Exchange public certificate renewal

  • Question

  • Hi,

    We have a hybrid Exchange environment with ADFS authentication. Our public certificate will expire soon.

    What is the procedure to renew it?

    Does it need downtime?

    A kind request for valuable advice.

    Ashraf

    Thursday, November 21, 2019 6:28 AM

Answers

  • Hi P T Ashraf,
    It's recommended to click Renew in the EAC, then contact the vendor to extend its validity period, apply it to the correct Exchange services on-prem and then re-run the Hybrid Wizard, choosing the new cert for transport.

    Regards,

    Eric Yin


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, November 22, 2019 10:37 AM
  • Hi,

    Version: Exchange 2013 (CU22)

    We have successfully updated the public certificate for our hybrid messaging environment. Let me list the steps here so that someone may benefit.

    We already had the certificate file with a password, which we received from the security department. Let me explain.

    1. Copied the certificate file to the CAS and Mailbox servers.

    2. Imported the certificate on each server by the installation method (the certificate type should be machine).

    3. Got the thumbprint of the new certificate using the command Get-ExchangeCertificate.

    4. Enabled the new certificate for the IIS service using the command below:

       Enable-ExchangeCertificate -Thumbprint "<new-certificate-thumbprint>" -Services IIS

    5. Verified the binding settings in IIS Manager for the new certificate.

    6. Updated the certificate on the ADFS servers.

    7. Updated Azure about the new certificate change using the command below:

       Update-MsolFederatedDomain -DomainName <domain>

    8. Updated the ADFS configuration in Exchange for the new certificate using the command below:

       Set-OrganizationConfig -AdfsSignCertificateThumbprints "<adfs-signing-certificate-thumbprint>"

       Restarted the IIS services on all CAS servers.

    9. Updated the load balancer configuration with the new certificate for both internal and external (if you have an LB for email).

    This finishes the certificate update for the IIS service.

    The second part is the certificate for the SMTP service.

    1. Enable the new certificate for the SMTP service:

       Enable-ExchangeCertificate -Thumbprint "<new-certificate-thumbprint>" -Services SMTP

       After this, there might be a receive connector TlsCertificateName issue, which can be fixed with the commands below:

       $cert = Get-ExchangeCertificate -Thumbprint <new-certificate-thumbprint>
       $tlscertificatename = "<I>$($cert.Issuer)<S>$($cert.Subject)"
       Set-ReceiveConnector "CAS-1\Client Frontend CAS-1" -TlsCertificateName $tlscertificatename

    2. To verify the certificate change, use the command below:

       openssl s_client -connect <smtp-server>:587 -starttls smtp

       If you still get the old certificate info, remove the old certificate using the command below:

       Remove-ExchangeCertificate -Thumbprint "<old-certificate-thumbprint>"

    3. Run the Hybrid Wizard to reflect the new certificate for Office 365 mail flow.

    Regards

    Ashraf

    • Marked as answer by P T Ashraf Monday, December 9, 2019 8:30 AM
    Monday, December 9, 2019 8:30 AM
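The procedure from the answer above as one Exchange Management Shell script, added here as an example; it is not code from the thread or from Microsoft. It imports the PFX on every server, enables it for IIS and SMTP, points every frontend receive connector (port 25 and 587, not only "Client Frontend") and the hybrid send connector at the new certificate by issuer/subject, and then connects to each endpoint over TLS and STARTTLS to report which thumbprint is really presented, so the old certificate is only removed once nothing still serves it. The PFX path, server names, public host name and send connector name are assumptions (placeholders), as marked in the comments. The ADFS steps (Update-MsolFederatedDomain and Set-OrganizationConfig -AdfsSignCertificateThumbprints) are left out on purpose: that parameter holds the thumbprint of the AD FS token-signing certificate, so those steps only apply if that certificate was replaced as well, not when only the public SSL certificate was renewed.

```powershell
# Added example, not code from the original thread. Run in the Exchange Management Shell (Exchange 2013).
# Assumptions (placeholders, not from the thread): PFX on a UNC share, server names, public name,
# and the hybrid send connector carrying the default name the Hybrid Wizard gives it.
$PfxPath             = '\\fileserver\certs\mail-contoso-com.pfx'   # assumed path
$PublicName          = 'mail.contoso.com'                           # assumed public name (SNI / subject)
$Servers             = 'CAS-1', 'CAS-2', 'MBX-1'                    # assumed server names
$HybridSendConnector = 'Outbound to Office 365'                     # assumed connector name
$PfxPassword         = Read-Host -AsSecureString -Prompt 'PFX password'

# Take the thumbprint from the PFX itself so every step targets exactly this certificate,
# not whatever Get-ExchangeCertificate happens to list first.
$pfx   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
$thumb = $pfx.Thumbprint
if ($pfx.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate $thumb expires $($pfx.NotAfter); not deploying it." }
# Exchange selects the SMTP/TLS certificate by issuer and subject in exactly this format.
$tlsName = "<I>$($pfx.Issuer)<S>$($pfx.Subject)"

foreach ($srv in $Servers) {
    # Import into the machine store of each server (skip servers that already have it).
    if (-not (Get-ExchangeCertificate -Server $srv -Thumbprint $thumb -ErrorAction SilentlyContinue)) {
        Import-ExchangeCertificate -Server $srv -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) -Password $PfxPassword | Out-Null
    }
    # IIS and SMTP in one call; -Force suppresses the "overwrite the default SMTP certificate" prompt.
    Enable-ExchangeCertificate -Server $srv -Thumbprint $thumb -Services IIS,SMTP -Force
    # A frontend receive connector that still names the old certificate keeps presenting it,
    # so update all of them (Default Frontend on 25 and Client Frontend on 587), not just one.
    Get-ReceiveConnector -Server $srv |
        Where-Object { $_.TransportRole -eq 'FrontendTransport' } |
        Set-ReceiveConnector -TlsCertificateName $tlsName
    iisreset $srv /noforce | Out-Null
}
# Re-running the Hybrid Wizard sets this too; doing it explicitly makes the change reviewable.
Set-SendConnector -Identity $HybridSendConnector -TlsCertificateName $tlsName

function Get-PresentedCertThumbprint {
    # Opens a TLS session (optionally after SMTP STARTTLS, RFC 3207) and returns the thumbprint the
    # server presents. Validation is disabled on purpose: we want to see the certificate, not judge it.
    param([string]$ComputerName, [int]$Port, [string]$TargetHost, [switch]$StartTls)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $stream = $client.GetStream()
    if ($StartTls) {
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        $null = $reader.ReadLine()                                    # 220 banner
        $writer.WriteLine('EHLO certcheck.local')
        do { $line = $reader.ReadLine() } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')  # multi-line 250
        $writer.WriteLine('STARTTLS')
        if ($reader.ReadLine() -notmatch '^220') { $client.Close(); throw "$ComputerName`:$Port refused STARTTLS" }
    }
    $noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($stream, $false, $noCheck)
    $ssl.AuthenticateAsClient($TargetHost)     # TargetHost sets SNI, so the public name is offered
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $client.Close()
    return $presented.Thumbprint
}

# Check each server directly (HTTPS, submission, inbound SMTP) and the public name (load balancer).
$targets = @(
    foreach ($srv in $Servers) {
        @{ Host = $srv; Port = 443; StartTls = $false }
        @{ Host = $srv; Port = 587; StartTls = $true }
        @{ Host = $srv; Port = 25;  StartTls = $true }
    }
    @{ Host = $PublicName; Port = 443; StartTls = $false }
    @{ Host = $PublicName; Port = 25;  StartTls = $true }
)
$stale = @()
foreach ($t in $targets) {
    $seen = Get-PresentedCertThumbprint -ComputerName $t.Host -Port $t.Port -TargetHost $PublicName -StartTls:([bool]$t.StartTls)
    if ($seen -eq $thumb) { $state = 'OK' }
    else { $state = 'OLD CERTIFICATE STILL PRESENTED'; $stale += "$($t.Host):$($t.Port)" }
    '{0,-22} {1,4}  {2}  {3}' -f $t.Host, $t.Port, $seen, $state
}
# Remove the old certificate only when nothing presents it any more: removing a certificate that a
# connector still names by issuer/subject breaks TLS on that connector.
if ($stale.Count -eq 0) { Write-Host "All endpoints present $thumb; the old certificate can now be removed with Remove-ExchangeCertificate." }
else { Write-Warning "Still presenting the old certificate: $($stale -join ', ')" }
```

A line reading OLD CERTIFICATE STILL PRESENTED against the public name while every server reports OK points at the load balancer terminating TLS with its own copy of the old certificate (step 9 in the answer); against a single server on port 25 or 587 it points at a receive connector whose TlsCertificateName was not updated. The script does not remove anything itself; run Remove-ExchangeCertificate by hand once all rows show the new thumbprint.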

All replies

  • I'm pleased to know that the information is helpful to you.

    Here I will provide a brief summary of this post so that other forum members can easily find useful information here:
    [Exchange Server > Exchange Server 2013 - Exchange public certificate renewal — Summary]

    Issue Symptom:
    The certificate in a hybrid Exchange environment will expire soon.

    (Possible) Cause:
    A long time has passed since the certificate was installed.

    Solution:
    The steps listed in P T Ashraf's answer above: update the certificate for the IIS service, then for the SMTP service, then run the Hybrid Wizard to reflect the new certificate for Office 365 mail flow.

    Thursday, November 28, 2019 10:02 AM