The new certificate maintenance feature in Lync Server 2013 Preview allows Lync Server administrators to acquire and stage Edge service certificates and/or a new server-to-server authentication (OAuth) prior to the expiration of the current certificate. The new certificate feature works in conjunction with the current certificate to ensure that at expiration time of the current certificate, there is virtually no loss of service. If you have ever run into the situation where an important meeting is coming up on the day that your Audio/Video (A/V) Edge service certificate is set to expire and interruption in service is not an acceptable option, then this feature is for you.

This article outlines how the feature works, how to stage a new certificate, and how the actual process functions between the existing certificate and the newly staged certificate.

Author: Rick Kingslan, Microsoft Senior Technical Writer

Publication date: October 9, 2012

Product version: Lync Server 2013 Preview

Let’s assume your company holds an annual shareholder meeting where the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) present the company’s annual report to shareholders and the press. The last thing that your company wants is for the meeting to be disrupted by a poorly timed expiration of the certificate assigned to dole out tokens and validate meeting participants. You recently upgraded to Lync Server 2013 Preview. But it’s just your luck – the meeting is due to start at 2 PM local time, and the currently assigned A/V Edge service certificate is scheduled to expire at 2:36 PM that very same day. You know this by looking at the current certificate and seeing that the expiration date is the date of the meeting, and the time is 2:36 PM.

At this point, you have two options. You can quit your job, leave the problem for someone else and schedule a date on Dr. Phil’s show to talk out your problems. Or, better yet – you can acquire a new A/V Edge service certificate and use this new feature in Lync Server 2013 Preview to stage the new certificate. Assign the new certificate an effective time and provision it in advance of the expiration of the old certificate. The overlap time, a period of time when both certificates are referenced to validate clients, appears to be a perfect solution.

Let’s take a detailed look at how this works in actual practice.

Staging a New Certificate with the Current One Still in Place

The default client A/V token lifetime is eight hours. The token, issued by the A/V Edge service in conjunction with the media relay authentication service (MRAS), is responsible for authenticating clients and authorizing ports in the 50,000 to 59,999 media port range. If a client token expires, the client cannot be authenticated and ports cannot be authorized for use. In the normal token renewal process, 15 minutes prior to token expiration, the client requests a new token with a new eight hour lifetime. Tokens are reissued based on the current certificate. With Lync Server 2013 Preview, if the current certificate is due to expire, the stop-gap measure provides a new certificate that can issue new tokens, while the expiring certificate continues to validate the currently valid existing tokens.

The meeting starts at 2 PM and the current certificate expires at 2:36 PM. Shareholder meetings last longer than 36 minutes, so our administrator has a problem. This problem is easily resolved with a cool new feature that manages the lifetime and minimizes the potential of that certificates will expire at a crucial time. (Like, during a shareholder’s meeting conducted by our administrator’s CEO and CFO—usually very nice people, but having their meeting disrupted may bring out the worst in anyone. Our administrator doesn’t want to see what the potential ire of an executive might look like. And, so the dilemma of the Dr. Phil visit arises again.)

To address this problem our admin plans ahead and requests the certificate a week or two in advance of the expiration. This ensures that the certificate is available well in advance of the staging time.

The administrator requests an AudioVideoAuthentication certificate. When the admin receives the signed certificate, he imports the certificate to the Edge Server or servers (if this is a pool). The admin opens the Lync Server Management Shell and sets the Set-CsCertificate cmdlet parameters to: –Type “AudioVideoAuthentication” –Roll and –EffectiveDate <string: date and time for certificate to become active>.

If our admin concludes that the certificate will expire at 2:36 PM and the default A/V token lifetime is eight hours, then the effective time (defined by the EffectiveDate parameter) should be at least eight hours prior to the certificate expiration—6:36 AM on the date of the certificate expiration to account for the default lifetime of a token.

During the time period when both the current and new certificates are in place:

The new certificate:

  • Creates new tokens to replace expiring old tokens, created by the current certificate.
  • Validates tokens issued with the new certificate.

The current certificate:

  • Validates existing tokens created with the current certificate.

The new certificate is not able to validate tokens created by the current certificate, nor will new tokens be validated by the current certificate. Visually, the current and new certificate process looks like the timeline in Figure 1:

Figure 1 – Timeline description of certificate process

Procedurally, the administrator does the following:

1. Requests a new or renewal certificate for the AV Edge service.

2. Imports the new certificate to the Edge Server or servers (same certificate is copied to all Edge Servers in a pool with the private key).

3. Opens Lync Server Management Shell.

4. At the command line, types:

Set-CsCertificate –Type “AudioVideoAuthentication” –Roll

–Thumbprint “caef14af5fd946ee9788d8491098fb44b6bcbef8”

–EffectiveDate “10/26/2012 6:37:00 AM”

5. The last date and time the administrator can deploy the new certificates is 6:36:59 AM on the date of the expiration (expiration time minus 8 hours)

6. At EffectiveDate time, test current and new certificate application to confirm that the tokens of existing sessions and new sessions are successful.

7. After the date and time for the current certificate has passed, the current certificate becomes an expired certificate. The new certificate becomes the current certificate. To remove the expired certificate type the following in the Lync Server Management Shell:

Remove-CsCertificate –Type “AudioVideoAuthentication”

Adjust accordingly for the actual certificate that is in place. Type may be of type Default if you have a combined purpose certificate. If the certificate is used for the types AccessEdgeExternal, AudioVideoAuthentication, and DataEdgeExternal, it is expired for all three purposes. Removing it has no effect on the other Edge services. You should have already updated and replaced the AccessEdgeExternal and DataEdgeExternal certificate as well.

A few of important points:

If you use the default certificate arrangement called “Default”, the A/V Edge service certificate is coupled to the other purposes for the Edge Server. You have two options—the recommended option is to decouple the certificate types in order to update the AudioVideoAuthentication at any time:

  • Order two certificates, one with types AccessEdgeExternal and DataEdgeExternal, and one with AudioVideoAuthentication. Stage the AudioVideoAuthentication certificate as described. However, if you are currently using a type ‘Default’ certificate, you can’t remove the certificate that is acting for the types AccessEdgeExternal and DataEdgeExternal (for example instant messaging functionality and Web Conferencing functionality, respectively) without affecting the AudioVideoAuthentication certificate because they are all coupled on the same certificate. You need to wait until after the current certificate expires before you can remove and replace the current certificate with the new certificate. If you remove and replace it before the old certificate expires, you will unintentionally remove the current AudioVideoAuthentication certificate that is still validating those tokens issued over the default token lifetime. There will be no overlap period and A/V sessions will fail as tokens try to validate to the certificate that is no longer in place.
  • Order a new (essentially a renewal) type Default certificate with the types AccessEdgeExternal, AudioVideoAuthentication, and DataEdgeExternal. Stage the certificate as described. Before the certificate expires, use Set-CsCertificate and the –Roll parameter to bind the new Default certificate to the Access Edge service (AccessedgeExternal), the Web Conferencing Edge service (DataEdgeExternal), and the Audio/Video Authentication service (Yes, you can use –Roll with the default certificate, or if you want to order three certificates and manage them each as distinct certificates). Remove the current (or soon-to-expire) certificate after the certificate has expired. All three Edge services will now use the new certificate.
  • The same process can be applied to the certificate type OAuthTokenIssuer. The OAuth certificate is replicated to all servers in your deployment and needs to be requested and assigned at only one server, for example a Front End Server. The OAuth certificate is responsible for server-to-server authentication for all servers in your deployment, including authentication to Exchange Servers and to SharePoint Servers that are used with Lync Server.

IMPORTANT:

The timing requirements for the OAuthTokenIssuer certificate is slightly different from the other server role certificate types. Because of the wide scope of the certificate and the requirements for components that use the certificate for server-to-server authentication, you must plan at least 24 hours of overlap for the OAuthTokenIssuer. This means that if your current certificate expires at 10/26/2012 2:36 PM, you must set the -EffectiveDate parameter for the OAuth certificate no later than 10/25/2012 2:35 PM.

Our intrepid admin might ask—“Why can’t I just stage any Edge service certificate?” Actually, you can by using the same -Roll parameter, and adjusting the certificate –Type to match the purpose. But, in our scenario our administrator was interested in the AudioVideoAuthentication, given the upcoming shareholder’s meeting. Any interruption in audio or video token creation or certificate validity, results in the loss of client audio and video streams.

Summary

Minimizing and eliminating interruption for your users – regardless if it’s the CEO and CFO or not – should always be a goal. The –Roll feature combined with the –EffectiveDate parameter for the A/V Edge service and OAuthTokenIssuer certificates (as well as the Access Proxy certificate and the Web Conferencing certificate) allows you to better manage your Edge Server certificates and be more proactive about the pending expiration of infrastructure and service certificates.

Additional Information

To learn more, check out the following articles:

Lync Server Resources

We Want to Hear from You

Keywords: certificate, audio, video, edge, roll, effectivedate, oauth