CNG Certificates and Lync/TMG

#en, #lync, #skype4b

The other day I had a problem assigning certificates to a Lync 2013 Edge Server, today I had the same thing with TMG 2010. Here’s a quick summary, and the solution ;)

Problem

I tried to assign an existing certificate to a Lync Edge Server. It did not work using the Deployment Wizard; I tried the PowerShell command and it didn’t work, either.

Every time I tried to “Set-CsCertificate” I would get the following error:

“Set-CsCertificate: Command execution failed: The buffer supplied to a Function was too small.”

Kind of the same thing happened with TMG Server: I tried to assign a certificate to a Web Listener and it would not show up in the Wizard. When I unchecked the “Show only valid Certificates” checkbox, the certificate in question would show with an error saying:

“Incorrect Key Type”

Solution

The solution is to export the certificate, including the private key, to a .pfx file. Copy the .pfx file to some workstation with Firefox installed and import the certificate into Firefox.


Now use Firefox to “backup” the certificate; this will create a .p12 file, again containing the private key. Copy the .p12 file back to the server, delete the existing certificate, and then import the .p12 file using the MMC Certificates snap-in.

Warning: Before deleting the certificate from the Server, make sure you have a working backup (like the .pfx file) or you will have to get a new one.

Try to assign the Certificate to a Lync Service or a TMG Web Listener and enjoy.

I realize that this sounds pretty silly at first, if you want more detail, keep on reading :)

Background

If you are still reading, there is a little more information for you. The certificates in question were using something called “Cryptography Next Generation” (CNG), the set of cryptographic APIs introduced with Windows Vista and Server 2008 as the successor to the older CryptoAPI (CAPI). When creating a custom certificate request, one can select the “Template” to use; this is not the certificate template but, if you will, the “Crypto Provider”, i.e. whether the private key will be created as a CNG key or as a legacy (CAPI) key.


The certificates that I mentioned have all been requested using the CNG Template. Importing/exporting them in Firefox seems to fix this, maybe because Firefox prefers CAPI over CNG? If you have any information on this topic, please leave a comment.
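Before going through the Firefox round-trip it helps to know which provider actually holds a certificate’s private key. The script below is an added example, not code from the original post; it assumes the certificate sits in the local machine’s Personal store (Cert:\LocalMachine\My), that certutil.exe is on the path, and Windows PowerShell 3.0 or later running elevated.

```powershell
# Added example (not from the original post): report whether a machine
# certificate's private key is held by a legacy CAPI CSP or by a CNG key
# storage provider (KSP). The symptoms described in the post came from
# CNG-backed keys.
# Assumptions: certificate is in Cert:\LocalMachine\My, certutil.exe is on
# the path (it ships with Windows), PowerShell 3.0+, elevated prompt so the
# machine key container can be read.
function Get-PrivateKeyProvider {
    [CmdletBinding()]
    param([Parameter(Mandatory=$true)][string]$Thumbprint)

    # Accept thumbprints pasted from the MMC (spaces, colons, stray characters).
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in LocalMachine\My."
    }

    # certutil prints the key container and its provider for each private key.
    # Any "... Key Storage Provider" (e.g. Microsoft Software Key Storage
    # Provider) is CNG; names such as "Microsoft RSA SChannel Cryptographic
    # Provider" are legacy CAPI CSPs.
    $provider = $null
    foreach ($line in (& certutil.exe -store My $Thumbprint 2>&1)) {
        if ($line -match '^\s*Provider\s*=\s*(.+?)\s*$') { $provider = $Matches[1]; break }
    }
    if (-not $provider) {
        throw "certutil reported no key provider for $Thumbprint; check that this account can read the key."
    }
    $isCng = $provider -like '*Key Storage Provider*'
    $keyStorage = if ($isCng) { 'CNG (KSP)' } else { 'CAPI (CSP)' }

    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        Provider     = $provider
        KeyStorage   = $keyStorage
        # In the post, only CAPI-backed keys could be assigned in Lync/TMG.
        LegacyCspKey = -not $isCng
    }
}

# Usage: list every machine certificate that has a private key and flag the CNG ones.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Get-PrivateKeyProvider -Thumbprint $_.Thumbprint } |
    Format-Table Subject, KeyStorage, Provider -AutoSize
```

If a key turns out to be CNG-backed, re-importing the .pfx with certutil into a legacy CSP (`certutil -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx <file>.pfx`) is an alternative to the Firefox round-trip described above; afterwards the same check should report CAPI (CSP).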

More info on Crypto Next Generation is available on TechNet: http://technet.microsoft.com/en-us/library/cc730763(WS.10).aspx

Cheers,
tom