This is most likely to happen if you are using a dedicated certificate for each Lync service.
In particular, the Lync WebServiceInternal certificate cannot be requested correctly, either with the Lync Wizard or with the Request-CsCertificate command.
The problem is that both methods request a certificate with a Subject Name of the Internal Web Services rather than the pool FQDN.
The remote certificate is invalid according to the validation procedure. reason="The web ticket is invalid." ;faultcode="wsse:InvalidSecurityToken",Replace=false
Both TechNet and the Help file describe the correct certificate. Therefore you need a valid process for requesting the correct certificate.
If you have a consolidated certificate for all services, this issue is not present, because the Subject Name corresponds to the pool FQDN.
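One way to check for the mismatch described above is to compare the Subject CN of each assigned certificate with the pool FQDN. This is an added example, not part of the original post: the function name Test-CsCertSubject, the host names under contoso.local and the sample objects are constructed, and it assumes the certificate objects expose Use and Subject properties as Get-CsCertificate output does.

```powershell
# Added example: flag certificates whose Subject CN is not the pool FQDN.
# Test-CsCertSubject is a hypothetical helper, not a Lync cmdlet.
function Test-CsCertSubject {
    param(
        # Any object with Use and Subject properties (assumed shape of Get-CsCertificate output).
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Certificate,

        # FQDN of the Front End pool the certificate is expected to name.
        [Parameter(Mandatory = $true)]
        [string]$PoolFqdn
    )
    process {
        # Pull the CN component out of the distinguished name, if there is one.
        $cn = $null
        if ($Certificate.Subject -match '(?i)(?:^|,\s*)CN=([^,]+)') {
            $cn = $Matches[1].Trim()
        }

        # Case-insensitive comparison; a missing CN counts as a mismatch.
        New-Object PSObject -Property @{
            Use         = $Certificate.Use
            SubjectCN   = $cn
            MatchesPool = ($cn -ieq $PoolFqdn)
        }
    }
}

# Constructed sample input: one certificate named after the pool,
# one named after the internal web services FQDN (the case described above).
$sample = @(
    (New-Object PSObject -Property @{ Use = 'Default';             Subject = 'CN=pool01.contoso.local' }),
    (New-Object PSObject -Property @{ Use = 'WebServicesInternal'; Subject = 'CN=webint.contoso.local, OU=IT, O=Contoso' })
)

$sample |
    Test-CsCertSubject -PoolFqdn 'pool01.contoso.local' |
    Select-Object Use, SubjectCN, MatchesPool |
    Format-Table -AutoSize

# On a Front End server with the Lync module loaded, the same check can be fed
# from the assigned certificates instead of the sample:
#   Get-CsCertificate | Test-CsCertSubject -PoolFqdn 'pool01.contoso.local'
```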
Here I post a…