Request/Renewing Skype for Business Server 2015 Certificates

Here are the steps to request or renew certificates in Skype for Business Server 2015.

Most of the steps are similar to Lync Server 2010/2013, so to start let’s go to the well-known Deployment Wizard Step 3 and click Run or Run Again (depending on if you are requesting for the first time or renewing the certificates).

Skype4B-ReqCert01

Now, in Certificate Wizard, we select the proper certificate and then click Request:

Skype4B-ReqCert02

The Certificate Request wizard will open and we can notice that this user interface changed from Lync Server 2010/2013. Now we have all the basic information to request a certificate consolidated in a single window:

Skype4B-ReqCert03

Note: In the Edge Server, the certificate request is the same as in Lync Server 2010/2013, therefore we don’t have the new consolidated view.

We can use the Advanced mode (also known as old Lync Server 2013 mode), in case we need to specify one of the following settings:

  • Create an Offline Request

Skype4B-ReqCert04

  • Specify another CA

Skype4B-ReqCert05

  • Specify different CA credentials

Skype4B-ReqCert06

  • Use a different Certificate Template

Skype4B-ReqCert07

  • Change key bit length and/or Mark the certificate private key as exportable

Skype4B-ReqCert08

  • Add additional SAN names

Skype4B-ReqCert09

After that, we will return to the initial Certificate Request screen. Don’t forget to select the SIP Domains served by this server:

Skype4B-ReqCert10

In the next screen, check if all the details are correct:

Skype4B-ReqCert11

If the certificate request is successful, we get Task status: Completed:

Skype4B-ReqCert12

Continuing with our request, select the Assign this certificate to Skype for Business Server certificate usages option:

Skype4B-ReqCert13

Note: Before requesting a new certificate, we need to make sure that the Root CA certificate is installed in the Trusted Root Certification Authorities under the Local Computer Certificate Store:

Skype4B-ReqCert14

The Certificate Assignment wizard will be launched, and we can view the details or continue:

Before assigning the certificate, we need to verify the details:

Skype4B-ReqCert16

Task status: Completed confirms that the certificate was correctly assigned:

Skype4B-ReqCert17

We have just assigned the new certificate, so all we need now is to restart the services on the Front End. In case we have a Front End Enterprise Pool, keep in mind that we need to check if there are enough Front End servers running before restarting the services. In order to do this, simply use the Get-CsUpdatePoolReadiness.

Finally, if there are enough Front End servers to keep the pool running, we can proceed and restart the services:

Stop-CsWindowsService
Start-CsWindowsService