Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry Enterprise Mobility Server 3.7
  3. BEMS Installation Guide
  4. Prerequisites: Installing and configuring BEMS
  5. Prerequisites: Connect for Skype for Business
  6. SSL certificate requirements for Skype for Business
  7. Mutual TLS (MTLS) certificates

Mutual TLS (MTLS) certificates

Connect
 and
Lync
Presence
 Provider (LPP) connections to
Skype for Business
 rely on mutual TLS (MTLS) for mutual authentication. On an MTLS connection, the server originating a message and the server receiving it exchange certificates from a mutually trusted CA. The certificates prove the identity of each server to the other.
In
Skype for Business
 deployments, certificates issued by the enterprise CA that are valid and not revoked by the issuing CA are automatically considered valid by all internal clients and servers because all members of a
Microsoft Active Directory
 domain trust the Enterprise CA in that domain. In federated scenarios, the issuing CA must be trusted by both federated partners. Each partner can use a different CA, if desired, so long as that CA is also trusted by the other partner. This trust is most easily accomplished by the Edge Servers having the partner’s root CA certificate in their trusted root CAs, or by use of a third-party CA that is trusted by both parties.
Hence,
BEMS
 must form a mutual trust relationship for MTLS communications supporting its network server environment. Mutual trust requires a valid SSL certificate that meets the following criteria:
  • The following certificates must be stored on the computer that hosts
    BEMS
     in the
    Windows
     Certificate store. You can access the certificates using the
    Microsoft
     Management Console (MMC).
    • The private certificate issued for
      BEMS
       by a trusted CA and that is accessible using the
      Microsoft
       Management Console (MMC) in the
      Console Root\Certificates <
      local_host_name
      >\Personal\Certificate
       folder.
    • The
      BEMS
       computer's private certificate and the
      Skype for Business
       internal computer certificate must both be trusted by root certificates and accessible using the
      Microsoft
       Management Console (MMC) in the
      Console Root\Certificate <
      local_host_name
      >\Trusted Root Certification Authorities\Certificates
       folder.
    • Intermediate certificates for both the
      BEMS
       private certificate and the
      Skype for Business
       internal computer certificate and accessible using the
      Microsoft
       Management Console (MMC) in the
      Console Root\Certificates <
      local_host_name
      >\Intermediate Certification Authorities\Certificates
       folder.
  • The Subject Name certificate property must contain the Common Name (CN) of a valid FQDN such as a trusted application pool name (for example, CN=bemsapppool.example.com). For more information about the trusted application pool name, see Prepare the initial computer hosting BEMS.
  • The Subject Alternative Name (SAN) certificate property must include the FQDN for the trusted application pool and the FQDN of each
    BEMS
     instance that the certificate will be used for (for example, bemsapppool.example.com, bemsserver01.example.com, bemsserver02.example.com, bemserver03.example.com, and so forth).
  • The certificate must be signed by a CA that is mutually trusted by both
    Skype for Business
     and
    BEMS
    .
The account used to run
BEMS
 must have read access to the certificate store and the private key. You can assign read rights to the private key by right-clicking on the certificate.
For more information about generating SSL certificates with subject alternative names, visit the Technet Library to see How to generate a certificate with subject alternative names (SAN).