One of the things I love most about working with Skype for Business and Microsoft UC is how much the platform bleeds into other technologies and products. The net result is that in addition to being subject matter experts, consultants are often very well versed in multiple disciplines and possess an extremely well rounded skill set. Whilst browsing the TechNet forums recently, I saw a post asking for guidance around extending the validity of Lync / Skype for Business certificates beyond the default setting of what is typically two years (environment depending of course). By the book this is in the skill set of an MCSE Server Infrastructure qualification; it’s a certificate authority configuration query, and the question could just have easily been around extending Exchange certificates rather than Skype for Business. But like I said… well rounded…
When a certificate authority (CA) generates an SSL certificate, the validity period (number of years a certificate is valid for) is dictated by four golden values. It’s the lowest of these values that takes precedence and thereby determines the validity period of the certificate:
1.) A certificate authority cannot issue a certificate with a validity period longer than what remains on it’s own root certificate. That is to say that if your root certificate only has 3 years remaining on it, then you will not be able to issue a certificate from that authority with a validity period of 5 years. You wont be prevented from generating the certificate, it will just have the validity period reduced accordingly.
2.) The template being used to generate the certificate has a predefined validity period associated to it. Unless you specify otherwise, in the Skype for Business world our certificates are generated using the web server certificate template. This template has a validity period of 2 years by default.
3.) Certificate requests (CSR’s) can be generated through a number of different methods. Some of these methods allow you to specify the validity period in the request itself, which in turn is honoured by the certificate authority when processing the certificate request. With Skype for Business we don’t typically worry about this, as the certificate wizard we use to generate and assign our certificates doesn’t have the ability to specify the validity period.
4.) The validity period registry setting on a certificate authority server is also pre-configured with a value of 2 years. Unless changed, this setting means that regardless of what template is used, and whatever might exist in the CSR, the certificate authority itself will never issue a certificate with a validity period of greater than 2 years.
So with the four golden rules freshly etched into our prefrontal cortex (the part of the brain that handles short term memory), we need to do a couple things if we want to extend the validity period of our Skype for Business SSL certificates.
– Update the certificate authority registry
– Create a new certificate template with an extended validity period
– Request and assign Skype for Business certificates based on our new template
Update Certificate Authority Registry
You can review and change the validity period registry setting on a certificate authority through PowerShell. The below screen shot contains everything we need to do this:
First we confirm that our validity period is being measured in years (default)
certutil -getreg cavalidityperiod
Then we check to see what the current validity period is (2 years by default)
certutil -getreg cavalidityperiodunits
Next we increase this value to the desired number of years (5 years in my case)
certutil -setreg cavalidityperiodunits 5
Finally we need to restart the certificate service on the CA itself
restart-service -name certsvc
That’s takes care of number 4 on our golden rules list. Remember that this isn’t specific to Skype for Business, and in making this change you’re allowing the CA to issue longer certificates regardless of template or purpose.
Create a New Certificate Template
Golden rule 2 stated that the web server template we use for our Skype for Business certificates has a predefined validity period of 2 years. We’re going to create a new certificate template based on the web server template, and change just the name and validity period values. This way all other certificate configuration options remain the same and we shouldn’t have any problems. Here’s how we create our new template…
2.) When the certificate templates console appears, scroll down and locate the web server template. Right click the web server template and select ‘duplicate’ to bring up the ‘new template properties’. From here we simply update the validity period and template name on the general tab and click OK once complete. The template should now be listed under its new name in the certificate templates console. (Its ok for the schema version of the new template to differ from the existing web server template version).
3.) Finally we need to issue the template. Close the certificate templates console if its still open so that we’re left with just the certificates snap-in again. Right click on the certificate templates folder in the left pane and select New > Certificate Template to Issue. Select your newly created template from the list that appears and click OK.
Request and Assign Skype for Business Certificates
At this point we’re good to go ahead and generate new certificates based on our extended template. I’m not going to run through the Skype for Business certificate wizard as I’m sure that’s familiar territory, but just two points of note;
1.) When you launch the certificate request wizard, you’ll need to hit the ‘advanced’ button in order to specify an alternate certificate template. If you don’t go through the advanced options then your certificate request will be based on the last used template, which will most likely be the default web server template (2 year validity).
2.) If you named your new template with spaces in the display name then that’s fine. However the CA would have automatically removed these in order to give it a valid short name. In my example my template display name is “Web Server (Extended)” which was automatically given a short name of “WebServer(Extended)”. It’s the short name you need to use in the certificate wizard when specifying your alternate template.
Finally, it’s also worth mentioning that default validity periods are considered healthy time frames for renewal of certificates for security reasons, and that the necessary due diligence should be performed in advance of making these types of changes… that’s it!