Symptom: Users may see (if they are paying close attention) a pop-up warning that one of their certificates will expire soon. A curious user who double-clicks the pop-up will see a message like this one:
The Title is: Expiring Certificates
The following certificates have expired or will expire soon. When a certificate expires, it is no longer considered an acceptable or usable credential. You can attempt to renew these certificates now.
If you do not want to renew certificates at this time, Windows will remind you of their pending expiration each time you log on.
If you do not want to be reminded to renew specific user certificates, select the checkbox next to these certificates and click Done. For machine certificates, please read help and contact a system administrator if this warning reappears the next time you log onto the network.
User Action: The user panics and calls the help desk. The help desk doesn’t have a clue because they don’t even understand certificates. The help desk escalates to the Lync administrator. The Lync administrator may or may not know about this issue. If it is a VIP, it may result in a conference call with all of the managers involved.
Cause: The Lync Front-End server issues a certificate to the end user (if you look at the certificate, it will show that it is issued by Communications Server), and that certificate is installed in the user's Personal certificate store. This certificate is NOT issued by the company's Certificate Authority; it is issued by the Lync environment, which uses it to authenticate the client on subsequent sign-ins. By default it is valid for 180 days (4320 hours, the DefaultValidityPeriodHours value in the Lync web service configuration). When the certificate gets close to expiration, the Windows certificate auto-enrollment client, which watches the Personal store for any expiring certificate regardless of who issued it, generates the pop-up to warn the user so that action can be taken.
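The first thing a help desk should check is whether the certificate in question is actually the Lync-issued one, or a certificate from the corporate CA that really does need renewing. The following script is an added example, not part of the original post: it lists every certificate in the current user's Personal store that expires within a given number of days and flags the Lync client certificate by its issuer. The only assumption is that the issuer name contains "Communications Server", as described above.

```powershell
# Added example, not from the original post. Separates the Lync-issued client
# certificate from everything else in the user's Personal store so the help desk
# can tell at a glance whether the warning is the harmless one.
# Assumption: the Lync issuer name contains "Communications Server".
function Get-ExpiringUserCertificate {
    param([int]$WithinDays = 30)

    $now    = Get-Date
    $cutoff = $now.AddDays($WithinDays)

    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.NotAfter -lt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Subject          = $_.Subject
                Issuer           = $_.Issuer
                NotAfter         = $_.NotAfter
                DaysLeft         = [int]($_.NotAfter - $now).TotalDays
                Thumbprint       = $_.Thumbprint
                # Only the Lync client certificate is safe to ignore. A corporate CA
                # certificate (smart card, VPN, Wi-Fi) that shows up here needs
                # real attention and must not be waved off with this article's advice.
                IsLyncClientCert = ($_.Issuer -like '*Communications Server*')
            }
        }
}

# Run on the affected user's workstation, in the user's own session
# (the store is per user, so an admin's elevated session will not see it).
Get-ExpiringUserCertificate -WithinDays 30 | Sort-Object NotAfter | Format-Table -AutoSize
```

If the list shows only a row with IsLyncClientCert set to True, the advice below applies. If a certificate with another issuer is also within the window, that one is a separate problem and the user should not be told to ignore the warning.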
Why Certificates?: Great question, and I can’t come close to explaining this as well as the Microsoft product team does in the NextHop blog entry here.
What to do?: Nothing. Absolutely nothing needs to be done. When the certificate expires (or gets close to it), the Lync client obtains a new one at sign-in and users will not have any Lync connectivity issues. If you absolutely feel that something needs to be done, or you are asked for options, you can consider the following:
- Put out a message to all the users telling them that they “may” see this a couple of times a year and that they can safely ignore it. Of course, users will ignore the communication or will have forgotten about it and will still call the help desk.
- Write a PowerShell script that uses the Get-CsClientCertificate cmdlet to find the certificates about to expire, then uses the Revoke-CsClientCertificate cmdlet to revoke them. Once the user signs in again, a new certificate is issued and installed. This seems like too much work to me.
- Use the Set-CsWebServiceConfiguration cmdlet (its DefaultValidityPeriodHours parameter) to extend the validity period of the certificate; the ceiling is set by MaxValidityPeriodHours, which defaults to 8760 hours, i.e. 365 days. Note that this only affects certificates issued after the change, so the pop-ups continue until every existing certificate has rolled over. Yeah, this is not worth the effort, either.
- Configure a Group Policy object that turns off the expiry notification. The setting lives under Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client – Auto-Enrollment (the same node exists under User Configuration, which is the one that governs the user's Personal store); the pop-up comes from that policy's expiry-notification option. Be aware that this silences the warning for every certificate in the store, not just the Lync one, so a genuinely expiring smart card or VPN certificate will also go unannounced. Hopefully, this will work for you.
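For the two server-side options above (finding and revoking expiring client certificates, and raising the validity period), here is one script that does both. It is an added example, not from the original post, and it is meant to be run from the Lync Server Management Shell. Two things are assumed rather than taken from the post: that the objects returned by Get-CsClientCertificate expose an ExpirationTime property (check with Get-Member if your build names it differently), and that Get-CsUser can be piped into Get-CsClientCertificate and the result into Revoke-CsClientCertificate.

```powershell
# Added example, not from the original post. Run from the Lync Server Management Shell.
#
# Part 1: report, and optionally revoke, Lync client certificates that expire within
# N days. Assumptions (not from the post): the certificate objects carry an
# ExpirationTime property, and the cmdlets accept pipeline input as used here.
function Get-ExpiringCsClientCertificate {
    param(
        [int]$WithinDays = 30,
        [switch]$Revoke
    )

    $cutoff   = (Get-Date).AddDays($WithinDays)
    $expiring = Get-CsUser | Get-CsClientCertificate |
        Where-Object { $_.ExpirationTime -lt $cutoff }

    if ($Revoke) {
        # A revoked certificate can no longer authenticate the client, so the user
        # falls back to normal credentials at the next sign-in and is issued a
        # fresh certificate then. Do a dry run without -Revoke first.
        $expiring | Revoke-CsClientCertificate
    }

    $expiring
}

# Dry run: see who would be affected before revoking anything.
Get-ExpiringCsClientCertificate -WithinDays 30 |
    Select-Object Identity, ExpirationTime | Format-Table -AutoSize

# Only after the list looks right:
# Get-ExpiringCsClientCertificate -WithinDays 30 -Revoke

# Part 2: raise the validity period at the global scope. Out of the box
# DefaultValidityPeriodHours is 4320 (180 days) and MaxValidityPeriodHours is
# 8760 (365 days); the default may not exceed the maximum. Only certificates
# issued after the change get the longer lifetime, so existing ones still
# trigger the pop-up once more before they roll over.
Get-CsWebServiceConfiguration -Identity Global |
    Select-Object Identity, DefaultValidityPeriodHours, MaxValidityPeriodHours

Set-CsWebServiceConfiguration -Identity Global -DefaultValidityPeriodHours 8760

# Confirm the change took.
(Get-CsWebServiceConfiguration -Identity Global).DefaultValidityPeriodHours
```

Raising the lifetime to a full year halves how often anyone sees the warning, but it also doubles how long a certificate stolen from a lost laptop keeps authenticating to Lync unless someone revokes it, which is the trade-off to weigh before changing the default.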