Update 2023/04/17 – Script available at PowerShell Gallery
Install-Script Test-CertificateStore
Test-CertificateStore
Update 2019/06/10 – Added Check #7 for expired certificates.
The checks described in this article are the ones we normally run during troubleshooting. Some of these conditions already produce specific error events, but the objective here is to catch them before those events occur.
We plan to keep the post updated and add more checks as we identify useful ones. We also kindly ask you to add a comment with any test you think would make a good addition to the list.
Check #1 – Misplaced certificates in Trusted Root CA
Some of us have already experienced issues caused by misplaced certificates in Trusted Root CA. Windows Server 2012 started checking for misplaced certificates, and this affected Lync Server 2013:
Lync Server 2013 Front-End service cannot start in Windows Server 2012
In order to check this, we can use the PowerShell cmdlet mentioned in the above article or this one instead:
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Select Issuer, Subject, Thumbprint | fl
To solve this we need to move the certificate to the proper Store. In this case, we should move it to the Intermediate Certification Authority.
Check #2 – Duplicates in Trusted Root CA
Although this should not affect Lync/Skype4B, it is better to check for duplicates and delete them:
Get-Childitem cert:\LocalMachine\root | Group-Object -Property Thumbprint | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | Select FriendlyName, Issuer, Subject, Thumbprint | fl
Check #3 – More than 100 certificates in Trusted Root CA
This is really important, as it may cause sign-in issues for users. Most of the time, we have fewer than 50 certificates.
Get-Childitem cert:\LocalMachine\root | Measure
To solve this we have to keep just the certificates that we need. On a Front End this is actually an easy task, but on an Edge Server we need to be more careful, since federation with other Lync/SfB Server environments might break if we delete the wrong certificate.
Check #4 – Root CA certificates in Personal Store
Just to have things nice and tidy, we should move these certificates to the Trusted Root CA. But before that, it’s recommended to check whether they are already there, otherwise we might end up with duplicates.
Get-Childitem cert:\LocalMachine\my -Recurse | Where-Object {$_.Issuer -eq $_.Subject} | Select FriendlyName, Issuer, Subject, Thumbprint | fl
Check #5 – Duplicated Friendly Name
Usually, we set different Friendly Names so it is easier to assign the certificate. In this case, however, it is actually a requirement:
Note: Each certificate Friendly Name must be unique in the computer store.
Certificate requirements for internal servers in Lync Server 2013
Again, a simple PowerShell cmdlet:
Get-Childitem cert:\LocalMachine\my | Group-Object -Property FriendlyName | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | Select FriendlyName, Issuer, Subject, Thumbprint | fl
Check #6 – Misplaced Root CA certificates in Intermediate CA store (Suggested in the comments)
Get-ChildItem Cert:\LocalMachine\CA | Where-Object {$_.Issuer -eq $_.Subject} | Select Issuer, Subject, Thumbprint | fl
Check #7 – Expired certificates in Root, Intermediate and Personal Store
Expired certificates should be removed since they aren’t valid anymore.
Personal
Get-ChildItem Cert:\LocalMachine\My | ?{$_.NotAfter -le (Get-Date) } | Select Issuer, Subject, Thumbprint, NotAfter | fl
Root
Get-ChildItem Cert:\LocalMachine\Root | ?{$_.NotAfter -le (Get-Date)} | Select Issuer, Subject, Thumbprint, NotAfter | fl
Intermediate
Get-ChildItem Cert:\LocalMachine\CA | ?{$_.NotAfter -le (Get-Date)} | Select Issuer, Subject, Thumbprint, NotAfter | fl
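As an added example (not the article's Test-CertificateStore script), the following function combines all seven checks into one read-only audit and returns one finding object per issue, so the result can be sorted, exported or compared across servers; the function name, the -MaxRootCertificates parameter and the Detail wording are my own conventions. It must run in an elevated prompt to read the LocalMachine stores.

```powershell
# Added example: read-only audit of the seven checks above. Nothing is moved or deleted.
function Get-CertificateStoreFinding {
    [CmdletBinding()]
    param(
        # Check #3 threshold from the article; lower it if your baseline is smaller
        [int]$MaxRootCertificates = 100
    )
    $now  = Get-Date
    $root = @(Get-ChildItem Cert:\LocalMachine\Root)
    $ca   = @(Get-ChildItem Cert:\LocalMachine\CA)
    $my   = @(Get-ChildItem Cert:\LocalMachine\My)

    # Helper: one uniform finding object ($Cert may be $null for store-level findings)
    function New-Finding($Check, $Store, $Cert, $Detail) {
        [pscustomobject]@{
            Check = $Check; Store = $Store; Detail = $Detail
            Subject = $Cert.Subject; Issuer = $Cert.Issuer
            Thumbprint = $Cert.Thumbprint; NotAfter = $Cert.NotAfter
        }
    }
    # #1 Trusted Root should only hold self-signed certificates
    foreach ($c in $root | Where-Object { $_.Issuer -ne $_.Subject }) {
        New-Finding 1 'Root' $c 'Not self-signed; belongs in the Intermediate (CA) store'
    }
    # #2 Same thumbprint installed more than once in Trusted Root
    foreach ($g in $root | Group-Object Thumbprint | Where-Object Count -gt 1) {
        New-Finding 2 'Root' $g.Group[0] "Thumbprint present $($g.Count) times"
    }
    # #3 Oversized Trusted Root store (sign-in issues)
    if ($root.Count -gt $MaxRootCertificates) {
        New-Finding 3 'Root' $null "$($root.Count) certificates (limit $MaxRootCertificates)"
    }
    # #4 Root CA certificates in Personal; note whether Root already has a copy
    foreach ($c in $my | Where-Object { $_.Issuer -eq $_.Subject }) {
        $inRoot = $root.Thumbprint -contains $c.Thumbprint
        New-Finding 4 'My' $c $(if ($inRoot) { 'Root CA already present in Root; duplicate' }
                                else { 'Root CA; belongs in the Root store' })
    }
    # #5 Friendly Name must be unique in the computer store (empty names ignored)
    foreach ($g in $my | Where-Object { $_.FriendlyName } |
                 Group-Object FriendlyName | Where-Object Count -gt 1) {
        foreach ($c in $g.Group) { New-Finding 5 'My' $c "FriendlyName '$($g.Name)' used $($g.Count) times" }
    }
    # #6 Self-signed (root) certificates sitting in Intermediate
    foreach ($c in $ca | Where-Object { $_.Issuer -eq $_.Subject }) {
        New-Finding 6 'CA' $c 'Self-signed; belongs in the Root store'
    }
    # #7 Expired certificates in all three stores
    foreach ($pair in @(@('Root', $root), @('CA', $ca), @('My', $my))) {
        foreach ($c in $pair[1] | Where-Object { $_.NotAfter -le $now }) {
            New-Finding 7 $pair[0] $c "Expired on $($c.NotAfter.ToString('u'))"
        }
    }
}
Get-CertificateStoreFinding | Sort-Object Check, Store | Format-Table -AutoSize
```

The function only reports; moving or removing a certificate stays a separate, deliberate step after each finding is reviewed, which matters most on an Edge Server where a federation partner's root may be among the candidates.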