Mutual TLS (MTLS) certificates
Connect
and Lync
Presence
Provider (LPP) connections to Skype for Business
rely on mutual TLS (MTLS) for mutual authentication. On an MTLS connection, the server originating a message and the server receiving it exchange certificates from a mutually trusted CA. The certificates prove the identity of each server to the other.In
Skype for Business
deployments, certificates issued by the enterprise CA that are valid and not revoked by the issuing CA are automatically considered valid by all internal clients and servers because all members of a Microsoft Active
Directory
domain trust the Enterprise CA in that domain. In federated scenarios, the issuing CA must be trusted by both federated partners. Each partner can use a different CA, if desired, so long as that CA is also trusted by the other partner. This trust is most easily accomplished by the Edge Servers having the partner’s root CA certificate in their trusted root CAs, or by use of a third-party CA that is trusted by both parties.Hence,
BEMS
must form a mutual trust relationship for MTLS communications supporting its network server environment. Mutual trust requires a valid SSL certificate that meets the following criteria:
- The following certificates must be stored on the computer that hostsBEMSin theWindowsCertificate store. You can access the certificates using theMicrosoftManagement Console (MMC).
- The private certificate issued forBEMSby a trusted CA and that is accessible using theMicrosoftManagement Console (MMC) in theConsole Root\Certificates <folder.local_host_name>\Personal\Certificate
- TheBEMScomputer's private certificate and theSkype for Businessinternal computer certificate must both be trusted by root certificates and accessible using theMicrosoftManagement Console (MMC) in theConsole Root\Certificate <folder.local_host_name>\Trusted Root Certification Authorities\Certificates
- Intermediate certificates for both theBEMSprivate certificate and theSkype for Businessinternal computer certificate and accessible using theMicrosoftManagement Console (MMC) in theConsole Root\Certificates <folder.local_host_name>\Intermediate Certification Authorities\Certificates
- The Subject Name certificate property must contain the Common Name (CN) of a valid FQDN such as a trusted application pool name (for example, CN=bemsapppool.example.com). For more information about the trusted application pool name, see Prepare the initial computer hosting BEMS.
- The Subject Alternative Name (SAN) certificate property must include the FQDN for the trusted application pool and the FQDN of eachBEMSinstance that the certificate will be used for (for example, bemsapppool.example.com, bemsserver01.example.com, bemsserver02.example.com, bemserver03.example.com, and so forth).
- The certificate must be signed by a CA that is mutually trusted by bothSkype for BusinessandBEMS.
The account used to run
BEMS
must have read access to the certificate store and the private key. You can assign read rights to the private key by right-clicking on the certificate. For more information about generating SSL certificates with subject alternative names, see the
Microsoft
resource How to generate a certificate with subject alternative names (SAN).