In Part 1 - We discussed our Lync Project goals, and prepped the domain, etc.
In Part 2 - We discussed a few Server/Infrastructure prep needs and the Lync Topology Builder
Today, we'll dive into Enterprise CA / PKI. To fully integrate Lync into your environment, especially when integrating with Exchange 2010 for UM, you need a functional PKI Ecosystem.
The Mirazon infrastructure already exists, so, I built out a test-lab environment for this walkthrough. Let's get started.
We'll assume we're going to build a single-function, domain-joined machine - CERTSERV - to be our Root CA. A simple 40gig C: drive, Server 2008 R2 machine will be great. We'll also assume that one or more Subordinate CAs will exist in your environment. These can be multi-function machines, and Domain Controllers might be a good choice for you.
Enterprise Root CA
Bring up Server Manager on your CERTSERV machine
You want to Add Roles
We are adding Certificate Authority
Yup, just like that. Click Next.
We want to add Web Enrollment. Click that box.
Web Enrollment needs IIS. Click Add Required Role Services.
Looks good, click Next.
We are adding Enterprise CA, Click Next.
Yes. We're adding the Root. Click Next.
We need a new Private Key. Click Next.
Length of 2048 s fine. Click Next.
This names your CN for the CA based on the Domain Name & Computer Name. Click Next.
Select your validity period for the CA - 5 years is Default. Click Next.
Verify installation location. Click Next.
You can now customize IIS if you need. Click Next.
Make adjustments (optional). Click Next.
Confirm your choices. Click Install.
Hooray! Root CA is done. Click Close.
Let's build a Subordinate CA
Remember, your Root CA is a single-use machine only. Those CA/PKI experts will tell you to fully protect your Root. All you do with the Root CA is authorize Subordinate CAs. You actually issue your certs from a Subordinate CA. So, let's do that.
We're going to use DC01 - Our Domain Controller - as our Subordinate CA. Open Server Manager, Add the Certificate Authority Role, etc. Everything is the same up until you get to the CA Type Screen
Choose Subordinate CA here. Click Next.
Create your new Private Key, 2048 length is fine, and your CN will be built.
This is where we actually get permission to be a Subordinate CA from the Root CA we just built. We're going to send the request "live" - click Browse.
It finds CERTSERV - Click OK.
All the options are filled in. Click Next.
Continue through the process just like the Root CA - customizing IIS if needed.
Great. You're done. Click Close.
Verify it worked
Now, let's go to the Root CA and look at the Issued Certificates
See the Subordinate CA there?
Anyway, I thought it was important to briefly (ha!) build our CA. Lync needs certificates - and we need a local CA for all the Mutual TLS stuff between servers. So, now you know how to build one if you don't already have it!
Stay tuned... UPDATE: Part 4 is now up...