SHA512 certificates preventing RTCSRV from starting

Hi All

just a quick note about SHA512 certificates and their effect on Lync Server 2013 and Skype for Business 2015. If your Certificate Authority issues certificate with a SHA512 signature hash algorithm (which is where a lot of organisations are now moving to *from sha1*), there is a problem with using these certificates on Windows Server 2012 R2 (and Windows Server 2012, and 2008 R2) if you do not have a particular hotfix installed.

When you try to start a on premises Front End Pool for Skype for Business 2015 or Lync Server 2013 you'll start seeing these errors in the System Event log.

This issue happens when the Pool certificate you are using has a Signature hash algorithm of sha512RSA

The good news is the fix is easy, go and install the hotfix from https://support.microsoft.com/kb/2975719. So if you hit this go and install the hotfix. 

Interestingly, the first server in a Front End Pool appears to successfully start the RTCSRV service, it's just the 2nd+ servers attempting to start the RTCSRV service that fails. The key is check if you have sha512 certs, and if you are getting the Schannel errors.

 

Happy Skype/Lync'ing.

Steve