Certificate re-key to change signature algorithm in Lync Server (SHA-1 to SHA-2)

Recently, I received an e-mail from GoDaddy asking me to renew older certificates that were signed with the SHA-1 algorithm, because:

Google® is making a shift in their Chrome™ Web browser to phase out any SSL certificates which use an old encryption algorithm (SHA-1) and expire after Dec. 31, 2015

By default, all new or recently renewed certificates should use the SHA-2 algorithm:


For Lync environments, this change only affects users who use Chrome to access the Lync Web Services, such as joining or scheduling a meeting and accessing the Dial-in conferencing settings. The good news is that Lync Server supports both algorithms:

Lync Server 2013

All certificates must be signed using a signing algorithm supported by the operating system. Lync Server 2013 supports the SHA-1 and SHA-2 suite of digest sizes (224, 256, 384 and 512-bit)
in Certificate infrastructure requirements for Lync Server 2013

Lync Server 2010

Lync Server 2010 support includes support for SHA-256 certificates for connections from clients running the Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7 operating systems, in addition to Lync 2010 Phone Edition. To support external access using SHA-256, the external certificate is issued by a public CA using SHA-256.
in Configuring Certificates for Standard Edition Servers
Note: I only found reference to SHA-2 in Lync Server 2010 Standard Edition TechNet.

When the certificate is ready, GoDaddy allows you to download the certificate and the Intermediate CA certificates. The P7B file includes two Intermediate CA certificates:


This doesn’t mean that the Go Daddy Root Certificate Authority – G2 certificate isn’t valid any more; it means that GoDaddy is using cross-signed certificates, which is why there are two possible certification chains.



The difference between these two certification chains is that the Go Daddy Class 2 Certification Authority root uses SHA-1, while the Go Daddy Root Certificate Authority – G2 root uses SHA-2. We can check which algorithm was used to sign our certificate in the Certificate -> Details tab (the Signature algorithm field):

Go Daddy Class 2 Certification Authority


Go Daddy Root Certificate Authority – G2


We can test this in a lab environment. The first step is to install the Intermediate Go Daddy Root Certificate Authority – G2 certificate. Then we need to disable the Go Daddy Root Certificate Authority – G2 root certificate: select the certificate, right-click it and open Properties:


In the Properties window, select Disable all purposes for this certificate:


After disabling the certificate, I recommend rebooting the server.

Finally, to check the chain, open the certificate and then select Certification Path:


If you only disabled the Go Daddy Root Certificate Authority – G2 certificate and didn’t install the Intermediate one, you will get a warning:


For reference, here is the original chain:


We can also use the DigiCert – SSL Certificate Checker (https://www.digicert.com/help/):

Go Daddy Class 2 Certification Authority as Root CA


Go Daddy Root Certificate Authority – G2 as Root CA


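The same checks from the Lync Server Management Shell instead of the certificate MMC, as an added example that is not part of the original post: it walks the certification path of every certificate Lync has assigned and flags the elements that are still signed with SHA-1, so a chain that ends at the SHA-1 Class 2 root stands out. It assumes Get-CsCertificate is available (Lync Server Management Shell) and that the script runs elevated on the Lync server; the function name is my own.

```powershell
# Added example (not from the original post). Report the signature algorithm of
# each certificate Lync Server has assigned and of every certificate in its
# chain, so SHA-1 links (leaf, intermediate or root) are easy to spot.
# Assumes: Lync Server Management Shell (Get-CsCertificate) and an elevated session.
function Get-LyncCertificateChainReport {
    foreach ($csCert in Get-CsCertificate) {
        # Look the assigned certificate up in the computer's personal store
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $csCert.Thumbprint } |
            Select-Object -First 1
        if (-not $cert) { continue }

        # Build the chain the way the OS does on this machine, so a disabled
        # root or a missing cross-signed intermediate shows up in ChainStatus
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only signature algorithms matter here
        $built = $chain.Build($cert)

        for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
            $element = $chain.ChainElements[$i].Certificate
            $alg = $element.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            [pscustomobject]@{
                Use         = $csCert.Use
                Depth       = $i                              # 0 = leaf, last = root
                Subject     = $element.Subject
                Algorithm   = $alg
                IsSha1      = ($alg -match '^sha1')
                ChainValid  = $built
                ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            }
        }
        $chain.Reset()
    }
}

# Show one row per chain element; IsSha1 = True marks the links to replace
Get-LyncCertificateChainReport | Format-Table -AutoSize
```

A chain whose last element reports sha1RSA is the Go Daddy Class 2 path described above; after installing the cross-signed intermediate and disabling the G2 root in the lab, the Depth of the root element and ChainStatus show whether the path the server builds has changed.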

5 thoughts on “Certificate re-key to change signature algorithm in Lync Server (SHA-1 to SHA-2)”

1. That blog talks about root certificates. We are on updated firmware much newer than that blog and I can confirm that if the web service certificates are signed SHA-2, Polycom phones do not work when you enroll them. Thankfully, they do seem to work fine if they are already enrolled, so at least we have some time to figure this out. This is really annoying.

2. Thanks for the feedback. If your phone is already enrolled it won't require a certificate; maybe when that certificate expires you will experience that issue again.
   Which phones did you have issues with? CX700 or CX600?
   Right now I am only able to test with Polycom VVX series and I can confirm they work with SHA-2 certificates.
