Wildcard Certificate Support in Skype for Business
Can we use Wildcard Certificates in Skype for Business or Lync Server?
Simple answer is: YESNO
First lets have a look into a certificate:A Certificate has a Common Name (CN) and Subject Alternative Names (SAN)
A classic wildcard certificate is a certificate where the CN look like: CN=*.domain.com
In Skype for Business the main reason for certificate use is TLS/MTLS data encryption and the other point it the server authentication/ validation.
Skype for Business is using the Common Name CN for authentication/ validation trusts.
Only if a server with in the Topology or for Federation purposes presents a valid certificate with its matching Common Name (CN) the entire traffic can be used with TLS/MTLS.
Therefor we understand a CN identifier as FQDN of the Server or the Pool is RECOMMENDED!
A valid SAN Wildcard certificate could look like this:
CN = POOL01.DOMAIN.COM
SAN = POOL01.DOMAIN.COM
SAN = SIP.DOMAIN.COM
SAN = *.DOMAIN.COM
A dedicated article to Skype for Business does not exits yet, you have to refer to: Environmental requirements for Skype for Business Server 2015.
Still an internal deployment guide exists here https://technet.microsoft.com/en-us/library/dn933910.aspx
It will address the same issue in the same way as it was with Lync 2010 and Lync 2013.
SUMMARY:Please carefully consider the use of a wildcard certificate. Even if you figure out the CN wildcard certificate is working, due to the feature required and named above it is NOT supported. Therefor make use of SAN wildcard only. Some other interface like the internal Edge NIC for example do never support a wildcard, also not if this is defined optional.
If you follow a simple advice, make use for wildcard certificates ONLY on the Reverse Proxy and NOT on the internal / Edge servers at anytime.
Skype for Business Server 2015:
Exchange UM and UC Integration is not covered in this article yet. Please check with your Exchange department first if they support wildcard.