SBM powered by Microsoft Lync Administrator's Guide 2010-11

A-47
Ready the Data Center for an SBM Deployment
Ready a Certificate for the SBM
Whether you generate the certificate/private key file on your own Windows
CA or obtain it from a third-party CA, the certificate must meet these criteria:

- Generated with the Web Server template, or provides the same key and
  extended key usages as this template:
    Key usages: digitalSignature, keyEncipherment
    Extended key usages: serverAuth

- Follows these guidelines for the subject name:
    The subject name is a distinguished name (DN) in which the SBM’s
    FQDN is the common name (CN). This FQDN must match the one that the
    Lync Server engineers are using for the SBM. The DN can include other
    components such as the organization, locality, and so forth; Table A-2
    lists these components and their format in the subject name.
    The subject alternate name (SAN) is the SBM’s FQDN. If the SBM can
    be contacted at more than one FQDN, those FQDNs are also listed as
    subject alternate names.

- Includes an exportable private key (which should be protected with a
  strong password).

Caution: If the private key is not explicitly marked as exportable, the
installation will fail. The Media Gateway will not be able to start.
If the subject name does not meet the requirements listed, the installation
will fail. The Lync services will fail to start.

Table A-2. Certificate Information Fields

Components of the DN    Format in Subject Name    Example Name
Organizational unit     OU=<value in field>       CN=hp-sbm.example.hp.com,OU=Branch,
Country                 C=<selected country>      C=AR,S=Buenos Aires D.F.,L=Buenos Aires
State/Province          S=<value in field>
City/Location           L=<value in field>

SBM Administrator Creates and Submits a Request

This option has the security advantage that the private key is generated on the
SBM and never leaves it. In addition, the SBM installer does not require any
special domain permissions to generate the request. This option does, however,
leave it up to the SBM administrator to enter the correct information for
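The following is an added example, not part of this guide or of HP's installer, of a certreq request file that satisfies the certificate criteria above when the SBM administrator generates the request on the SBM itself. certreq and its INF keys are standard Windows CA tooling; the FQDN and DN components are the Table A-2 placeholders, and the file names are assumptions.

```powershell
# Added example: build a certreq INF that meets the SBM certificate criteria,
# then generate the request on the SBM so the private key never leaves it.
# The FQDN and DN components are the Table A-2 placeholders; replace them with
# the values agreed with the Lync Server engineers.
$Fqdn = 'hp-sbm.example.hp.com'
$SanFqdns = @($Fqdn)   # add any other FQDNs the SBM can be contacted at

# Each SAN becomes a "dns=" line; every line except the last ends with "&".
$SanLines = for ($i = 0; $i -lt $SanFqdns.Count; $i++) {
    $sep = if ($i -lt $SanFqdns.Count - 1) { '&' } else { '' }
    "_continue_ = `"dns=$($SanFqdns[$i])$sep`""
}

$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
; CN is the SBM FQDN; the remaining components follow Table A-2
Subject = "CN=$Fqdn,OU=Branch,C=AR,S=Buenos Aires D.F.,L=Buenos Aires"
KeyLength = 2048
; KeySpec 1 = key exchange, required for keyEncipherment
KeySpec = 1
; 0xA0 = digitalSignature (0x80) + keyEncipherment (0x20)
KeyUsage = 0xA0
; the SBM installer fails if the key is not marked exportable
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; serverAuth, as in the Web Server template
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 = Subject Alternative Name
2.5.29.17 = "{text}"
$($SanLines -join "`r`n")

[RequestAttributes]
CertificateTemplate = WebServer
"@

Set-Content -Path .\sbm.inf -Value $Inf -Encoding ASCII
# Creates the key pair in the local machine store and writes the PKCS#10 request
certreq -new .\sbm.inf .\sbm.req
# After the CA returns the issued certificate (sbm.cer), bind it to the key:
# certreq -accept .\sbm.cer
```

The resulting sbm.req contains only the public key and the requested subject, SANs and usages, so it can be handed to the CA without any domain permissions on the SBM.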