks to the well-experienced developer team. Google play gift card generator license key.
Lync Server 2013 includes support for the SHA-2 suite (SHA-2 uses digest lengths of 224, 256, 384 or 512 bits) of digest hash and signing algorithms for connections from clients running the Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, or Windows XP operating systems, in addition to Lync Phone Edition. To support external access using the SHA-2 suite, the external certificate is issued by a public CA that also can issue a certificate with the same bit length digest.
Warning
The selection of which hash digest and signing algorithm is dependent on the clients and the servers that will use the certificate, and other computers and devices that clients and servers will communicate with who must also know how to use the algorithms used in the certificate. For information on which digest lengths are supported in the operating system and some client applications, seehttps://go.microsoft.com/fwlink/?LinkId=287002.
Each Standard Edition server or Front End Server requires up to four certificates: the oAuthTokenIssuer certificate, a default certificate, a web internal certificate, and a web external certificate. However, it is possible to request and assign a single default certificate with appropriate subject alternative name entries as well as the oAuthTokenIssuer certificate. For details about the certificate requirements, see Certificate requirements for internal servers in Lync Server 2013. For details about requesting, assigning and installing the oAuthTokenIssuer certificate, see Managing server-to-server authentication (OAuth) and partner applications in Lync Server 2013
Use the following procedure to request, assign, and install the Standard Edition server or Front End Server certificates. Repeat the procedure for each Front End Server.
Important
The following procedure describes how to configure certificates from an internal enterprise PKI deployed by your organization and with offline request processing. For information about obtaining certificates from a public CA, see Certificate requirements for internal servers in Lync Server 2013 in the Planning documentation. Also, this procedure describes how to request, assign, and install certificates during set up of the Front End Server. If you requested certificates in advance, as described in the Request certificates in advance (optional) for Lync Server 2013 section of this Deployment documentation, or you do not use an internal enterprise PKI deployed in your organization to obtain certificates, you must modify this procedure as appropriate.
To configure certificates for a Front End Server
- In the Lync Server Deployment Wizard, click Run next to Step 3: Request, Install or Assign Certificates.
- On the Certificate Wizard page, click Request.
- On the Certificate Request page, click Next.
- On the Delayed or Immediate Requests page, you can accept the default Send the request immediately to an online certification authority option by clicking Next. The internal CA with automatic online enrollment must be available if you select this option. If you choose the option to delay the request, you will be prompted for a name and location to save the certificate request file. The certificate request must be presented and processed by a CA either inside your organization, or by a public CA. You will then need to import the certificate response and assign it to the proper certificate role.
- On the Choose a Certificate Authority (CA) page, select the Select a CA from the list detected in your environment option, and then select a known (through registration in Active Directory Domain Services) CA from the list. Or, select the Specify another certification authority option, enter the name of another CA in the box, and then click Next.
- On the Certificate Authority Account page, you are prompted for credentials to request and process the certificate request at the CA. You should have determined if a user name and password is necessary to request a certificate in advance. Your CA administrator will have the required information and may have to assist you in this step. If you need to supply alternate credentials, select the check box, provide a user name and password in the text boxes, and then click Next.
- On the Specify Alternate Certificate Template page, to use the default Web Server template, click Next.NoteIf your organization has created a template for use as an alternative for the default Web server CA template, select the check box, and then enter the name of the alternate template. You will need the template name as defined by the CA administrator.
- On the Name and Security Settings page, specify a Friendly Name that should allow you to identify the certificate and purpose. If you leave it blank, a name will be generated automatically. Set the Bit length of the key, or accept the default of 2048 bits. Select the Mark the certificate’s private key as exportable if you determine that the certificate and private key needs to be moved or copied to other systems, and then click Next.NoteLync Server 2013 has minimal requirements for an exportable private key. One such place is on the Edge Servers in a pool, where the Media Relay Authentication Service uses copies of the certificate, rather than individual certificates for each instance in the pool.
- On the Organization Information page, optionally provide organization information, and then click Next.
- On the Geographical Information page, optionally provide geographical information, and then click Next.
- On the Subject Name / Subject Alternate Names page, review the subject alternative names that will be added, and then click Next.
- On the SIP Domain setting page, select the SIP Domain, and then click Next.
- On the Configure Additional Subject Alternate Names page, add any additional required subject alternative names, including any that might be required for additional SIP domains in the future, and then click Next.
- On the Certificate Request Summary page, review the information in the summary. If the information is correct, click Next. If you need to correct or modify a setting, click Back to the proper page to make the correction or modification.
- On the Executing Commands page, click Next.
- On the Online Certificate Request Status page, review the information returned. You should note that the certificate was issued and installed into the local certificate store. If it is reported as having been issued and installed, but is not valid, make sure that the CA root certificate has been installed in the server’s Trusted Root CA store. Refer to your CA documentation on how to retrieve a Trusted Root CA certificate. If you need to view the retrieved certificate, click View Certificate Details. By default, the check box for Assign the certificate to Lync Server certificate usages is checked. If you want to manually assign the certificate, clear the check box, and then click Finish.
- If you cleared the check box for Assign the certificate to Lync Server certificate usages on the previous page, you will be presented with the Certificate Assignment page. Click Next.
- On the Certificate Store page, select the certificate that you requested. If you want to view the certificate, click View Certificate Details, and then click Next to continue.NoteIf the Online Certificate Request Status page reported an issue with the certificate, such as the certificate not being valid, viewing the actual certificate can assist in resolving the issue. Two specific issues that can cause a certificate to not be valid is the previously mentioned missing Trusted Root CA certificate, and a missing private key that is associated with the certificate. Refer to your CA documentation to resolve these two issues.
- On the Certificate Assignment Summary page, review the information presented to make sure that this is the certificate that should be assigned, and then click Next.
- On the Executing Commands page, review the output of the command. Click View Log if you want to review the assignment process or if there was an error or warning issued. When you are finished with your review, click Finish.
- On the Certificate Wizard page, verify that the Status of the certificate is “Assigned,” and then click Close.
See Also
-->Intune supports the use of private and public key pair (PKCS) certificates. This article can help you configure the required infrastructure like on-premises certificate connectors, export a PKCS certificate, and then add the certificate to an Intune device configuration profile.
Microsoft Intune includes built-in settings to use PKCS certificates for access and authentication to your organizations resources. Certificates authenticate and secure access to your corporate resources like a VPN or a WiFi network. You deploy these settings to devices using device configuration profiles in Intune.
For information about using imported PKCS certificates, see Imported PFX Certificates.
Requirements
To use PKCS certificates with Intune, you'll need the following infrastructure:
Generate Microsoft Lync Private Key West
- Active Directory domain:
All servers listed in this section must be joined to your Active Directory domain.For more information about installing and configuring Active Directory Domain Services (AD DS), see AD DS Design and Planning. - Certification Authority:
An Enterprise Certification Authority (CA).For information on installing and configuring Active Directory Certificate Services (AD CS), see Active Directory Certificate Services Step-by-Step Guide.WarningIntune requires you to run AD CS with an Enterprise Certification Authority (CA), not a Standalone CA. - A client:
To connect to the Enterprise CA. - Root certificate:
An exported copy of your root certificate from your Enterprise CA. - Microsoft Intune Certificate Connector (also called the NDES Certificate Connector):
In the Intune portal, go to Device configuration > Certificate Connectors > Add, and follow the Steps to install the connector for PKCS #12. Use the download link in the portal to start download of the certificate connector installer NDESConnectorSetup.exe.Intune supports up to 100 instances of this connector per tenant. Each instance of the connecter must be on a separate Windows server. You can install an instance of this connector on the same server as an instance of the PFX Certificate Connector for Microsoft Intune. When you use multiple connectors, the connector infrastructure supports high availability and load balancing as any available connector instance can process your PKCS certificate requests.This connector processes PKCS certificate requests used for authentication or S/MIME email signing.The Microsoft Intune Certificate Connector also supports Federal Information Processing Standard (FIPS) mode. FIPS isn't required, but you can issue and revoke certificates when it's enabled. - PFX Certificate Connector for Microsoft Intune:
If you plan to use S/MIME email encryption, use the Intune portal to download the PFX Certificate Connector that supports import of PFX certificates. Go to Device configuration > Certificate Connectors > Add, and follow the Steps to install connector for Imported PFX certificates. Use the download link in the portal to start download of the installer PfxCertificateConnectorBootstrapper.exe.Each Intune tenant supports a single instance of this connector. You can install this connector on the same server as an instance of the Microsoft Intune Certificate connector.This connector handles requests for PFX files imported to Intune for S/MIME email encryption for a specific user.This connector can automatically update itself when new versions become available. To use the update capability, you must:- Install the PFX Certificate Connector for Microsoft Intune on your server.
- To automatically receive important updates, ensure firewalls are open that allow the connector to contact autoupdate.msappproxy.net on port 443.
For more information, see Network endpoints for Microsoft Intune, and Intune network configuration requirements and bandwidth. - Windows Server:
Use a Windows Server to host:- Microsoft Intune Certificate Connector - for authentication and S/MIME email signing scenarios
- PFX Certificate Connector for Microsoft Intune - for S/MIME email encryption scenarios.
The connectors require access to the same ports as detailed for managed devices, as found in our device endpoint content.Intune supports install of the PFX Certificate Connector on the same server as the Microsoft Intune Certificate Connector.
Export the root certificate from the Enterprise CA
To authenticate a device with VPN, WiFi, or other resources, a device needs a root or intermediate CA certificate. The following steps explain how to get the required certificate from your Enterprise CA.
Use a command line:
- Log into the Root Certification Authority server with Administrator Account.
- Go to Start > Run, and then enter Cmd to open command prompt.
- Specify certutil -ca.cert ca_name.cer to export the Root certificate as a file named ca_name.cer.
Configure certificate templates on the CA
- Sign in to your Enterprise CA with an account that has administrative privileges.
- Open the Certification Authority console, right-click Certificate Templates, and select Manage.
- Find the User certificate template, right-click it, and choose Duplicate Template to open Properties of New Template.NoteFor S/MIME email signing and encryption scenarios, many administrators use separate certificates for signing and encryption. If you're using Microsoft Active Directory Certificate Services, you can use the Exchange Signature Only template for S/MIME email signing certificates, and the Exchange User template for S/MIME encryption certificates. If you're using a 3rd-party certification authority, it's suggested to review their guidance to set up signing and encryption templates.
- On the Compatibility tab:
- Set Certification Authority to Windows Server 2008 R2
- Set Certificate recipient to Windows 7 / Server 2008 R2
- On the General tab, set Template display name to something meaningful to you.WarningTemplate name by default is the same as Template display name with no spaces. Note the template name, you need it later.
- In Request Handling, select Allow private key to be exported.
- In Cryptography, confirm that the Minimum key size is set to 2048.
- In Subject Name, choose Supply in the request.
- In Extensions, confirm that you see Encrypting File System, Secure Email, and Client Authentication under Application Policies.ImportantFor iOS/iPadOS certificate templates, go to the Extensions tab, update Key Usage, and confirm that Signature is proof of origin isn't selected.
- In Security, add the Computer Account for the server where you install the Microsoft Intune Certificate Connector. Allow this account Read and Enroll permissions.
- Select Apply > OK to save the certificate template. Close the Certificate Templates Console.
- In the Certification Authority console, right-click Certificate Templates > New > Certificate Template to Issue. Choose the template that you created in the previous steps. Select OK.
- For the server to manage certificates for enrolled devices and users, use the following steps:
- Right-click the Certification Authority, choose Properties.
- On the security tab, add the Computer account of the server where you run the connectors (Microsoft Intune Certificate Connector or PFX Certificate Connector for Microsoft Intune).
- Grant Issue and Manage Certificates and Request Certificates Allow permissions to the computer account.
- Sign out of the Enterprise CA.
Download, install, and configure the Microsoft Intune Certificate Connector
Important
The Microsoft Intune Certificate Connector cannot be installed on the issuing Certificate Authority (CA), and instead must be installed on a separate Windows server.
- Sign in to the Microsoft Endpoint Manager admin center.
- Select Tenant administration > Connectors and tokens > Certificate connectors > + Add.
- Click Download the certificate connector software for the connector for PKCS #12, and save the file to a location you can access from the server where you're going to install the connector.
- After the download completes, sign in to the server. Then:
- Be sure .NET 4.5 Framework or higher is installed, as it's required by the NDES Certificate connector. .NET 4.5 Framework is automatically included with Windows Server 2012 R2 and newer versions.
- Run the installer (NDESConnectorSetup.exe), and accept the default location. It installs the connector to
Program FilesMicrosoft IntuneNDESConnectorUI
. In Installer Options, select PFX Distribution. Continue and complete the installation. - By default, the connector service runs under the local system account. If a proxy is required to access the internet, confirm that the local service account can access the proxy settings on the server.
- The Microsoft Intune Certificate Connector opens the Enrollment tab. To enable the connection to Intune, Sign In, and enter an account with global administrative permissions.
- On the Advanced tab, it's recommended to leave Use this computer's SYSTEM account (default) selected.
- Apply > Close
- Go back to the Intune portal (Intune > Device Configuration > Certification Connectors). After a few moments, a green check mark is shown, and the Connection status is Active. Your connector server can now communicate with Intune.
- If you have a web proxy in your networking environment, you might need additional configurations to enable the connector to work. For more information, see Work with existing on-premises proxy servers in the Azure Active Directory documentation.
- Android Enterprise (Work Profile)
- iOS
- macOS
- Windows 10 and later
Note
The Microsoft Intune Certificate Connector supports TLS 1.2. If TLS 1.2 is installed on the server that hosts the Connector, the connector uses TLS 1.2. Otherwise, TLS 1.1 is used. Currently, TLS 1.1 is used for authentication between the devices and server.
Create a trusted certificate profile
- Sign in to the Microsoft Endpoint Manager admin center.
- Select and go to Devices > Configuration profiles > Create profile.
- Enter the following properties:
- Platform: Choose the platform of the devices that will receive this profile.
- Profile: Select Trusted certificate
- Select Create.
- In Basics, enter the following properties:
- Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is Trusted certificate profile for entire company.
- Description: Enter a description for the profile. This setting is optional, but recommended.
- Select Next.
- In Configuration settings, specify the .cer file Root CA Certificate you previously exported.NoteDepending on the platform you chose in Step 3, you may or may not have an option to choose the Destination store for the certificate.
- Select Next.
- In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as
US-NC IT Team
orJohnGlenn_ITDepartment
. For more information about scope tags, see Use RBAC and scope tags for distributed IT.Select Next. - In Assignments, select the user or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.Select Next.
- (Applies to Windows 10 only) In Applicability Rules, specify applicability rules to refine the assignment of this profile. You can choose to assign or not assign the profile based on the OS edition or version of a device.
For more information, see Applicability rules in Create a device profile in Microsoft Intune.
- In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
Create a PKCS certificate profile
- Sign in to the Microsoft Endpoint Manager admin center.
- Select and go to Devices > Configuration profiles > Create profile.
- Enter the following properties:
- Platform: Choose the platform of your devices. Your options:
- Android device administrator
- Android Enterprise > Device owner only
- Android Enterprise > Work profile only
- iOS/iPadOS
- macOS
- Windows 10 and later
- Profile: Select PKCS certificate
NoteOn devices with an Android Enterprise profile, certificates installed using a PKCS certificate profile are not visible on the device. To confirm successful certificate deployment, check the status of the profile in the Intune console. - Platform: Choose the platform of your devices. Your options:
- Select Create.
- In Basics, enter the following properties:
- Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is PKCS profile for entire company.
- Description: Enter a description for the profile. This setting is optional, but recommended.
- Select Next.
- In Configuration settings, depending on the platform you chose, the settings you can configure are different. Select your platform for detailed settings:-Android device administrator-Android Enterprise-iOS/iPadOS-Windows 10
Setting Platform Details Renewal threshold (%) - All
Recommended is 20% Certificate validity period - All
If you didn't change the certificate template, this option may be set to one year. Key storage provider (KSP) - Windows 10
For Windows, select where to store the keys on the device. Certification authority - All
Displays the internal fully qualified domain name (FQDN) of your Enterprise CA. Certification authority name - All
Lists the name of your Enterprise CA, such as 'Contoso Certification Authority'. Certificate template name - All
Lists the name of your certificate template. Certificate type - Android Enterprise (Work Profile)
- iOS
- macOS
- Windows 10 and later
Select a type: - User certificates can contain both user and device attributes in the subject and SAN of the certificate.
- Device certificates can only contain device attributes in the subject and SAN of the certificate. Use Device for scenarios such as user-less devices, like kiosks or other shared devices.
This selection affects the Subject name format.
Subject name format - All
For details on how to configure the subject name format, see Subject name format later in this article.
For most platforms, use the Common name option unless otherwise required.
For the following platforms, the Subject name format is determined by the certificate type:- Android Enterprise (Work Profile)
- iOS
- macOS
- Windows 10 and later
Subject alternative name - All
For Attribute, select User principal name (UPN) unless otherwise required, configure a corresponding Value, and then click Add.
For more information, see Subject name format later in this article.Extended key usage - Android device administrator
- Android Enterprise (Device Owner, Work Profile)
- Windows 10
Certificates usually require Client Authentication so that the user or device can authenticate to a server. Allow all apps access to private key - macOS
Set to Enable to give apps that are configured for the associated mac device access to the PKCS certificates private key.
For more information on this setting, see AllowAllAppsAccess the Certificate Payload section of Configuration Profile Reference in the Apple developer documentation.Root Certificate - Android device administrator
- Android Enterprise (Device Owner, Work Profile)
Select a root CA certificate profile that was previously assigned. - Select Next.
- In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as
US-NC IT Team
orJohnGlenn_ITDepartment
. For more information about scope tags, see Use RBAC and scope tags for distributed IT.Select Next. - In Assignments, select the user or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.Select Next.
- In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
Subject name format
When you create a PKCS certificate profile for the following platforms, options for the subject name format depend on the Certificate type you select, either User or Device.
Platforms:
- Android Enterprise (Work Profile)
- iOS
- macOS
- Windows 10 and later
Note
There is a known issue for using PKCS to get certificates which is the same issue as seen for SCEP when the subject name in the resulting Certificate Signing Request (CSR) includes one of the following characters as an escaped character (proceeded by a backslash ):
- +
- ;
- ,
- =
- User certificate type
Format options for the Subject name format include two variables: Common Name (CN) and Email (E). Common Name (CN) can be set to any of the following variables:- CN={{UserName}}: The user principal name of the user, such as [email protected].
- CN={{AAD_Device_ID}}: An ID assigned when you register a device in Azure Active Directory (AD). This ID is typically used to authenticate with Azure AD.
- CN={{SERIALNUMBER}}: The unique serial number (SN) typically used by the manufacturer to identify a device.
- CN={{IMEINumber}}: The International Mobile Equipment Identity (IMEI) unique number used to identify a mobile phone.
- CN={{OnPrem_Distinguished_Name}}: A sequence of relative distinguished names separated by comma, such as CN=Jane Doe,OU=UserAccounts,DC=corp,DC=contoso,DC=com.To use the {{OnPrem_Distinguished_Name}} variable, be sure to sync the onpremisesdistinguishedname user attribute using Azure AD Connect to your Azure AD.
- CN={{onPremisesSamAccountName}}: Admins can sync the samAccountName attribute from Active Directory to Azure AD using Azure AD connect into an attribute called onPremisesSamAccountName. Intune can substitute that variable as part of a certificate issuance request in the subject of a certificate. The samAccountName attribute is the user sign-in name used to support clients and servers from a previous version of Windows (pre-Windows 2000). The user sign-in name format is: DomainNametestUser, or only testUser.To use the {{onPremisesSamAccountName}} variable, be sure to sync the onPremisesSamAccountName user attribute using Azure AD Connect to your Azure AD.
By using a combination of one or many of these variables and static strings, you can create a custom subject name format, such as:- CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US
That example includes a subject name format that uses the CN and E variables, and strings for Organizational Unit, Organization, Location, State, and Country values. CertStrToName function describes this function, and its supported strings. - Device certificate type
Format options for the Subject name format include the following variables:- {{AAD_Device_ID}}
- {{Device_Serial}}
- {{Device_IMEI}}
- {{SerialNumber}}
- {{IMEINumber}}
- {{AzureADDeviceId}}
- {{WiFiMacAddress}}
- {{IMEI}}
- {{DeviceName}}
- {{FullyQualifiedDomainName}}(Only applicable for Windows and domain-joined devices)
- {{MEID}}
You can specify these variables, followed by the text for the variable, in the textbox. For example, the common name for a device named Device1 can be added as CN={{DeviceName}}Device1.Important- When you specify a variable, enclose the variable name in curly brackets { } as seen in the example, to avoid an error.
- Device properties used in the subject or SAN of a device certificate, like IMEI, SerialNumber, and FullyQualifiedDomainName, are properties that could be spoofed by a person with access to the device.
- A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if {{IMEI}} is used in the subject name of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install.
What's new for Connectors
Updates for the two certificate connectors are released periodically. When we update a connector, you can read about the changes here.
The PFX Certificate Connector for Microsoft Intunesupports automatic updates, while the Intune Certificate Connector is updated manually.
May 17, 2019
- PFX Certificate Connector for Microsoft Intune - version 6.1905.0.404
Changes in this release:- Fixed an issue where existing PFX certificates continue to be reprocessed which causes the connector to stop processing new requests.
May 6, 2019
- PFX Certificate Connector for Microsoft Intune - version 6.1905.0.402
Changes in this release:- The polling interval for the connector is reduced from 5 minutes to 30 seconds.
April 2, 2019
- Intune Certificate Connector - version 6.1904.1.0
Changes in this release:- Fixed an issue where the connector might fail to enroll to Intune after signing in to the connector with a global administrator account.
- Includes reliability fixes to certificate revocation.
- Includes performance fixes to increase how quickly PKCS certificate requests are processed.
- PFX Certificate Connector for Microsoft Intune - version 6.1904.0.401NoteAutomatic update for this version of the PFX connector is not available until April 11th, 2019.Changes in this release:
- Fixed an issue where the connector might fail to enroll to Intune after signing in to the connector with a global administrator account.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Generate Microsoft Lync Private Key Mac
Use SCEP for certificates, or issue PKCS certificates from a Symantec PKI manager web service.