Download and deploy Skype for Business certificates using PowerShell

If you want to connect the Surface Hub to an on-premises deployment of Skype for Business, you will first need to deploy the certificate chain used for the TLS encryption between the device and the server. If you are connecting to Office 365, this step is not necessary, because Office 365 uses publicly trusted certificates and the chains for these certificates are already present on the device. When you deploy the certificates, make sure that all the certificates the Surface Hub needs are in the same package. The PowerShell script below, which was used as a reference for this article, shows one way to retrieve the certificates.

  • Save the following lines as script.ps1 on your Desktop:

    # // first argument is mapped to $url
    param($url)
    
    # // Accept any server certificate for this session so the connection succeeds even
    # // when the chain is not yet trusted on this machine. The certificate is only
    # // retrieved here for export; nothing else in this session should rely on it.
    [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    [System.Uri] $u = New-Object System.Uri($url)
    [Net.ServicePoint] $sp = [Net.ServicePointManager]::FindServicePoint($u)
    [System.Guid] $groupName = [System.Guid]::NewGuid()
    
    # // create a request
    [Net.HttpWebRequest] $req = [Net.WebRequest]::create($url)
    $req.Method = "GET"
    $req.Timeout = 600000 # = 10 minutes
    $req.ConnectionGroupName = $groupName
    
    # // Set if you need a username/password to access the resource
    #$req.Credentials = New-Object Net.NetworkCredential("username", "password")
    
    # // Perform the request; after the TLS handshake the service point holds the server certificate
    [Net.HttpWebResponse] $result = $req.GetResponse()
    $result.Close()
    $sp.CloseConnectionGroup($groupName)
    
    # // Write the server certificate as DER (Export.cer) into the folder this script runs from
    $fullPathIncFileName = $MyInvocation.MyCommand.Definition
    $currentScriptName = $MyInvocation.MyCommand.Name
    $currentExecutingPath = $fullPathIncFileName.Replace($currentScriptName, "")
    $outfilename = $currentExecutingPath + "Export.cer"
    [System.Byte[]] $data = $sp.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($outfilename, $data)
    Write-Host $outfilename
    

    Note - We left out the last line in the original script, as we don't need to add the certificates on the machine where we are running the script. We will package the certificates up and deploy them on the Surface Hub.

  • Start PowerShell as Administrator, navigate to the path where you saved the PowerShell script, and run the following command:
    .\script.ps1 https://lyncdiscoverinternal.yoursipdomain.com
    Note - Make sure you put https:// in front of the lyncdiscover record, otherwise the script will fail.

  • The script will save the certificate chain (Export.cer) to the same location where the script is located (Desktop)

  • Open the certificate chain and go to "Certification path"

  • You will need to export the root and intermediate (if there is one) certificates and save them locally. Please note that the server certificate does not need to be saved, only the certificates above it in the chain.

  • Double-click the certificate you want to save, go to Details, and select "Copy to File"

  • Select DER encoding (.CER)
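    The manual steps above (open the Certification path, Copy to File, DER encoding) can also be scripted. The following script is an added example and is not part of the original article or script: it rebuilds the certification path from Export.cer with the .NET X509Chain class and writes every certificate above the server certificate as a DER .cer file, named after the provisioning-package section it belongs to. It assumes Export.cer sits next to the script; the ChainExport folder and the file-naming scheme are choices made for this example.

```powershell
# Added example, not part of the original article: export everything above the
# server certificate in Export.cer as DER .cer files.
# Assumption: Export.cer (from script.ps1) is in the same folder as this script;
# the ChainExport folder and the file names are choices made here.
param(
    [string]$LeafPath = (Join-Path $PSScriptRoot 'Export.cer'),
    [string]$OutDir   = (Join-Path $PSScriptRoot 'ChainExport')
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $LeafPath

# Let Windows build the certification path (what the viewer's "Certification path" tab shows).
# Unknown roots are tolerated only so the elements are still returned when the root is not
# yet installed on this workstation; this does not make anything trusted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
if (-not $chain.Build($leaf)) {
    foreach ($s in $chain.ChainStatus) { Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation) }
}
if ($chain.ChainElements.Count -lt 2) {
    throw "Only the server certificate was found; the issuing CA certificate could not be located on this machine."
}

# Element 0 is the server (leaf) certificate, which the Surface Hub does not need.
$exported = for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
    $cert = $chain.ChainElements[$i].Certificate
    # A self-issued certificate is the root; everything else in the path is an intermediate CA.
    $section = if ($cert.Subject -eq $cert.Issuer) { 'RootCertificates' } else { 'CACertificates' }
    $name = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false) -replace '[^\w\.-]', '_'
    $file = Join-Path $OutDir ("{0}_{1}.cer" -f $section, $name)
    # X509ContentType.Cert produces DER, the same as "Copy to File" with DER encoding.
    [System.IO.File]::WriteAllBytes($file, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    [pscustomobject]@{ Section = $section; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; File = $file }
}
$exported | Format-Table -AutoSize
```

    Files prefixed RootCertificates_ go into the RootCertificates section of the package and files prefixed CACertificates_ into CACertificates; compare the listed thumbprints with what the Certification path tab shows before building the package.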

  • Once you have saved the certificates locally, create the Provisioning package using Imaging and Configuration Designer (see the admin guide for more details)

  • The Root CA goes into RootCertificates, and the Intermediate CA goes into CACertificates
    Note - All certificates that are part of the chain need to go into one package

  • Build the package and deploy it to the device

Note: Before deploying the new package to the Hub, make sure you first remove the packages that were installed for this same purpose. After the old packages are removed, reboot the device. Install the new package containing the correct certificates, then reboot the device again.