Self Signed Certificate For Edge Server


Create Internal Certificate

Because the SfB Front End server is joined to the domain, it is an ideal host from which to perform
online certificate requests to the AD-integrated Enterprise CA.

Download, install and launch the DigiCert tool on the SfB Front End server.

Fill out the Certificate Details field as appropriate for the Edge Server Internal
certificate. The Common Name field should be the FQDN of the Edge Server (e.g.
edge.jdskype.net) and the Subject Alternative Name (SAN) should be blank.

Generate the request and then save the request data to a text file on the local server (e.g.
C:\Temp\edge_internal.txt).
On the same Front End server launch either the Windows Command Prompt or
PowerShell as an administrator and then issue the following certreq.exe command.
Supply the name of the text file saved in the previous step which contains the certificate
request information and then enter the name of the new certificate file itself to be created
(e.g. edge_internal.cer).

certreq -submit -attrib certificatetemplate:WebServer edge_internal.txt edge_internal.cer

When prompted to select a Certificate Authority highlight the desired CA (in this
environment there is only a single Enterprise Root CA).

Select OK and if the process is successful the end result should be reported as Issued.
Use the Import option in the certificate tool to import the issued certificate file (e.g.
edge_internal.cer) into the server.

Enter a descriptive Friendly Name (e.g. Edge Internal Cert) to complete the
certificate creation process.

Return to the main SSL window of the utility and highlight the newly imported certificate
(e.g. edge.jdskype.net) and then click Export Certificate.

Make sure to select the options to Export the Private Key and to Include all
certificates in the certification path.
These options are critical as without the private key this certificate is useless to the Edge server.
Also, the issuing Root CA's public key needs to be manually imported into the Edge server,
because the Edge server is not a member of the AD domain and so has not automatically been provided
these root certificates. Selecting both export options addresses both of those requirements.

Define a password (e.g. password) to protect the export file, which will contain the
certificate's private key. This step is mandatory and cannot be skipped.

Choose a location and filename to save the exported certificate (e.g.
C:\Temp\edge_jdskype_net.pfx). (This file will be retrieved in a later
deployment step.)

Create External Certificate

Now that the internal certificate for the Edge Server is ready, a second certificate needs to be
created for the external interface. Typically this request is sent to a third-party Certificate
Authority, and the process above can be used to do that. Instead of running the certreq.exe
command, simply copy/paste the request text into the request field of whatever CA is used.

Repeat all the steps above in this section to request, import, and then export the Edge
Server external certificate. The only configuration difference is that the Common Name
will need to be set to the Edge Server External FQDN that was defined earlier (e.g.
sipexternal.jdskype.net, exported to a file such as sipexternal_jdskype_net.pfx).
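The same request, submit, import and export sequence can be scripted with certreq.exe and the built-in PKI cmdlets instead of the DigiCert tool. The following is an added example, not part of the original guide: it creates the request from an INF file, submits it to the Enterprise CA with the same certreq command shown above, exports the result as a PFX with the private key and the full chain, and then checks the PFX actually contains a CA chain before it is carried to the Edge server. The FQDN, paths and template name are the guide's example values; that the CA publishes the WebServer template and that the script runs elevated on the domain-joined Front End server are assumptions. For the external certificate, stop after the certreq -new step, paste the contents of the .txt file into the third-party CA's request form, and resume at certreq -accept with the certificate file the CA returns.

```powershell
# Added example (not from the original guide): script the internal Edge certificate
# request/submit/import/export with certreq.exe and the PKI module.
# Assumptions: Enterprise CA publishes the WebServer template; run elevated on the
# domain-joined Front End server; names and paths below are the guide's examples.
$EdgeFqdn    = 'edge.jdskype.net'          # Common Name; use the external FQDN for the external cert
$WorkDir     = 'C:\Temp'
$InfPath     = Join-Path $WorkDir 'edge_internal.inf'
$ReqPath     = Join-Path $WorkDir 'edge_internal.txt'
$CerPath     = Join-Path $WorkDir 'edge_internal.cer'
$PfxPath     = Join-Path $WorkDir 'edge_jdskype_net.pfx'
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

# 1. Request definition. Exportable = TRUE is what later allows the private key to leave
#    this machine inside the PFX; the SAN is intentionally left empty, as the guide states.
@"
[NewRequest]
Subject = "CN=$EdgeFqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $InfPath -Encoding ASCII

# 2. Generate the CSR, submit it to the Enterprise CA (same command as the guide),
#    and bind the issued certificate to the pending private key.
certreq.exe -new $InfPath $ReqPath
certreq.exe -submit -attrib 'CertificateTemplate:WebServer' $ReqPath $CerPath
certreq.exe -accept $CerPath

# 3. Find the certificate by subject and confirm a private key is attached to it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$EdgeFqdn" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$EdgeFqdn" }

# 4. Export with the private key and the whole certification path
#    (the two export options the guide calls critical).
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain

# 5. Verify the PFX before moving it: one end-entity cert plus the issuing CA chain.
$pfx = Get-PfxData -FilePath $PfxPath -Password $PfxPassword
"End-entity : {0}" -f $pfx.EndEntityCertificates[0].Subject
"Chain certs: {0}" -f (($pfx.OtherCertificates | ForEach-Object Subject) -join '; ')
if ($pfx.OtherCertificates.Count -eq 0) {
    Write-Warning 'PFX contains no CA certificates; the Edge server will not be able to build the chain'
}
```

The final check matters because an export made without the chain option produces a PFX that imports cleanly on the Edge server but fails TLS validation there, since the workgroup Edge host never receives the Enterprise Root CA certificate any other way.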
Now that all the server and environment preparation steps have been completed, the final
processes of actually installing and configuring the Edge Server roles can begin.

Copy Files

The exported files created in the previous topology and certificate preparation steps
need to be manually copied from the Front End server to the Edge server.

On the SfB Front End server locate the topology export file (e.g. C:\Temp\topo.zip)
and the two exported certificate packages (e.g. C:\Temp\edge_jdskype_net.pfx
& C:\Temp\sipexternal_jdskype_net.pfx).
Copy these three files to the Edge Server to prepare for deployment and configuration
steps in the next section.
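Because the Edge server is not domain-joined, a plain UNC copy to it may not be available, and the PFX files carry private keys whose integrity on arrival is worth confirming. The following added example (not from the original guide) hashes the three files on the Front End server, copies them together with a hash manifest over a PowerShell remoting session, and re-checks every hash on the Edge server. The file paths are the guide's examples; the Edge host name, the local administrator credential, WinRM being enabled on the Edge server, and the Front End's TrustedHosts list permitting that host are assumptions.

```powershell
# Added example (not from the original guide): copy the topology export and the two PFX
# packages to the Edge server and verify their SHA-256 hashes on arrival.
# Assumptions: WinRM is enabled on the Edge server, the Front End has it in TrustedHosts,
# and a local administrator credential for the Edge server is available.
$Files    = 'C:\Temp\topo.zip',
            'C:\Temp\edge_jdskype_net.pfx',
            'C:\Temp\sipexternal_jdskype_net.pfx'
$Manifest = 'C:\Temp\edge_files.sha256'

# Record the hash of each file before it leaves the Front End server.
Get-FileHash -Path $Files -Algorithm SHA256 |
    ForEach-Object { "{0}  {1}" -f $_.Hash, (Split-Path $_.Path -Leaf) } |
    Set-Content -Path $Manifest

# The Edge server is in a workgroup, so authenticate with its local administrator account.
$cred    = Get-Credential -Message 'Edge server local administrator'
$session = New-PSSession -ComputerName 'edge.jdskype.net' -Credential $cred

# Copy the three deployment files plus the manifest into C:\Temp on the Edge server.
Copy-Item -Path ($Files + $Manifest) -Destination 'C:\Temp' -ToSession $session

# Recompute every hash on the Edge server and compare against the manifest.
Invoke-Command -Session $session -ScriptBlock {
    $allOk = $true
    foreach ($line in Get-Content 'C:\Temp\edge_files.sha256') {
        $expected, $name = $line -split '\s+', 2
        $actual = (Get-FileHash -Path "C:\Temp\$name" -Algorithm SHA256).Hash
        if ($actual -ne $expected) {
            Write-Warning "Hash mismatch for $name"
            $allOk = $false
        }
    }
    if ($allOk) { 'All files verified on the Edge server' }
    else        { throw 'One or more files failed hash verification' }
}

Remove-PSSession $session
```

If remoting to the workgroup host is not an option, the manifest still works with any other transfer method: copy it alongside the files and run only the verification block locally on the Edge server.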
