Lync 2010 Edge Certificates expiring. What does it look like?

I was at home and logging into my Surface Pro 2 and my desktop Lync client was not signing in - but also not coming back with any errors. On further investigation the event log had the following error:



We are running Lync Server 2010 but I am running Lync 2013 (Office Pro Plus) as my client. Lync Server 2010 has never had that DNS name, so I knew that the problem was different from what the event log was showing. As I was external (Direct Access on the laptop, but as per best practice Lync runs outside the VPN) the first place to look was the Lync Edge server.

Logging onto the Edge server the first place to look is the event log and the following was a glaring problem:



As there had been no DNS, Firewall or Proxy changes that only left credentials. I connected into the Front End server and the following two errors give some big clues:


 

So it appears that a certificate has expired. (As a side note, we use the DigiCert Discovery Tool - you need a DigiCert account - to check for any certificates on the estate that are going to expire; the reason this one was not picked up was that even though we were scanning the Edge server we were not checking port 4443. This has now been added as a change.) Anyway, checking the certs on the Edge Server with the command Get-CsCertificate gave the following:



Both Internal and AudioVideoAuthentication have expired, next checking the certificates in the computer personal store we can see the following:

 


This is showing two certificates that have expired and ties into what PowerShell is telling us (for a good pointer of what you need on the Edge check Jeff Schertz's Blog: http://blog.schertz.name/2012/07/lync-edge-server-best-practices/).
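As an added example (not code from the original post), the following PowerShell does the check just described in one pass: it lists certificates in the computer personal store that have expired or will expire within a threshold, and, when run in the Lync Server Management Shell, lists the certificates Lync has assigned to each usage (Internal, External, AudioVideoAuthentication, ...) via Get-CsCertificate. The 30-day threshold is an assumption; the Use, NotAfter and Thumbprint properties are the ones Get-CsCertificate output is assumed to carry on Lync Server 2010.

```powershell
# Added example, not from the original post.
# Report certificates in the computer personal store that have expired or expire
# within $DaysAhead days, then do the same for the certificates assigned to Lync.
# $DaysAhead is a constructed threshold; set it to your renewal lead time.
param([int]$DaysAhead = 30)

$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)

Write-Host "Local machine personal store (Cert:\LocalMachine\My):"
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -le $cutoff } |
    Sort-Object NotAfter |
    ForEach-Object {
        $state = if ($_.NotAfter -lt $now) { 'EXPIRED' } else { 'EXPIRING' }
        '{0,-8} {1:yyyy-MM-dd}  {2}  {3}' -f $state, $_.NotAfter, $_.Thumbprint, $_.Subject
    }

# Get-CsCertificate shows which certificate is assigned to each Lync usage.
# It is only available inside the Lync Server Management Shell, so skip it elsewhere.
if (Get-Command Get-CsCertificate -ErrorAction SilentlyContinue) {
    Write-Host "`nCertificates assigned to Lync (Get-CsCertificate):"
    Get-CsCertificate |
        Where-Object { $_.NotAfter -le $cutoff } |
        ForEach-Object {
            $state = if ($_.NotAfter -lt $now) { 'EXPIRED' } else { 'EXPIRING' }
            '{0,-8} {1,-26} {2:yyyy-MM-dd}  {3}' -f $state, $_.Use, $_.NotAfter, $_.Thumbprint
        }
}
```

Run it on each Lync role (Edge and Front End), not just the one showing errors: as the post shows, the store may hold more than one expired certificate and Get-CsCertificate tells you which usage each one is actually bound to.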

So, simple fix. Renew the certificates using the Enterprise CA and then assign (I’m not going to document how as again Jeff has done a great job of this here: http://blog.schertz.name/2012/01/simple-certificate-requests-in-lync/).

While I was here I thought I might as well tidy up the old Root CA certificate that the Edge Server had imported, so I deleted it - the new certificates don't use it, so what's the harm...

...This proved to be a mistake. Even though the Edge server didn't host any certificates that needed the old Root CA, some certificates on the Front End servers couldn't be verified because they had been signed by the previous Root CA certificate, as can be seen here:

Simply downloading the old Root CA certificate from the Enterprise Root CA (https://<certsrv>/certcarc.asp) and importing it into the Edge server made the certificates presented by the Front End servers immediately valid, and my remote Lync client could finally log in!
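The two things that went wrong here (an expiry on a port the scanner was not checking, and a chain that no longer validated after a root was removed) can both be caught from the Edge server itself. The following is an added example, not code from the original post: it opens a TLS connection to a host and port, reads the certificate presented, reports its expiry, and then builds the chain against the local machine's trusted roots so a missing root shows up as a chain status rather than as a vague sign-in failure. The host name is a constructed placeholder; port 4443 is the Edge-to-Front-End port the post says was not being scanned.

```powershell
# Added example, not from the original post.
# Fetch the certificate a TLS endpoint presents, report expiry, and validate the
# chain on this machine. $HostName is a constructed placeholder.
param(
    [string]$HostName = 'frontend.example.internal',
    [int]$Port = 4443
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented here so the certificate can be inspected even
        # when validation fails; validation is done explicitly below with X509Chain.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }
}

$cert     = Get-RemoteCertificate -HostName $HostName -Port $Port
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
'{0}:{1} presents {2}' -f $HostName, $Port, $cert.Subject
'  issued by {0}' -f $cert.Issuer
'  expires {0:yyyy-MM-dd} ({1} days from now)' -f $cert.NotAfter, $daysLeft

# Build the chain with the roots this machine trusts. A root that has been removed
# from the store surfaces as UntrustedRoot or PartialChain on the final element,
# which is exactly what the Front End certificates looked like from the Edge above.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    '  chain: OK ({0} elements)' -f $chain.ChainElements.Count
} else {
    '  chain: FAILED'
    foreach ($s in $chain.ChainStatus) {
        '    {0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
    }
    foreach ($e in $chain.ChainElements) {
        '    element: {0}  (issuer: {1})' -f $e.Certificate.Subject, $e.Certificate.Issuer
    }
}
```

Revocation checking is disabled so the script still works from a segment that cannot reach the CRL distribution point; re-enable it (X509RevocationMode Online) where the Edge can reach the CA. The issuer printed on the last chain element is the root you would need to re-import, which is the piece of information that was missing during the "tidy up" above.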

My lesson learned, don’t “tidy” until you have fixed the underlying problem!