Test-FederationTrust says a certificate is expired but it isn't

  • Question

  • Recently replaced the Federation Trust Certificate on an Exchange 2010 SP3 server.

    When running the Test-FederationTrust command the following output is shown:

    RunspaceId : 9a7a44a8-##-92c5-7ae5f2f34979
    Id         : FederationTrustConfiguration
    Type       : Success
    Message    : FederationTrust object in ActiveDirectory is valid.

    RunspaceId : 9a7a44a8-##-92c5-7ae5f2f34979
    Id         : FederationMetadata
    Type       : Success
    Message    : The federation trust contains the same certificates published by the security token service in i
                 ion metadata.

    RunspaceId : 9a7a44a8-##92c5-7ae5f2f34979
    Id         : StsCertificate
    Type       : Success
    Message    : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.

    RunspaceId : 9a7a44a8-##-92c5-7ae5f2f34979
    Id         : StsPreviousCertificate
    Type       : Success
    Message    : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust objec

    RunspaceId : 9a7a44a8-##-92c5-7ae5f2f34979
    Id         : OrganizationCertificate
    Type       : Error
    Message    : Certificate referenced by property OrgPrivCertificate in the FederationTrust object is expired.

    However, the certificate referenced in the property for OrgPrivCertificate in the FederationTrust object is NOT expired.  It is the newly created certificate.

    Any suggestions please?

    Saturday, June 13, 2020 3:57 AM

Answers

  • Hi James,

    May I know which article was referenced when you replaced the certificate?
    Had the old certificate already expired when you replaced it?
    Could you please run the command below and get back to us with the output?

    Get-FederationTrust | fl Org*cert*

    Please go through the instructions in the official document below and make sure the renewal steps were complete:
    Renew the Federation Certificate

    Besides, aside from restarting IIS as mentioned by Andy, it’s also suggested to force an AD replication and see if there is any difference.

    What’s more, based on my research, after renewing the federation certificate, it can take 12-48 hours before the trust reports as being no longer expired. So if you have just finished the replacement, it’s suggested to wait for some time before running the Test-FederationTrust command.
    Reference: Microsoft Exchange Federation Certificates – Keep an eye on the expiry!
    (Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)

    Feel free to let me know with any updates.

    Regards,

    Yuki Sun


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Monday, June 15, 2020 7:58 AM
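The answer above asks for the `Get-FederationTrust | fl Org*cert*` output and then suggests restarting IIS, forcing AD replication and waiting out the 12-48 hour window. The script below is an added diagnostic, not code from the thread or from Microsoft: it reads the certificates the FederationTrust object references, looks each thumbprint up in the server's LocalMachine\My store to get the real NotBefore/NotAfter dates, and then re-runs Test-FederationTrust so the two verdicts can be compared side by side. It assumes it runs in the Exchange Management Shell on the Exchange 2010 SP3 server (PowerShell 2.0), that the Org*Certificate properties are X509Certificate2 objects (with a string-thumbprint fallback), and that the object's WhenChanged timestamp is a fair proxy for when the renewal was committed. It makes no changes.

```powershell
# Added diagnostic, not from the thread. Assumptions: Exchange Management Shell on the
# Exchange 2010 SP3 server, read access to the FederationTrust object and to the
# LocalMachine\My certificate store. Read-only: nothing is modified.

$trust = Get-FederationTrust | Select-Object -First 1
if (-not $trust) { throw "No FederationTrust object found in Active Directory." }

"Federation trust   : {0}" -f $trust.Name
# WhenChanged is the AD object's last-write time; used here as an approximation of when
# the renewal was committed (assumption: no later unrelated change to the object).
$age = (Get-Date) - $trust.WhenChanged
"Object last changed: {0}  ({1:N1} hours ago)" -f $trust.WhenChanged, $age.TotalHours

# The certificate-valued properties that the 'Org*cert*' filter in the thread matches.
$props = 'OrgCertificate','OrgPrivCertificate','OrgPrevCertificate','OrgPrevPrivCertificate',
         'OrgNextCertificate','OrgNextPrivCertificate'
$now = Get-Date

foreach ($prop in $props) {
    $value = $trust.$prop
    if ($null -eq $value) { "{0,-24}: <not set>" -f $prop; continue }

    # Normally an X509Certificate2; if the value came back as text, treat it as a
    # thumbprint string (assumption) after stripping whitespace.
    if ($value -is [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
        $thumb = $value.Thumbprint
    } else {
        $thumb = ([string]$value) -replace '\s', ''
    }

    # Resolve the thumbprint in the local computer store to get the real validity window.
    $installed = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumb } |
        Select-Object -First 1
    if (-not $installed) {
        "{0,-24}: thumbprint {1} NOT found in LocalMachine\My" -f $prop, $thumb
        continue
    }

    $state = if ($installed.NotAfter -lt $now)      { 'EXPIRED' }
             elseif ($installed.NotBefore -gt $now) { 'NOT YET VALID' }
             else                                    { 'valid' }
    "{0,-24}: {1}  {2:yyyy-MM-dd} -> {3:yyyy-MM-dd}  [{4}]  private key: {5}" -f `
        $prop, $thumb, $installed.NotBefore, $installed.NotAfter, $state, $installed.HasPrivateKey
}

# Re-run the trust test and show only the non-success checks, so the local store's
# verdict above can be compared with what the trust test reports.
$results = Test-FederationTrust
$failed  = @($results | Where-Object { $_.Type -ne 'Success' })
if ($failed.Count -gt 0) {
    "`nTest-FederationTrust reported {0} non-success result(s):" -f $failed.Count
    $failed | Format-Table Id, Type, Message -AutoSize -Wrap
} else {
    "`nTest-FederationTrust: all checks succeeded."
}
```

Reading the output: if the store shows OrgPrivCertificate as `valid` with a private key, the thumbprint matches the new certificate, and the object was changed less than 48 hours ago while Test-FederationTrust still reports `OrganizationCertificate` as `Error`, the situation matches the waiting guidance in the answer above. If the thumbprint is not found in LocalMachine\My, or the store date really is past NotAfter, the renewal itself did not complete and the Renew the Federation Certificate steps need to be re-checked before waiting any longer.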

All replies

  • Saturday, June 13, 2020 12:40 PM
  • Thanks for the reply but I'm not sure you read my post properly.  I've seen the article you referenced.
    Sunday, June 14, 2020 11:32 PM
  • Thanks for the reply but I'm not sure you read my post properly.  I've seen the article you referenced.

    Did you restart IIS or reboot the server after you renewed the cert?

    Sunday, June 14, 2020 11:51 PM
  • Yes, tried both.
    Thursday, June 18, 2020 1:45 AM
  • I used the same article you posted, https://docs.microsoft.com/en-us/previous-versions/office/exchange-server-2010/mt779252(v=exchg.141)

    The certificate had already expired so the replace method was used.  

    But now when I run Test-FederationTrust all results are successful, so it seems I just needed to wait for quite a while.

    Thank you to all for your assistance.

    Thursday, June 18, 2020 1:56 AM
  • Hi James,

    Great to know that all results are successful now and thanks for sharing the update. Below is a brief summary of this thread for quick reference:

    Issue Symptom:
    Recently replaced the Federation Trust Certificate on an Exchange 2010 SP3 server. But when running the Test-FederationTrust command, it shows:

    RunspaceId : 9a7a44a8-##-92c5-7ae5f2f34979
    Id         : OrganizationCertificate
    Type       : Error
    Message    : Certificate referenced by property OrgPrivCertificate in the FederationTrust object is expired.

    Possible Cause:
    It can take 12-48 hours before the trust reports show as being no longer expired. 

    Solution:
    “Now when I run Test-FederationTrust all results are successful, so it seems I just needed to wait for quite a while.”


    Regards,

    Yuki Sun


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Thursday, June 18, 2020 9:46 AM