I was recently asked about the certificate requirements for deploying the Lync 2013 Persistent Chat enterprise pool version, which requires dedicated servers to be installed in the Lync environment as part of a Persistent Chat pool.
Following Microsoft's guidance, checklist and requirements for the Persistent Chat installation, I wasn't able to find any real guidance on the certificate requirements, certainly nothing like what exists for the other Lync internal servers in the "Certificate Requirements for Internal Servers" guide.
Microsoft did publish the following notes on "Certificate Requirements for Persistent Chat Server":
To install Persistent Chat Server, you must have a certificate issued by the same CA as the one used by Lync Server 2013 internal servers for each server running the Persistent Chat Web Services for File Upload/Download. Make sure that you have the required certificate(s) before you start the Persistent Chat installation, especially if you are using an external CA.
Unfortunately, it does not shed any light on the actual Subject or SAN names that are required, especially as Lync 2010 Group Chat required different certificates for the TLS negotiation and for IIS.
Fortunately, Microsoft was kind enough to log an alert in the Lync Event Viewer for any TLS negotiation that fails between the Lync Front End servers and the Persistent Chat servers. That way, if a certificate with the wrong name in the Subject is used, an alert will be triggered:
The Persistent Chat server can not establish or maintain MTLS connection to the Lync Server.
Error code: -2146233088
Cause: This problem is usually caused by an invalid MTLS certificate configured on the Persistent Chat Server or Lync Server.
Review certificate related sections in Persistent Chat Planning and Deployment Guide. Ensure the MTLS certificates configured on the Persistent Chat Server and Lync Server are valid.
As for the actual requirement, when deploying Lync 2013 Persistent Chat as a separate enterprise pool, the requirement is to use the FQDN of the pool as the Subject name, with no SAN required (this resolves the Event Viewer error shown above when the subject name is wrong).
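As an added example (not from the original post or from Microsoft's deployment tooling), the following PowerShell check can be run on a Persistent Chat server before the MTLS error above appears: it looks in the computer certificate store for a certificate whose Subject CN is exactly the pool FQDN, confirms it was issued by the Lync internal CA, carries a private key, is within its validity period, chains to a trusted root and is usable for server authentication. The pool FQDN and CA common name are placeholders you replace with your own values.

```powershell
# Added example, not from the original post. Checks the local machine store for a
# certificate meeting the Persistent Chat enterprise pool requirement described above.
function Test-PersistentChatCertificate {
    param(
        [Parameter(Mandatory)][string]$PoolFqdn,   # placeholder, e.g. pchat-pool.contoso.example
        [Parameter(Mandatory)][string]$LyncCaCn    # placeholder: CN of the Lync internal issuing CA
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, needed for TLS
    $now = Get-Date
    # Subject CN must be exactly the pool FQDN (no wildcard, no SAN substitute)
    $subjectPattern = '^CN=' + [regex]::Escape($PoolFqdn) + '(,|$)'
    $issuerPattern  = '(^|, )CN=' + [regex]::Escape($LyncCaCn) + '(,|$)'
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $subjectPattern }
    if (-not $candidates) {
        Write-Warning "No certificate in LocalMachine\My has Subject CN=$PoolFqdn; expect the MTLS event."
        return
    }
    foreach ($cert in $candidates) {
        $issues = @()
        if (-not $cert.HasPrivateKey) { $issues += 'private key missing' }
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
            $issues += "outside validity ($($cert.NotBefore) to $($cert.NotAfter))"
        }
        if ($cert.Issuer -notmatch $issuerPattern) {
            $issues += "issuer '$($cert.Issuer)' is not the Lync internal CA"
        }
        # If an EKU extension is present it must include Server Authentication
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku) {
            $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
            if ($ekuOids -notcontains $serverAuthOid) { $issues += 'EKU lacks Server Authentication' }
        }
        # The chain must build to a root this server trusts, or MTLS fails on both sides
        if (-not $cert.Verify()) { $issues += 'chain does not validate on this server' }
        # A SAN is not required for the enterprise pool; shown for information only
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SAN        = if ($san) { $san.Format($false) } else { '(none)' }
            Status     = if ($issues.Count -eq 0) { 'OK' } else { 'FAIL: ' + ($issues -join '; ') }
        }
    }
}

# Usage with placeholder values:
Test-PersistentChatCertificate -PoolFqdn 'pchat-pool.contoso.example' -LyncCaCn 'Contoso Issuing CA' | Format-List
```

A `FAIL` row with an issuer or subject mismatch is the same condition that produces the MTLS event quoted above, so the check is worth running before requesting a replacement certificate.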
Where to define the type of Persistent Chat pool: