Lync Server 2010 certificate requirements for user access

If you are a Small Business customer, find additional troubleshooting and learning resources at the Support for Small Business site.
By default, network communications in Lync Server 2010 are encrypted. Certificates are required for all internal servers that are running Lync Server 2010. Lync Server 2010 helps protect data on the network by requiring the following:
  • All Lync Server 2010 servers and Lync 2010 clients use certificates.
  • All certificates must support Mutual Transport Layer Security (MTLS) and Transport Layer Security (TLS), Secure Real-Time Transport Protocol (SRTP), and other industry-standard encryption techniques. This includes 128-bit Advanced Encryption Standard (AES) encryption.

Certificate requests

Certificates are issued by a certification authority (CA). Lync Server 2010 setup includes the Certificate Wizard to help you request, assign, and install certificates during deployment.

It can take time to process certificate requests, especially requests to public certification authorities (CAs). You can request certificates for your Lync Server 2010 servers early to make sure that they are available when you start deployment. If you want to request certificates before you install the servers, you can use the Lync Server 2010 administrative tools or use a certificate request procedure defined in your organization. You may want to do this to save time when you deploy servers. However, you must make sure that the certificates are exportable and that they contain all the required subject alternative names.

Requesting certificates in advance is optional. If you do not request certificates in advance, you must request them when you set up the servers that require a certificate.

We recommend that you use an internal enterprise CA for internal servers. Doing this could save you money. For more information about internal CAs, see Request Certificates from an Internal Enterprise CA on the Microsoft TechNet website.

You can also use a public CA. To see a list of public CAs that provide certificates, see article 929395: Unified Communications Certificate Partners for Exchange Server and for Communications Server. Certificates from these CAs comply with specific requirements for unified communications (UC) certificates. These public CAs also work with Microsoft to make sure that their certificates work with the Lync Server Certificate Wizard.

More Information

A CA issues and manages security credentials and public keys for message encryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority to verify the information that you send when you request a digital certificate. If the registration authority verifies your information, the CA can issue a certificate. 

Lync Server 2010 uses certificates for the following purposes:
  • TLS connections between client and server
  • MTLS connections between servers
  • Federation using automatic Domain Name System (DNS) discovery of partners
  • Remote user access for instant messaging (IM)
  • External user access to audio/video (A/V) sessions, application sharing, and conferencing
  • Mobile requests using automatic discovery of Web Services
For more information about how to use the Certificate Wizard to configure certificates for specific server roles in Lync Server 2010, see the following topics on the Microsoft TechNet website:


Article ID: 2667698 - Last Review: Apr 30, 2012 - Revision: 1