Skype Room Systems

Skype Room Systems – Add internal certs with ease

By default, Skype Room Systems are not part of the domain. This is only a problem if your SfB deployment is on-premises. If you don't want to join them to the domain (or if you don't push down your internal PKI), you will need to install the certificate chain(s) manually. This is not that tricky. There are a few steps:

  1. Export each certificate from the Trusted Root Certification Authorities and Intermediate Certification Authorities stores
  2. Add the data to the attached script file
  3. Import the script file

Export the Certificates.

Since you are reading this, you know which certificates in the chain you need to export: these are the certs used by your front end and load balancers. Basically, you need to import any cert chain that is not publicly signed, including edge. This is how I get the certificate chain I need:

  1. Launch certlm (Local Computer certificate manager)
  2. Expand down to Intermediate Certification Authorities
  3. Open the intermediate Cert
  4. Under Details choose Copy to File
  5. Export it as Base-64 encoded X.509 (.CER)
  6. Go to the Certification Path on that same intermediate cert
  7. Open the next one up in the chain (if there is one)
  8. Go to Details and Export that cert just like above

When building the script, the trick is to remember that the root cert(s) have to be imported first, then the intermediate. In PowerShell, to create a long multi-line string (a here-string, put simply), you use the form $var = @" xxxxx "@, where the opening @" ends its line and the closing "@ starts a line of its own. For example, your root may look like this:

I use domainroot, domainint as variables, you can call them whatever you like.

$domainroot = @"
-----BEGIN CERTIFICATE-----
MIIFhzCCA2+gAwIBAgIQAvGR+dU9uLZFtYAsR6pYoTANBgkqhkiG9w0BAQUFADAZesXvmWzdd1TWc1GB3drAys9DVGvvRJ0x+JK0
-----END CERTIFICATE-----
"@

Now you will have several pairs like this. Here is an example of a few root and intermediate pairs:

$DomainROOT = @"
-----BEGIN CERTIFICATE-----
MIIFhzCCA2+gAwIBAgIQAvGR+dU9uLZFtYAsR6pYoTANBgkqhkiG9w0BAQUFADAZ
sm9BHNpBQHNI/v5IAj6SC98xWUBviBHMSeDwdBFUMQkLUBuTkwqIEsN6e+n7h1ux
esXvmWzdd1TWc1GB3drAys9DVGvvRJ0x+JK0
-----END CERTIFICATE-----
"@
$DomainINT= @"
-----BEGIN CERTIFICATE-----
MIIGzzCCBLegAwIBAgITZgAAAAUSHwMEMwW70AAAAAAABTANBgkqhkiG9w0BAQUF
V6hHsAE4jeV91wL2jCyTb25H5w==
-----END CERTIFICATE-----
"@
$DomainNEWROOT = @"
-----BEGIN CERTIFICATE-----
MIIDDzCCAfegAwIBAgIQGkB+YHlCW6tEjvGe81wC1jANBgkqhkiG9w0BAQsFADAa
2nAy4BsSTWFbV0UgHUfiOlCqkA==
-----END CERTIFICATE-----
"@
$DomainNEWINT = @"
-----BEGIN CERTIFICATE-----
MIIEqzCCA5OgAwIBAgITYQAAAAJKfuORySYyrgAAAAAAAjANBgkqhkiG9w0BAQsF
8iL1Xqbpgac3EPqMGgcB5WaZZNJOwao4WG4X1Kpj1YGJcwel/0l650XmRgQBNeg=
-----END CERTIFICATE-----
"@
$DIGIROOT = @"
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
+OkuE6N36B9K
-----END CERTIFICATE-----
"@
$DIGIINT = @"
-----BEGIN CERTIFICATE-----
MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae
cPUeybQ=
-----END CERTIFICATE-----
"@

Now we need to import the certificate chain. Remember that you have to import roots before intermediates.

This process takes each here-string, writes it out to a temporary file, and then imports that file back in as a cert. It's not too tricky; again, make sure you get your export and import order right.

#Create the temporary file objects
$DomainROOTFILE = New-TemporaryFile
$DomainINTFILE = New-TemporaryFile
$DomainNEWROOTFILE = New-TemporaryFile
$DomainNEWINTFILE = New-TemporaryFile
$DIGIROOTFILE = New-TemporaryFile
$DIGIINTFILE = New-TemporaryFile

#Export the certs to the files
$DomainROOT | out-file $DomainROOTFILE -Encoding ascii
$DomainINT | out-file $DomainINTFILE -Encoding ascii
$DomainNEWROOT | out-file $DomainNEWROOTFILE -Encoding ascii
$DomainNEWINT | out-file $DomainNEWINTFILE -Encoding ascii
$DIGIROOT | out-file $DIGIROOTFILE -Encoding ascii
$DIGIINT | out-file $DIGIINTFILE -Encoding ascii

#Set the Cert Locations
$RootStore="Cert:\localmachine\AuthRoot"
$Intermediate="Cert:\localmachine\CA"

#Import the certs: each root goes to the root store, each intermediate to the CA store,
#and every root is imported before its intermediate
$DomainROOTFILE | Import-Certificate -CertStoreLocation $RootStore
$DomainINTFILE | Import-Certificate -CertStoreLocation $Intermediate
$DomainNEWROOTFILE | Import-Certificate -CertStoreLocation $RootStore
$DomainNEWINTFILE | Import-Certificate -CertStoreLocation $Intermediate
$DIGIROOTFILE | Import-Certificate -CertStoreLocation $RootStore
$DIGIINTFILE | Import-Certificate -CertStoreLocation $Intermediate

  1. Save the file as a PowerShell script, for example importcerts.ps1, and copy it to the Skype Room System (most likely via USB).
  2. On the Skype Room System, open PowerShell with elevated permissions (run as administrator).
  3. Run the command Set-ExecutionPolicy -ExecutionPolicy Unrestricted; this will allow you to run the script.
  4. Execute the script.
  5. You will need to reboot for the certs to be "active".
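
The import step above depends on pairing each variable with the right store by hand. As an added example (not part of the original script), the hypothetical helper Import-PemChain below parses each PEM string, treats a certificate whose subject equals its issuer as a root, imports roots before intermediates, and returns each thumbprint so it can be compared with the value published by your CA. It assumes complete PEM exports, not the shortened samples shown on this page, and reuses the store paths from the script above.

```powershell
# Added example: hypothetical helper, not part of the original script.
function Import-PemChain {
    param(
        [Parameter(Mandatory)][string[]]$Pem,
        # Store paths taken from the script above
        [string]$RootStore = 'Cert:\LocalMachine\AuthRoot',
        [string]$IntermediateStore = 'Cert:\LocalMachine\CA'
    )

    $parsed = foreach ($text in $Pem) {
        # Strip the PEM armor and whitespace, then decode the Base-64 body to DER
        $b64  = $text -replace '-----(BEGIN|END) CERTIFICATE-----' -replace '\s'
        $der  = [Convert]::FromBase64String($b64)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        # A root is self-issued: its subject and issuer are the same name
        [pscustomobject]@{ Cert = $cert; Pem = $text; IsRoot = ($cert.Subject -eq $cert.Issuer) }
    }

    # Roots first, then intermediates, regardless of the order they were passed in
    foreach ($item in ($parsed | Sort-Object IsRoot -Descending)) {
        if ($item.Cert.NotAfter -lt (Get-Date)) {
            Write-Warning "Skipping expired certificate: $($item.Cert.Subject)"
            continue
        }
        $store = if ($item.IsRoot) { $RootStore } else { $IntermediateStore }
        $tmp = New-TemporaryFile
        try {
            # Same write-then-import approach as the script above
            $item.Pem | Out-File $tmp.FullName -Encoding ascii
            Import-Certificate -FilePath $tmp.FullName -CertStoreLocation $store |
                Select-Object Subject, Thumbprint, @{ n = 'Store'; e = { $store } }
        }
        finally {
            # Do not leave certificate copies behind in the temp directory
            Remove-Item $tmp.FullName -ErrorAction SilentlyContinue
        }
    }
}

# Usage with the variables defined earlier on this page:
# Import-PemChain -Pem $DomainROOT, $DomainINT, $DIGIROOT, $DIGIINT
```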