Lync 2013 Server O-Auth Certificate Renewal


I am trying to renew the O-Auth Certificate from one of the Front-end Servers and I am facing some issues with it.

When using the Lync Server 2013 Deployment Wizard to request the O-Auth Certificate from the Internal CA, the process goes well, but at the end the current certificate is not updated.

I can see the same certificate is replicated to the other FEs (which is the default behavior), but it fails to apply on the other FEs as well. I can see the following event logs on every FE:

The replication of certificates from the central management store to the local machine failed due to a problem with certificate processing or installation on the local machine Microsoft Lync Server 2013, Replica Replicator Agent will continuously attempt to retry the replication. While this condition persists, the certificates on the local machine will not be updated.

Exception: System.Security.Cryptography.CryptographicException: Access is denied.

   at System.Security.Cryptography.X509Certificates.X509Store.RemoveCertificateFromStore(SafeCertStoreHandle safeCertStoreHandle, SafeCertContextHandle safeCertContext)
   at Microsoft.Rtc.Management.Common.Certificates.CertUtils.AddCertificateToStore(X509Certificate2 cert, StoreName storeName, IManagementReporter reporter)
   at Microsoft.Rtc.Management.Deployment.Core.Certificate.ImportFromPinnedArray(PinnedByteArray pfx, Boolean allowSelfSigned)
   at Microsoft.Rtc.Management.Deployment.Core.Certificate.ReplicateCMSCertificates(IScopeAnchor scope)
   at Microsoft.Rtc.Internal.Tools.Bootstrapper.Bootstrapper.ReplicateCMSCertificates().
Cause: The certificate provisioned in the central management store is invalid or cannot be handled on the local machine.
Resolution:
Ensure that certificates provisioned in the central management store are valid, have all needed issuer certificates included or installed on the local machine, and can be used with cryptographic providers available on the local machine.

I have checked the replication status and Replication is true.

Has anyone come across a similar situation?

I have read in another thread that this is due to the Root CA having a private key. I have checked the server and I can see the Root CA with a private key. How can I remove the private key from the Root CA only on the Lync Servers?

https://social.technet.microsoft.com/Forums/ie/en-US/47014b21-33d4-4a59-ba52-5cf537d14104/event-id-3039-lync-2013-internal-oauth-certificate?forum=lyncdeploy

Any help will be greatly appreciated.

Answer from Leon:

I had a similar issue. Turned out the CA certificate in multiple front-end servers' certificate stores had a private key! Wrong on so many levels. Deleted all copies of the CA cert with a private key and copied it again without, and then it all worked.
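The condition the question and the answer both describe (a CA certificate sitting in a front-end server's machine store with a private key attached) can be audited before anything is deleted. The script below is an added example written for this thread, not code from the original post, from Leon, or from Microsoft. It walks the LocalMachine Root and CA stores, lists every certificate that carries a private key, flags whether it is a CA certificate via its Basic Constraints extension, and exports the public part of each one as a DER `.cer` so it can be re-imported cleanly after the keyed copy is removed. The store names, the export directory and the `Get-CaCertsWithPrivateKey` function name are assumptions for illustration.

```powershell
# Added example (not from the original question or answer): audit the local machine's
# Root and CA certificate stores for certificates that carry a private key.
# A CA certificate in LocalMachine\Root or LocalMachine\CA should normally be public only;
# a private key attached to one of these is the condition the thread describes.
# $StoreNames and $ExportDir are assumed values, not anything from the page.

param(
    [string[]]$StoreNames = @('Root', 'CA'),
    [string]$ExportDir = "$env:TEMP\ca-audit"   # hypothetical export location
)

function Get-CaCertsWithPrivateKey {
    param([string[]]$Stores)
    foreach ($storeName in $Stores) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadOnly')
        try {
            foreach ($cert in $store.Certificates) {
                if (-not $cert.HasPrivateKey) { continue }

                # Basic Constraints tells us whether this really is a CA certificate.
                $isCa = $false
                foreach ($ext in $cert.Extensions) {
                    if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
                        $isCa = $ext.CertificateAuthority
                    }
                }

                [pscustomobject]@{
                    Store      = $storeName
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    IsCA       = $isCa
                }
            }
        } finally {
            $store.Close()
        }
    }
}

$offenders = @(Get-CaCertsWithPrivateKey -Stores $StoreNames)
if ($offenders.Count -eq 0) {
    Write-Host "No certificates with private keys found in LocalMachine stores: $($StoreNames -join ', ')"
    return
}

$offenders | Format-Table Store, Subject, Thumbprint, NotAfter, IsCA -AutoSize

# Export the public certificate (DER, no private key) of each offender so it can be
# re-imported after the keyed copy is removed, as the accepted answer describes.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
foreach ($o in $offenders) {
    $cert = Get-Item "Cert:\LocalMachine\$($o.Store)\$($o.Thumbprint)"
    $path = Join-Path $ExportDir "$($o.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $path -Type CERT | Out-Null
    Write-Host "Exported public certificate for '$($o.Subject)' to $path"
}
```

Run it in an elevated PowerShell session on each front-end server. Only rows with `IsCA` set to `True` are the problem this thread is about; a server's own service certificates (which legitimately have private keys) live in `LocalMachine\My`, so they are not scanned here. Once the keyed CA copy has been removed from the listed store and the exported `.cer` re-imported into `Cert:\LocalMachine\Root` (for a root) or `Cert:\LocalMachine\CA` (for an intermediate), re-run the script to confirm nothing in those two stores still reports `HasPrivateKey`, then re-check the CMS replication status and the event log on that FE.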