By default, Skype Room Systems are not part of the domain. This is only a problem if your SfB deployment is on-premise. If you don’t want to join them to the domain (or if you don’t push down your internal PKI), you will need to install the certificate chain(s) manually. This is not that tricky. There are a few steps in this:
- Export each certificate from the Trusted Root Certification Authorities and Intermediate Certification Authorities stores
- Add the data to the attached script file
- Import the script file
Export the Certificates.
Since you are reading this, you know which certificates in the chain you need to export. These are the certs used by your front end and load balancers. Basically, you need to import any cert chain that is not publicly signed, including edge. This is how I get the certificate chain I need:
- Launch certlm (Local Computer certificate manager)
- Expand down to Intermediate Certification Authorities
- Open the intermediate Cert
- Under Details choose Copy to File
- Export it as Base-64 encoded x.509 (.CER)
- Go to the Certification Path on that same intermediate cert
- Open the next one up in the chain (if there is one)
- Go to Details and Export that cert just like above
When building the script, the trick is to remember that the root cert(s) have to be imported first, then the intermediate. In PowerShell, to create a long string (a simple explanation), you use a here-string: $var = @" at the end of the first line, the text on the lines that follow, and "@ at the start of the last line. So for example your root may look like this
I use domainroot, domainint as variables, you can call them whatever you like.
Now you will have several pairs like this. Here is an example of a few root and intermediate pairs
Now then we need to import the certificate chain. Remember that you have to import roots before intermediate.
This process basically takes the array string, exports it to a file and then imports it back in as a cert. It’s not too tricky; again, make sure you get your export and import order right.
- Save the file as a PowerShell script, for example importcerts.ps1, and copy it to the Skype Room System (most likely via USB).
- On the Skype Room System, open PowerShell with elevated permissions (run as administrator).
- Run the command Set-ExecutionPolicy -ExecutionPolicy Unrestricted; this will allow you to run the script.
- Execute the script.
- You will need to reboot for the certs to be “active”
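
The script described above (here-strings written to a file and imported back as certificates, roots before intermediates), as an added example that is not the script from the original post. The certificate bodies are placeholders to replace with your exported Base-64 text, and the function name Import-PemToStore and the self-signed check are assumptions added here.

```powershell
# Added example. Variable names follow the post (domainroot, domainint);
# the certificate bodies below are placeholders, not real certificates.
$domainroot = @"
-----BEGIN CERTIFICATE-----
<paste the Base-64 text of the exported root .CER here>
-----END CERTIFICATE-----
"@

$domainint = @"
-----BEGIN CERTIFICATE-----
<paste the Base-64 text of the exported intermediate .CER here>
-----END CERTIFICATE-----
"@

function Import-PemToStore {   # hypothetical helper name
    param(
        [string]$Pem,        # Base-64 certificate text from a here-string
        [string]$StoreName   # 'Root' = Trusted Root CAs, 'CA' = Intermediate CAs
    )
    # Write the string to a temporary .cer file, then load it back as a certificate.
    $path = Join-Path $env:TEMP ([guid]::NewGuid().ToString() + '.cer')
    Set-Content -Path $path -Value $Pem -Encoding Ascii
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
    } finally {
        Remove-Item -Path $path -ErrorAction SilentlyContinue
    }
    # Only a self-signed certificate belongs in the Trusted Root store.
    if ($StoreName -eq 'Root' -and $cert.Subject -ne $cert.Issuer) {
        throw "Refusing to trust '$($cert.Subject)' as a root: it is not self-signed."
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    # Print the thumbprint so it can be compared with the one shown on the source server.
    Write-Output ("{0,-4} {1}  {2}" -f $StoreName, $cert.Thumbprint, $cert.Subject)
}

# Roots first, then intermediates; repeat the pair of calls for each chain.
Import-PemToStore -Pem $domainroot -StoreName 'Root'
Import-PemToStore -Pem $domainint  -StoreName 'CA'
```

Compare each printed thumbprint with the Thumbprint field on the certificate's Details tab where it was exported. Adding -Scope Process to the Set-ExecutionPolicy command limits the policy change to the current PowerShell session.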