Certificates

Certificates are important in the Lync infrastructure. They are used to authenticate, sign, and secure communications, so a plan for restoring Lync functionality must also cover the certificates it depends on.

In the Don't forget the infrastructure – the greater recovery plan section, the internal PKI is listed. There is no point in backing up or restoring certificates issued from the internal CA, unless this is on the disaster recovery plan for the company. This section is worth reading if the PKI is on the restore list or if Lync is the only service we have to restore.

Note

Some say that it is faster just to request and assign new certificates, and may skip this section entirely. However, the online CA might not always be available at recovery time; this is why a backup is recommended.

Getting ready

There is no way to back up the system's certificates unless the private key was marked as exportable during the deployment phase and/or the issuing CA allows it (most CAs do).

When requesting the certificate in the Lync deployment wizard, the Mark the certificate's private key as exportable option must be selected, as shown in the following screenshot:


If the request is done through the Certificate MMC snap-in, the corresponding setting would be the Make private key exportable option in the Private Key tab of a custom request, as shown in the following screenshot:


The Lync Server Deployment tool does not have any option or settings to export (take a backup) a certificate. This task requires the use of the Certificate MMC snap-in (computer store).

On every Windows server where there is a certificate we want to back up, perform the following steps to load MMC:

  1. Open the Start menu.
  2. Select Run.
  3. Type mmc and press Enter.
  4. Press Ctrl + M (add snap-in).
  5. Select Certificate, click on Add, and select Computer account, as shown in the following screenshot:
  6. Click on Next and then on Finish (leave the default of local computer and then click on OK).

    Tip

    It is not uncommon to create certificate requests for hardware load balancers on a Windows server, using either MMC or the Lync Server Deployment tool. If this is the case, the machine on which the request was created should have a copy of the certificate, and the backup can be made from there (it is recommended that you create the backup when requesting and assigning the certificates). This guide only covers Windows Server tools.

How to do it…

The following are the steps to create the backup on a Windows computer through the MMC snap-in:

  1. Expand the Console root, Certificate (Local computer), and Personal options in the left pane.
  2. Select Certificates.
  3. Locate the desired certificate in the main pane and right-click on it.

    Tip

    Identify the correct certificates by running the following PowerShell command (most likely, there are two different certificates: one for OAuth and another for the rest of the services):

    Get-CsCertificate | ft -Property use,subject -AutoSize
    
  4. Select All tasks and then Export (this launches a wizard).
  5. Click on Next.
  6. Select Yes, export private key, as shown in the following screenshot:
  7. Click on Next.
  8. Keep the wizard's default values and click on Next.
  9. Select Password. Then, create a password (and document it) that will protect the certificate's private key.
  10. Click on Next.
  11. Select a path and a filename. Then, click Next.
  12. Click on Finish and then on OK.
  13. Save the *.pfx file in a secured location.

Follow these steps to restore a certificate to a Windows server using MMC:

  1. Expand the Console root, Certificate (Local computer), and Personal options in the left pane.
  2. Right-click on Certificates.
  3. Select All tasks and Import.
  4. Select Next.
  5. Browse to the PFX file that contains the certificate in question (remember to change the type to PFX; by default, the wizard browses for .cer).
  6. Click on Next.
  7. Enter the password you created at the export stage, select Make this key exportable (if a re-export is needed), and then click on Next.
  8. Leave the default (import into personal store).
  9. Click on Next.
  10. Click on Finish and then on OK.

    Note

    This task only described the import job. The certificate must be reassigned to the Lync services in the Deploy Lync Server 2013 Wizard, in the same way the administrator did during the initial deployment.

  11. Launch Lync Server 2013 – Deployment Wizard.
  12. Select Install or Update Lync Server System.
  13. Select Run or Run again (depending on the current system status) under Step 3: Request, Install or Assign Certificates.
  14. Select the service for the reassignment and select Assign.
  15. Click on Next.
  16. Select the correct certificate and then click on Next.
  17. Click on Next again.
  18. Click on Finish.
  19. Restart services.

There's more…

Not all certificates on all servers have to be backed up. Why? In simple deployments, it might be just as easy and quick to restore certificates by re-requesting and reissuing certificates from the Internal CA where the original certificates originate from. Make a risk assessment and write down the decision regarding internal certificates (and/or procedures) in the recovery plan.

External (public) certificates should always be backed up and stored for an emergency, as the external CA might not be available at the time of recovery.

As certificates must be exported from each server individually, the procedure described earlier can be slow and time-consuming.

Certificates can also be exported with a script or directly in a PowerShell session. The following commands show you how to do it:

# Enumerate the computer's Personal store, keep only certificates whose private key
# can be exported, and write one PFX per thumbprint (replace 'password' with your own).
dir cert:\localmachine\my | `
      Where-Object { $_.HasPrivateKey `
       -and $_.PrivateKey.CspKeyContainerInfo.Exportable } | `
      Foreach-Object { [system.IO.file]::WriteAllBytes( `
               "C:\backup\$($_.thumbprint).pfx", `
               ($_.Export('PFX', 'password')) ) }

The first line (dir) sets the path of the store. The second command (Where-Object) selects the certificates for the export process (those whose private key is marked as exportable).

The Foreach-Object command repeats the export for every eligible (Lync and other) certificate, presuming that C:\backup already exists.
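The following script is an added example, not the book's own code, that extends the one-liner above: it creates the backup folder, prompts for the PFX password instead of embedding it, reports which certificates could not be exported (no private key, or a key that is not exportable), and adds a restore function that mirrors the MMC import. The path C:\backup and the function names are assumptions chosen here.

```powershell
# Added example (not from the book). Back up every exportable certificate in the
# computer's Personal store to one PFX per thumbprint, report the rest, and restore
# a PFX into the same store. $BackupRoot is an assumed path.
$BackupRoot = 'C:\backup'
$Password   = Read-Host -AsSecureString -Prompt 'PFX password'   # never hard-code it

function Backup-MachineCertificates {
    param([string]$Root, [SecureString]$Pwd)
    if (-not (Test-Path $Root)) { New-Item -ItemType Directory -Path $Root | Out-Null }
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $status = 'NoPrivateKey'
        if ($cert.HasPrivateKey) {
            # PrivateKey is $null for CNG keys on older .NET; they are reported, not exported
            $status = if ($cert.PrivateKey -and
                          $cert.PrivateKey.CspKeyContainerInfo.Exportable) { 'Exported' }
                      else { 'KeyNotExportable' }
        }
        if ($status -eq 'Exported') {
            $file = Join-Path $Root "$($cert.Thumbprint).pfx"
            # 'PFX' converts to X509ContentType.Pfx; the private key is protected by $Pwd
            [System.IO.File]::WriteAllBytes($file, $cert.Export('PFX', $Pwd))
        }
        # One object per certificate, so the result can be kept with the recovery plan
        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint; Subject = $cert.Subject
            NotAfter   = $cert.NotAfter;   Status  = $status
        }
    }
}

function Restore-MachineCertificate {
    param([string]$PfxPath, [SecureString]$Pwd)
    # MachineKeySet + PersistKeySet mirrors the MMC import into the computer store;
    # Exportable is the script equivalent of "Make this key exportable"
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet, Exportable'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                 -ArgumentList $PfxPath, $Pwd, $flags
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
                 -ArgumentList 'My', 'LocalMachine'
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
    $cert.Thumbprint    # match this against Get-CsCertificate before reassigning in the wizard
}

Backup-MachineCertificates -Root $BackupRoot -Pwd $Password | Format-Table -AutoSize
# Restore-MachineCertificate -PfxPath "$BackupRoot\<thumbprint>.pfx" -Pwd $Password
```

Run it from an elevated PowerShell session on each server; the Status column shows at a glance which Lync certificates would have to be re-requested instead of restored.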
