Certificates are central to the Lync infrastructure: they are used to authenticate servers, and to sign and secure communications. Because Lync does not function without valid certificates, the recovery plan must include a strategy for restoring them.
In the Don't forget the infrastructure – the greater recovery plan section, the internal PKI is listed. There is no point in backing up or restoring certificates issued by the internal CA unless backing them up is part of the company's disaster recovery plan. This section is worth reading if the PKI is on the restore list, or if Lync is the only service we have to restore.
A certificate's private key can only be backed up if the allow export of private key option was set when the request was generated during the deployment phase, and if the issuing CA allows it (for a Windows enterprise CA this is a setting of the certificate template; most CAs do allow it). Without an exportable key, only the public certificate can be exported from the store, which is of no use for restoring a server.
When requesting the certificate in the Lync deployment wizard, the Mark the certificate's private key as exportable option must be selected, as shown in the following screenshot:
If the request is done through the Certificate MMC snap-in, the corresponding setting would be the Make private key exportable option in the Private Key tab of a custom request, as shown in the following screenshot:
The Lync Server Deployment Wizard has no option or setting to export (take a backup of) a certificate. This task requires the Certificates MMC snap-in (computer account store).
On every Windows server holding a certificate we want to back up, load the MMC: open Run (or a command prompt), type mmc, and press Enter.

It is not uncommon to create certificate requests for hardware load balancers on a Windows server, using either MMC or the Lync Server Deployment Wizard. If this is the case, the machine on which the request was created holds the certificate together with its private key, and the backup can be made from there (it is recommended that you create the backup at the time the certificates are requested and assigned). This guide only covers Windows Server tools.
The following are the steps to create the backup on a Windows computer through the MMC snap-in. The export produces a *.pfx file; store it in a secured location, because it contains the private key and is protected only by the password chosen during the export.

Follow these steps to restore a certificate to a Windows server using MMC. Import the *.pfx file: a .cer file contains only the public certificate, not the private key, and cannot be used to restore a server.
Not all certificates on all servers have to be backed up. Why? In simple deployments, it might be just as easy and quick to restore certificates by re-requesting and reissuing them from the internal CA that issued the originals. Make a risk assessment and write down the decision regarding internal certificates (and/or the procedures) in the recovery plan.
External (public) certificates should always be backed up and stored for an emergency, as the external CA might not be available at the time of recovery.
As certificates must be exported from each server individually, the procedure described earlier is slow and can take some time.
The export can instead be done with a script or in a PowerShell session. The following command shows how:

    dir cert:\localmachine\my | `
      Where-Object { $_.HasPrivateKey `
        -and $_.PrivateKey.CspKeyContainerInfo.Exportable } | `
      Foreach-Object { [System.IO.File]::WriteAllBytes( `
        "C:\backup\$($_.Thumbprint).pfx", `
        ($_.Export('PFX', 'password')) ) }
The first command (dir, an alias of Get-ChildItem) sets the path of the store, Cert:\LocalMachine\My. The second command (Where-Object) selects the certificates for the export process: those that have a private key, and whose key is marked as exportable. The Foreach-Object command repeats the export for every eligible (Lync and other) certificate, writing one PFX file per thumbprint and presuming that C:\backup already exists. Two caveats: the password protecting the PFX files is written in clear text in the command, so replace 'password' with a strong one and keep the files in a secured location; and the CspKeyContainerInfo test only sees keys held by a legacy cryptographic service provider, so a certificate whose key is stored by a CNG key storage provider is not exported by this command. Compare the files in C:\backup against the certificates in the store before relying on the backup.
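As an added example (not the book's own script), the same backup and the restore on a rebuilt server can be done with the PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate, which are available on Windows Server 2012 and later and handle both legacy CSP and CNG keys. The directory C:\backup, the password prompt and the function names are assumptions; the Set-CsCertificate line at the end shows how the imported certificate is assigned to its Lync roles afterwards.

```powershell
# Added example, not from the original text. Requires the PKI module
# (Windows Server 2012 or later). C:\backup and the function names are assumptions.

function Backup-MachineCertificates {
    param(
        [string]$BackupDir = 'C:\backup',
        [Parameter(Mandatory)][System.Security.SecureString]$PfxPassword
    )
    if (-not (Test-Path -LiteralPath $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    # Every certificate with a private key in the computer's personal store.
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }) {
        $file = Join-Path -Path $BackupDir -ChildPath ("{0}.pfx" -f $cert.Thumbprint)
        try {
            # Unlike the .NET Export() call above, this fails loudly on a
            # non-exportable key, so certificates that cannot be backed up are
            # reported instead of silently missing from the backup directory.
            Export-PfxCertificate -Cert $cert -FilePath $file -Password $PfxPassword `
                -ChainOption BuildChain -ErrorAction Stop | Out-Null
            # Verify that the file really holds the private key before trusting the backup.
            $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file, $PfxPassword)
            if (-not $check.HasPrivateKey) { throw 'exported file has no private key' }
            [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; File = $file; Status = 'Exported' }
        } catch {
            [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; File = $null; Status = "Failed: $($_.Exception.Message)" }
        }
    }
}

function Restore-MachineCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxFile,
        [Parameter(Mandatory)][System.Security.SecureString]$PfxPassword
    )
    # -Exportable keeps the restored key exportable so that the next backup works
    # too; leave it out if the key must never leave the server again.
    $cert = Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation Cert:\LocalMachine\My `
        -Password $PfxPassword -Exportable
    return $cert.Thumbprint
}

# Backup (run on the server holding the certificates). Prompting keeps the PFX
# password out of script files and the console history.
$pfxPwd = Read-Host -AsSecureString -Prompt 'Password protecting the PFX files'
Backup-MachineCertificates -PfxPassword $pfxPwd | Format-Table -AutoSize

# Restore (run on the rebuilt server after copying the .pfx files over), then
# assign the certificate to the Lync roles it served, using the Lync cmdlet:
# $tp = Restore-MachineCertificate -PfxFile 'C:\backup\<thumbprint>.pfx' -PfxPassword $pfxPwd
# Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint $tp
```

The backup function returns one object per certificate, so a failed export (typically a key that was not marked exportable at request time) shows up in the table and can be put on the re-request list of the recovery plan rather than being discovered during the recovery itself.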