Are you having problems starting your Edge server role?
Is your Edge service complaining that the certificate cannot be accessed?
Do you get this dreaded error message, logged as Event ID 14591?
Error 0xC3FC7D95 (LC_E_VALIDATION_CERT_NO_KEYEXCHANGE)
Cause: The certificate may have been deleted or may be invalid, or permissions are not set correctly.
Fear not, you are not alone. After banging my head against the wall for a few days, rebuilding the Edge server from scratch and trying a bunch of different certificate templates, I have finally found the solution.
Although Windows is happy with many types of cryptographic provider, Lync only accepts the "Microsoft RSA SChannel Cryptographic Provider".
Next time you issue a certificate for Lync, make sure you select the "Microsoft RSA SChannel Cryptographic Provider" as the provider.
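Before rebuilding anything, it is worth checking which provider actually holds the private key of the certificate the Edge service is trying to use. The following check is an added example, not code from the original post: it inspects an installed certificate and reports anything that conflicts with the requirements described here (legacy CSP, the SChannel provider name, an AT_KEYEXCHANGE key, an exportable key, Key Encipherment and Server Authentication). It assumes an elevated Windows PowerShell session on the Edge server, a certificate in the local machine Personal store, and the thumbprint is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): inspect an installed certificate and report
# anything that conflicts with the Lync Edge requirements described above.
# Assumptions: elevated Windows PowerShell on the Edge server; certificate in the
# LocalMachine\My store; the thumbprint used at the bottom is a placeholder.
function Test-LyncEdgeCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $problems = @()

    if (-not $cert.HasPrivateKey) {
        $problems += 'No private key is associated with this certificate.'
    }

    # Legacy CSP keys expose CspKeyContainerInfo. CNG (KSP) keys, or keys the current
    # account is not permitted to open, throw or return nothing here; either is a failure for Lync.
    $csp = $null
    try { $csp = $cert.PrivateKey.CspKeyContainerInfo } catch { $csp = $null }

    if (-not $csp) {
        $problems += 'Private key is not held by a legacy CSP, or is not accessible to this account.'
    } else {
        if ($csp.ProviderName -ne 'Microsoft RSA SChannel Cryptographic Provider') {
            $problems += "Provider is '$($csp.ProviderName)'; Lync expects 'Microsoft RSA SChannel Cryptographic Provider'."
        }
        # KeyNumber 'Exchange' is AT_KEYEXCHANGE, the key type the Edge validation error is about.
        if ($csp.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
            $problems += "Key spec is '$($csp.KeyNumber)'; an AT_KEYEXCHANGE key is required."
        }
        if (-not $csp.Exportable) {
            $problems += 'Private key is not exportable (the template should allow export).'
        }
    }

    # Key Usage must include Key Encipherment; Enhanced Key Usage must include Server Authentication.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509KeyUsageExtension] }
    if ($ku) {
        $hasKeyEnc = [int]($ku.KeyUsages -band [System.Security.Cryptography.X509KeyUsageFlags]::KeyEncipherment)
        if ($hasKeyEnc -eq 0) {
            $problems += 'Key Usage extension does not include Key Encipherment.'
        }
    }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'Enhanced Key Usage does not include Server Authentication (1.3.6.1.5.5.7.3.1).'
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Passed     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage (placeholder thumbprint; replace with the thumbprint assigned to the Edge service):
Test-LyncEdgeCertificate -Thumbprint 'REPLACE_WITH_EDGE_CERT_THUMBPRINT' | Format-List
```

If the check reports a CNG/KSP key or a different provider name, no amount of permission fixing will help; the certificate has to be re-issued with the SChannel CSP as described in the next section.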
To make this more useful, I have listed below the certificate template options that should be used when generating Lync certificates:
- Do not select the option to publish the certificate to Active Directory, as the Lync Edge server cannot access AD and is not authorized to do so.
- Choose the Purpose "Signature & Encryption" and allow the private key to be exported.
- Choose only the "Microsoft RSA SChannel Cryptographic Provider".
- Set the Application Policies to "Server Authentication".
- Set the Key Usage to "Allow key exchange only with key encryption".
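Because the Edge server cannot enrol through Active Directory, the request is normally generated offline and submitted to the CA by hand. The script below is an added example, not from the original post, showing the same template choices expressed as a certreq.exe INF file: an exportable Signature & Encryption key held by the RSA SChannel CSP (ProviderType 12, KeySpec 1 = AT_KEYEXCHANGE), Key Usage with Key Encipherment, and the Server Authentication application policy. The file paths and every host name in the Subject and SAN lines are placeholders for your own Edge FQDNs.

```powershell
# Added example (not from the original post): build an offline certificate request that
# matches the template settings listed above, using certreq.exe, which ships with Windows.
# Assumptions: elevated Windows PowerShell on the Edge server; paths and host names are placeholders.
$infPath = 'C:\Temp\lync-edge.inf'
$csrPath = 'C:\Temp\lync-edge.req'

# Single-quoted here-string so "$Windows NT$" is written literally.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=sip.example.com"
; Signature & Encryption key (KeySpec 1 = AT_KEYEXCHANGE), exportable, held by the RSA SChannel CSP
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
; 0xA0 = Digital Signature (0x80) + Key Encipherment (0x20)
KeyUsage = 0xA0
MachineKeySet = TRUE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Names for the Edge roles (placeholder names)
2.5.29.17 = "{text}"
_continue_ = "dns=sip.example.com&"
_continue_ = "dns=webconf.example.com&"
_continue_ = "dns=av.example.com"
'@

New-Item -ItemType Directory -Path (Split-Path $infPath) -Force | Out-Null
Set-Content -Path $infPath -Value $inf -Encoding Ascii

# Creates the key pair in the local machine store with the settings above and writes a
# PKCS#10 request file. Submit the .req to your CA manually, since the Edge server cannot enrol via AD.
certreq.exe -new $infPath $csrPath
```

When the CA returns the issued certificate, install it on the same server with `certreq.exe -accept <issued-cert-file>` so that it is bound to the private key that was generated here; installing it on a different machine leaves the key behind and reproduces the "certificate not accessible" symptom.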