
Mutual TLS (MTLS) certificates

Connect and Lync Presence Provider (LPP) connections to Skype for Business rely on mutual TLS (MTLS) for mutual authentication. On an MTLS connection, the server originating a message and the server receiving it exchange certificates from a mutually trusted CA. The certificates prove the identity of each server to the other.
In Skype for Business deployments, certificates issued by the enterprise CA that are valid and not revoked by the issuing CA are automatically considered valid by all internal clients and servers, because all members of a Microsoft Active Directory domain trust the enterprise CA in that domain. In federated scenarios, the issuing CA must be trusted by both federated partners. Each partner can use a different CA, if desired, so long as that CA is also trusted by the other partner. This trust is most easily accomplished by the Edge Servers having the partner's root CA certificate in their trusted root CAs, or by use of a third-party CA that is trusted by both parties.
Hence, BEMS must form a mutual trust relationship for MTLS communications supporting its network server environment. Mutual trust requires a valid SSL certificate that meets the following criteria:
  • The following certificates must be stored on the computer that hosts BEMS in the Windows certificate store. You can access the certificates using the Microsoft Management Console (MMC).
    • The private certificate issued to BEMS by a trusted CA, accessible using the Microsoft Management Console (MMC) in the Console Root\Certificates <local_host_name>\Personal\Certificates folder.
    • The root certificates that the BEMS computer's private certificate and the Skype for Business internal computer certificate chain to, so that both certificates are trusted. The root certificates must be accessible using the Microsoft Management Console (MMC) in the Console Root\Certificates <local_host_name>\Trusted Root Certification Authorities\Certificates folder.
    • The intermediate certificates for both the BEMS private certificate and the Skype for Business internal computer certificate, accessible using the Microsoft Management Console (MMC) in the Console Root\Certificates <local_host_name>\Intermediate Certification Authorities\Certificates folder.
  • The Subject Name certificate property must contain the Common Name (CN) of a valid FQDN, such as a trusted application pool name (for example, CN=bemsapppool.example.com). For more information about the trusted application pool name, see Prepare the initial computer hosting BEMS.
  • The Subject Alternative Name (SAN) certificate property must include the FQDN for the trusted application pool and the FQDN of each BEMS instance that the certificate will be used for (for example, bemsapppool.example.com, bemsserver01.example.com, bemsserver02.example.com, bemsserver03.example.com, and so forth).
  • The certificate must be signed by a CA that is mutually trusted by both Skype for Business and BEMS.
The account used to run BEMS must have read access to the certificate store and the private key. You can assign read rights to the private key by right-clicking the certificate in the MMC.
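The following PowerShell script is an added example, not part of the BEMS documentation, that checks the criteria above on the BEMS host: it locates the certificate in the local computer Personal store by its CN, confirms the private key is present, verifies that the SAN lists the pool FQDN and every BEMS instance FQDN, and builds the chain through the Intermediate and Trusted Root stores with revocation checking. The pool and instance FQDNs are placeholders that you replace with your own values.

```powershell
# Added check script (not BEMS product code). Placeholder values, assumed for this example:
$PoolFqdn     = 'bemsapppool.example.com'
$BemsHosts    = @('bemsserver01.example.com', 'bemsserver02.example.com')
$RequiredSans = @($PoolFqdn) + $BemsHosts

# 1. Locate the BEMS private certificate in the local computer Personal store
#    (the Console Root\Certificates <local_host_name>\Personal\Certificates folder in MMC).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($PoolFqdn))" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$PoolFqdn found in LocalMachine\My" }

# 2. The private key must be present; the BEMS service account also needs read access to it.
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# 3. The SAN extension (OID 2.5.29.17) must list the pool FQDN and every BEMS instance FQDN.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension' }
$sanText  = $sanExt.Format($false)   # single line, e.g. "DNS Name=bemsapppool.example.com, DNS Name=..."
$sanNames = [regex]::Matches($sanText, 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
$missing  = $RequiredSans | Where-Object { $sanNames -notcontains $_ }
if ($missing) { throw "SAN is missing: $($missing -join ', ')" }

# 4. The chain must build through the Intermediate Certification Authorities store to a root in
#    Trusted Root Certification Authorities, and no certificate in it may be revoked.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw 'Certificate chain does not build to a trusted root, or a chain element is revoked'
}

# Print the chain (leaf first) and a summary line for the operator.
$chain.ChainElements | ForEach-Object { '{0}  {1}' -f $_.Certificate.Thumbprint, $_.Certificate.Subject }
"OK: $($cert.Subject) (expires $($cert.NotAfter)) meets the BEMS MTLS certificate criteria"
```

Run it in an elevated PowerShell session on the BEMS host; the Skype for Business internal computer certificate can be checked the same way by pointing the script at its CN on that server.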
For more information about generating SSL certificates with subject alternative names, see the Microsoft resource How to generate a certificate with subject alternative names (SAN).