Scenario:
It's time to replace the Skype for Business certificates on your Front End pool because they are expiring, or because you have new requirements for them. You submit the request, get the new certificate back and believe it has been installed correctly. However, you then start seeing the following error: Invalid incoming HTTPS certificate.
Subject Name: SkypeFE1.domain.com Issuer: RapidSSL SHA256 CA
Cause: This can happen if the HTTPS certificate has expired, or is untrusted. The certificate serial number is attached for reference.
Resolution:
Please check the remote server and ensure that the certificate is valid. Also ensure that the full certificate chain of the Issuer is present in the local machine.
This error is repeated every minute. You will also see the following error, possibly more frequently:
EventID 47067
A server did not respond to HTTP request
Server SkypeFE01.domain.com did not respond to HTTP request LookupUserRequest targeted at https://SkypeFE01.domain.com:444/LiveServer/UserPinService.
Cause: Server might be down or the network path between servers might not be properly configured.
Resolution:
Please ensure that the server can be connected on the target port using telnet and then re-try.
This error is repeated every minute.
Cause:
When you import the certificate on the Front End server, it arrives together with a Root Certificate and an Intermediate Certificate. This is now common practice for all certificates; some providers supply two intermediate certificates and a root certificate. It is important that these certificates are placed into the correct certificate stores. The import process generally puts all of them into the Personal store of the server you are working on. It's up to you to move the Root and Intermediate Certificates to the appropriate stores.
Corrective Action:
If you open the certificate you just imported and go to the Certification Path tab, you will see the chain that matters here. The top-most certificate listed is the Root Certificate. It belongs in the Third-Party Root Certification Authorities store: find the corresponding certificate in the Personal store and move it there. The second certificate listed is an intermediate certificate and as such belongs in the Intermediate Certification Authorities store; move the corresponding certificate to that store. Once done, reboot the server and the errors should go away.
For help identifying misplaced root and intermediate certificates, run the following PowerShell command:
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\computer_filtered.txt"
This will output any certificate in the Trusted Root Certification Authorities store that is not self-signed (its Issuer differs from its Subject), which is the strict requirement for a certificate to belong there. I would recommend running this from time to time to ensure you haven't inadvertently placed a certificate in this store that shouldn't be there. If you find any, you can manually move them to the correct location.
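As an added example (not from the original post, and not Pat Richard's script mentioned below), the following PowerShell audits the Local Machine Personal store for the chain certificates an import leaves behind and, only when run with the -Move switch, relocates them to the stores named above; it then repeats the root-store check against both root stores. It assumes PowerShell 3.0 or later, run as administrator on the Front End server.

```powershell
# Added example: report (or, with -Move, relocate) CA certificates that an import
# left in the Local Machine Personal store. Not part of the original post.
param([switch]$Move)

$personal = Get-ChildItem Cert:\LocalMachine\My

foreach ($cert in $personal) {
    # The Front End's own certificate has a private key; root and intermediate certs do not.
    if ($cert.HasPrivateKey) { continue }

    # Only consider certificates that assert they are a CA via Basic Constraints.
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { continue }

    # Self-signed CA cert = root -> Third-Party Root CAs (AuthRoot).
    # CA cert signed by someone else = intermediate -> Intermediate CAs (CA).
    if ($cert.Subject -eq $cert.Issuer) { $target = 'AuthRoot'; $kind = 'root' }
    else                                { $target = 'CA';       $kind = 'intermediate' }

    Write-Host ("{0} CA certificate in Personal store: {1} (thumbprint {2}) -> LocalMachine\{3}" -f
        $kind, $cert.Subject, $cert.Thumbprint, $target)

    if ($Move) {
        # The Certificate provider supports Move-Item between stores (PowerShell 3.0+).
        Move-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -Destination "Cert:\LocalMachine\$target"
    }
}

# Post-move check: the post's own audit, extended to both root stores. Anything in a
# root store that is not self-signed does not belong there.
foreach ($store in 'Root', 'AuthRoot') {
    Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Issuer -ne $_.Subject } |
        ForEach-Object { Write-Warning ("Non-self-signed certificate in {0}: {1}" -f $store, $_.Subject) }
}
```

Run it once without -Move to review what it would relocate before letting it change any store.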
Fellow Skype for Business MVP and PowerShell Ninja Pat Richard has a script that nicely automates both the search for improperly placed certificates and moving them to their correct location. You can find out more about that script and download it over at UC Unleashed: "Function: Test-InvalidCerts – Ensuring Certificates Are In The Correct Certificate Store".