
Mutual TLS (MTLS) certificates

Connect and Lync Presence Provider (LPP) connections to Microsoft Lync Server and Skype for Business rely on mutual TLS (MTLS) for mutual authentication. On an MTLS connection, the server originating a message and the server receiving it exchange certificates issued by a mutually trusted CA. The certificates prove the identity of each server to the other.
In Microsoft Lync Server and Skype for Business deployments, certificates issued by the enterprise CA that are valid and not revoked by the issuing CA are automatically considered valid by all internal clients and servers, because all members of a Microsoft Active Directory domain trust the enterprise CA in that domain. In federated scenarios, the issuing CA must be trusted by both federated partners. Each partner can use a different CA, so long as that CA is also trusted by the other partner. This trust is most easily established either by placing the partner's root CA certificate in the Edge Servers' Trusted Root Certification Authorities store, or by using a third-party CA that both parties trust.
BEMS must therefore take part in the same mutual trust relationship for its MTLS communications with the Lync Server or Skype for Business environment. Mutual trust requires a valid TLS (SSL) certificate that meets the following criteria:
  • The private certificate issued for BEMS by a trusted CA must be stored on the computer hosting BEMS, in the Console Root\Certificates <local_host_name>\Personal\Certificates folder.
  • The BEMS computer's private certificate and the Microsoft Lync Server or Skype for Business internal computer certificate must both chain to root certificates in BEMS's Console Root\Certificates <local_host_name>\Trusted Root Certification Authorities\Certificates folder.
  • Intermediate certificates for both the BEMS private certificate and the Microsoft Lync Server or Skype for Business internal computer certificate must be located in the BEMS Console Root\Certificates <local_host_name>\Intermediate Certification Authorities\Certificates folder.
  • The Subject Name certificate property must contain, as its Common Name (CN), a valid FQDN such as the trusted application pool name (for example, CN=bemsapppool.example.com). For more information about the trusted application pool name, see Prepare the initial computer hosting BEMS.
  • The Subject Alternative Name (SAN) certificate property must include the FQDN of the trusted application pool and the FQDN of each BEMS instance that the certificate will be used for (for example, bemsapppool.example.com, bemsserver01.example.com, bemsserver02.example.com, bemsserver03.example.com, and so forth). Note that the SAN, not only the Subject CN, is what the peer matches against the host name, so a certificate that names only the pool will fail for connections made to an individual BEMS host.
  • The certificate must be signed by a CA that is trusted by both the Microsoft Lync Server or Skype for Business environment and BEMS.
The account under which the BEMS services run must have read access to the certificate store and to the certificate's private key. You can grant Read permission on the private key in the Certificates MMC snap-in by right-clicking the certificate and clicking All Tasks > Manage Private Keys. A certificate that otherwise meets every criterion above still fails the MTLS handshake if the service account cannot read the key, because BEMS then cannot prove possession of the certificate it presents.
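The following PowerShell script is an added example and is not part of the BEMS documentation or product. Run on the computer hosting BEMS, it checks the criteria above in one pass: it finds the certificate in the local computer's Personal store by the pool FQDN in its Subject CN, compares the SAN against the pool and instance FQDNs, builds the chain through the Trusted Root and Intermediate Certification Authorities stores with online revocation checking, and inspects the ACL on the private key file for the BEMS service account. The FQDNs and the account name are placeholders, and the script assumes a software RSA key stored under ProgramData; hardware- or TPM-backed keys and ECDSA keys are reported rather than checked.

```powershell
<#
  Added example (not from the BEMS documentation): verify that a certificate in the
  local computer's Personal store meets the MTLS criteria listed above and that the
  BEMS service account can read its private key. Run in an elevated PowerShell
  session on the computer hosting BEMS. All names below are assumed placeholders.
#>
param(
    [string]   $PoolFqdn       = 'bemsapppool.example.com',                                 # trusted application pool (assumed)
    [string[]] $HostFqdns      = @('bemsserver01.example.com', 'bemsserver02.example.com'), # BEMS instances (assumed)
    [string]   $ServiceAccount = 'EXAMPLE\svc-bems'                                          # account running BEMS (assumed)
)

$failures = New-Object System.Collections.Generic.List[string]

# 1. Personal store. Cert:\LocalMachine\My is Console Root\Certificates (Local Computer)\Personal\Certificates.
#    Take the newest certificate whose Subject CN is the pool FQDN and which has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "(^|,\s*)CN=$([regex]::Escape($PoolFqdn))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$PoolFqdn and a private key found in Cert:\LocalMachine\My" }
Write-Host "Checking $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# 2. Subject Alternative Name (OID 2.5.29.17) must list the pool FQDN and every BEMS host FQDN.
$sanNames = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    # Multi-line Format() output has one "DNS Name=<fqdn>" line per entry.
    $sanNames = $sanExt.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match '^\s*DNS Name=(.+?)\s*$') { $Matches[1] } }
}
$missing = @($PoolFqdn) + $HostFqdns | Where-Object { $sanNames -notcontains $_ }
if ($missing) { $failures.Add("SAN is missing: $($missing -join ', ')") }

# 3. Chain. The certificate must build to a root in Trusted Root Certification Authorities via
#    the Intermediate Certification Authorities store, and no element may be revoked.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
if (-not $chain.Build($cert)) {
    foreach ($s in $chain.ChainStatus) { $failures.Add("Chain: $($s.Status) - $($s.StatusInformation.Trim())") }
} else {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Chain OK: $($chain.ChainElements.Count) element(s), root = $($root.Subject)"
    # A one-element chain means the leaf is its own trusted root; a peer will not accept that for MTLS.
    if ($chain.ChainElements.Count -eq 1) { $failures.Add('Certificate is self-signed; MTLS requires a CA-issued certificate') }
}

# 4. Private key ACL. Resolve the key container to its file under ProgramData and check that the
#    service account has an explicit Allow entry carrying at least ReadData. Rights inherited only
#    through group membership are not resolved here, so a miss may still be fine if a group grants it.
$keyName = $null
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) {
        $failures.Add('Private key is not RSA; this script does not check ECDSA key permissions')
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyName = $rsa.Key.UniqueName                                # CNG key (KSP)
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName    # legacy CAPI key (CSP)
    }
} catch { $failures.Add("Cannot open private key: $($_.Exception.Message)") }

if ($keyName) {
    $keyFile = @("$env:ProgramData\Microsoft\Crypto\Keys\$keyName",
                 "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName") |
        Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $keyFile) {
        $failures.Add("Key file for container '$keyName' not found under ProgramData (hardware/TPM-backed keys live elsewhere)")
    } else {
        $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
        $grant = (Get-Acl -LiteralPath $keyFile).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -ieq $ServiceAccount -and
            (([int]$_.FileSystemRights) -band $readData) -ne 0
        }
        if (-not $grant) { $failures.Add("$ServiceAccount has no Read permission on private key file $keyFile") }
        else { Write-Host "Private key ACL OK for $ServiceAccount ($($grant[0].FileSystemRights))" }
    }
}

if ($failures.Count -gt 0) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'Certificate meets the MTLS criteria listed above.'
```

The chain check is the one that catches the federated-style failure described earlier on this page: a certificate from a CA the Lync or Skype for Business side trusts but whose root is absent from BEMS's Trusted Root store reports UntrustedRoot, and a missing issuing CA certificate in the Intermediate store reports PartialChain. Fix those by importing the root and intermediate certificates into the stores named in the criteria, then rerun the script; the private key step needs the same Manage Private Keys grant described above.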
For more information about generating SSL certificates with subject alternative names, visit the Technet Library to see How to generate a certificate with subject alternative names (SAN).