Lync Edge Certificate Issues

Are you having problems starting your Edge service role?

Is your Edge service going crazy about the certificate not being accessible?

Do you get this dreaded error message, Event ID 14591?

Event ID: 14591

Error 0xC3FC7D95 (LC_E_VALIDATION_CERT_NO_KEYEXCHANGE)

Cause: The certificate may have been deleted or may be invalid, or permissions are not set correctly.

Fear not, you are not alone. After banging my head against the wall for a few days, rebuilding the Edge server from scratch, and trying out a bunch of different certificate templates, I have finally found the solution…

Although Microsoft Windows is happy with many types of cryptographic providers, Lync, alas, only likes the "Microsoft RSA SChannel Cryptographic Provider".

Next time you issue a certificate, make sure you choose the "Microsoft RSA SChannel Cryptographic Provider".

To make this more informative, I have listed below the certificate template options that should be used for generating Lync certificates…

  • Don't select the option to publish to AD, as the Lync Edge server cannot access AD and is not authorized to do so.

Template - General Tab

  • Set the Purpose to "Signature & Encryption" and allow the private key to be exported.

Template - Request Handling Tab

  • Choose only the "Microsoft RSA SChannel Cryptographic Provider".

Template - CSP Selection

  • Set the Application Policies to "Server Authentication".

Template - Extensions Tab

  • Set the Key Usage to "Allow key exchange only with key encryption".

Template - Extensions Tab
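Before restarting the Edge service, it helps to verify that the certificate actually sitting in the Local Machine store matches the template settings above. The following PowerShell function is an added example, not part of the original post or a Microsoft tool; it reads a certificate by thumbprint (the thumbprint value is a placeholder you supply) and reports which provider holds the private key, whether the key is an exchange key, whether it is exportable and readable, and whether the Key Encipherment usage and Server Authentication EKU are present. A key that cannot be opened at all is the "permissions are not set correctly" case from the event text, and a signature-only key or a key held by a CNG provider rather than the SChannel CSP is the kind of mismatch the LC_E_VALIDATION_CERT_NO_KEYEXCHANGE error points at.

```powershell
function Test-LyncEdgeCertificate {
    <#
    Added example: checks a certificate in the Local Machine "Personal" store
    against the template settings listed above.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint   # placeholder: thumbprint of the Edge certificate to inspect
    )

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    $result = [ordered]@{
        Subject            = $cert.Subject
        HasPrivateKey      = $cert.HasPrivateKey
        KeyAccessible      = $false
        Provider           = $null
        IsSChannelProvider = $false
        KeyNumber          = $null
        Exportable         = $null
        KeyEncipherment    = $false
        ServerAuthEku      = $false
    }

    # Try to open the private key. A failure here means the account running this
    # check cannot read the key, which matches the "permissions" cause in the event.
    $rsa = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa) { $result.KeyAccessible = $true }
    } catch {
        Write-Warning "Private key could not be opened: $($_.Exception.Message)"
    }

    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: the kind Lync expects. KeyNumber should be 'Exchange';
        # a 'Signature' key cannot be used for key exchange.
        $info = $rsa.CspKeyContainerInfo
        $result.Provider   = $info.ProviderName
        $result.KeyNumber  = $info.KeyNumber
        $result.Exportable = $info.Exportable
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key storage provider (e.g. "Microsoft Software Key Storage Provider"):
        # not the SChannel CSP the post says Lync requires.
        $result.Provider = $rsa.Key.Provider.Provider
    }
    $result.IsSChannelProvider = ($result.Provider -eq 'Microsoft RSA SChannel Cryptographic Provider')

    # Key Usage extension: the template option "Allow key exchange only with key
    # encryption" produces the Key Encipherment bit.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku) {
        $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
        $result.KeyEncipherment = (($ku.KeyUsages -band $flag) -eq $flag)
    }

    # Enhanced Key Usage: Server Authentication is OID 1.3.6.1.5.5.7.3.1.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $result.ServerAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    }

    [pscustomobject]$result
}

# Usage (replace the placeholder with the real thumbprint from the Personal store):
# Test-LyncEdgeCertificate -Thumbprint '<EDGE-CERT-THUMBPRINT>' | Format-List
```

Run it from an elevated PowerShell session on the Edge server; if `KeyAccessible` is true for an administrator but the service still logs the event, the key's ACL rather than the certificate itself is the likely problem. Every other field should come back matching the template checklist: `IsSChannelProvider` true, `KeyNumber` equal to `Exchange`, `Exportable` true, and both `KeyEncipherment` and `ServerAuthEku` true.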