A Lync 2013 Edge server is using external, 3rd party certificates for authentication and encryption of data for federation purposes and external clients connecting to the Lync 2013 environment. I’m using Digicert certificates for this since these work fine in almost all situations.
So I got a message from Digicert to renew my certificate, which I did. I renewed the certificate with the same Common Name (CN=access.exchangelabs.nl) and the same Subject Alternative Name entries. The order of the SAN entries was different and so was the Friendly Name of the certificate, but this should not cause any problem.
After replacing the certificate on the Lync 2013 Edge server the Lync clients on Windows PCs were able to log in successfully, but the Polycom CX600 failed to log in with the following error:
“Sign-in Error. Cannot download certificate because domain is not accessible. If the problem continues, contact your support team”
System Information on the Polycom showed Last Update Status: (0x2ee7/0) which typically means the device cannot download any updates.
After putting back the original SSL certificate (I had four weeks left before expiration 😉) everything worked as expected.
After checking both SSL certificates in the Lync Deployment Wizard I noticed that the old certificate was issued by a different Intermediate Certificate than the new certificate.
I went back to Digicert Support and they reissued the certificate for me using the same Intermediate certificate as the original certificate. Imported this new certificate on the Lync Edge server and now everything works as expected.
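One way to make the same comparison before swapping a renewed certificate in, as an added example that is not part of the original post. The two .cer paths are placeholders and Get-CertChainSummary is a hypothetical helper name:

```powershell
# Added example: compare the issuing chain of the old and the renewed certificate.
# Both file paths are placeholders; export each certificate (public part only) first.
function Get-CertChainSummary {
    param([Parameter(Mandatory)][string]$Path)

    $file  = (Resolve-Path -Path $Path).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only the chain structure matters here, so skip revocation lookups
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)

    # Element 0 is the leaf, the last element is the root (when one was found)
    for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
        $c = $chain.ChainElements[$i].Certificate
        [pscustomobject]@{
            Depth      = $i
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
        }
    }
}

$old = @(Get-CertChainSummary -Path 'C:\certs\edge-old.cer')   # placeholder path
$new = @(Get-CertChainSummary -Path 'C:\certs\edge-new.cer')   # placeholder path

# The leaf always changes on renewal; what should stay the same is everything above it
$oldAbove = ($old | Where-Object Depth -gt 0 | ForEach-Object Thumbprint) -join ' > '
$newAbove = ($new | Where-Object Depth -gt 0 | ForEach-Object Thumbprint) -join ' > '

if ($old[0].Issuer -ne $new[0].Issuer -or $oldAbove -ne $newAbove) {
    Write-Warning 'The renewed certificate chains through a different intermediate or root.'
    'Old chain:'; $old | Format-Table Depth, Subject, Thumbprint, NotAfter -AutoSize
    'New chain:'; $new | Format-Table Depth, Subject, Thumbprint, NotAfter -AutoSize
} else {
    'Both certificates chain through the same intermediate and root.'
}
```

Chain building uses the intermediates available in the local certificate stores, so run this on a machine where the intermediates for both certificates are installed.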
Update: In July 2014 Digicert made some changes to their Intermediate certificates and I ran into this issue again. An upgrade of the Lync Phone Edition software solved the issue this time. More information regarding Lync Phone Edition Updates is in an earlier blog post: http://www.jaapwesselius.com/2013/02/22/lync-phone-edition-updates/