Wildcard Certificate Support in Skype for Business

Coming back to the most common question about certificates in Skype for Business and Lync Server.

Can we use Wildcard Certificates in Skype for Business or Lync Server?


The simple answer is: YES and NO.

First, let's have a look at a certificate:

A certificate has a Common Name (CN) and Subject Alternative Names (SAN).
A classic wildcard certificate is one whose CN looks like: CN=*.domain.com



In Skype for Business the main reason for using certificates is TLS/MTLS data encryption; the other is server authentication/validation.
Skype for Business uses the Common Name (CN) for authentication/validation trust.


Only if a server within the topology, or a federation partner, presents a valid certificate whose Common Name (CN) matches its FQDN can the entire traffic flow be secured with TLS/MTLS.



Therefore, using the FQDN of the server or the pool as the CN is RECOMMENDED!





A valid certificate that carries the wildcard in its SAN entries could look like this:


CN  = POOL01.DOMAIN.COM
+
SAN = POOL01.DOMAIN.COM
SAN = SIP.DOMAIN.COM
SAN = *.DOMAIN.COM





A dedicated article for Skype for Business does not exist yet; refer to: Environmental requirements for Skype for Business Server 2015.
An internal deployment guide does exist here: https://technet.microsoft.com/en-us/library/dn933910.aspx
It addresses the issue in the same way as for Lync 2010 and Lync 2013.


SUMMARY:

Please carefully consider the use of a wildcard certificate. Even if you find that a certificate with a wildcard CN appears to work, it is NOT supported because of the CN-based validation described above. Therefore use a wildcard in the SAN only. Some other interfaces, such as the internal Edge NIC, never support a wildcard, not even where the name is defined as optional.

If you follow one simple piece of advice: use wildcard certificates ONLY on the Reverse Proxy and NEVER on the internal servers or the Edge servers.
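To make the rule from the certificate layout above and from this summary concrete, here is an added example (not code from the original post and not anything from Microsoft or Skype for Business itself). It models a certificate as a plain dict with a CN and a SAN list, implements RFC 6125-style wildcard matching for the SAN entries, and applies the strict CN check the post describes. The two sample certificates and all host names are constructed for illustration.

```python
# Added example (not code from the original post or from Microsoft):
# models the certificate-name rule described in the post. An internal
# Skype for Business server or pool is accepted only when the
# certificate's Common Name is its exact FQDN; a wildcard may appear
# in the Subject Alternative Names. All certificate data is constructed.

# Constructed sample certificates, represented as plain dicts.
CN_WILDCARD_CERT = {  # classic wildcard certificate: CN=*.domain.com
    "cn": "*.domain.com",
    "san": ["*.domain.com"],
}
SAN_WILDCARD_CERT = {  # layout the post recommends: CN is the pool FQDN
    "cn": "POOL01.DOMAIN.COM",
    "san": ["POOL01.DOMAIN.COM", "SIP.DOMAIN.COM", "*.DOMAIN.COM"],
}


def _normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop a trailing dot."""
    return name.strip().lower().rstrip(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: '*' is allowed only as the whole leftmost
    label and stands for exactly one label. So '*.domain.com' matches
    'sip.domain.com' but neither 'domain.com' nor 'a.b.domain.com'."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial or non-leftmost wildcards are rejected
    if len(p_labels) < 3:
        return False  # refuse overly broad patterns such as '*.com'
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cn_matches_strict(cert: dict, fqdn: str) -> bool:
    """The CN-based trust the post describes: the CN must be the literal
    FQDN, so a wildcard CN never satisfies it."""
    return _normalize(cert["cn"]) == _normalize(fqdn)


def san_matches(cert: dict, fqdn: str) -> bool:
    """Ordinary SAN validation, where a wildcard entry is honoured."""
    return any(wildcard_matches(san, fqdn) for san in cert["san"])


def supported_for_server(cert: dict, fqdn: str) -> bool:
    """Acceptable for an internal server or pool only when the CN is that
    server's FQDN. The name must also be covered by a SAN entry (exact or
    wildcard), since standard TLS validators consult the SAN list; the
    post's sample certificate lists the pool FQDN in the SAN for that
    reason. A wildcard CN alone is never enough."""
    return cn_matches_strict(cert, fqdn) and san_matches(cert, fqdn)


def explain(cert: dict, fqdn: str) -> str:
    """Human-readable verdict for one certificate/FQDN pair."""
    verdict = "supported" if supported_for_server(cert, fqdn) else "NOT supported"
    return (f"{fqdn}: CN exact={cn_matches_strict(cert, fqdn)}, "
            f"SAN covered={san_matches(cert, fqdn)} -> {verdict}")


if __name__ == "__main__":
    for cert in (CN_WILDCARD_CERT, SAN_WILDCARD_CERT):
        print(f"CN={cert['cn']} SAN={cert['san']}")
        print("  " + explain(cert, "pool01.domain.com"))
```

Running it shows the point of the post: the CN-wildcard certificate covers pool01.domain.com through its SAN, so a generic TLS client would accept it, yet it fails the exact-CN check and is therefore reported as NOT supported, while the certificate with CN=POOL01.DOMAIN.COM and the wildcard only in the SAN passes.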





As reference:
Lync 2010:
https://technet.microsoft.com/en-us/library/hh202161(v=ocs.14).aspx
Lync 2013:
https://technet.microsoft.com/en-us/library/hh202161(v=ocs.15).aspx

Skype for Business Server 2015:
https://technet.microsoft.com/EN-US/library/dn933910.aspx#Certs




NOTE:
Exchange UM and UC integration is not covered in this article yet. Please check with your Exchange team first whether they support wildcard certificates.

