As part of a Microsoft Exchange 2016 installation, a self-signed certificate called “Microsoft Exchange Server Auth Certificate” is created. It is used for server-to-server authentication and integration using OAuth within your Exchange organization, for example when integrating Exchange 2016 with SharePoint or Skype for Business. You can view this certificate in the local computer certificate store or in the Exchange Admin Center under Servers > Certificates. More detail on digital certificates and encryption in Exchange can be found on TechNet.
Although self-signed, it is one of the important components of an Exchange server. If for some reason this certificate is missing from your Exchange Server 2016, you will see the following warning in Event Viewer, in the Application log of the Exchange 2016 server.
Federation or Auth certificate not found: “Certificates-thumbprint”. Unable to find the certificate in the local or neighboring sites. Confirm that the certificate is available in your topology and if necessary, reset the certificate on the Federation Trust to a valid certificate using Set-FederationTrust or Set-AuthConfig. The certificate may take time to propagate to the local or neighboring sites.
As described earlier, a missing Auth certificate breaks server-to-server authentication and the integrations that depend on it. What do you do when you run into this issue, and how do you fix it? The steps below restore the certificate.
Follow the instructions below, run from the Exchange Management Shell, to fix the “Federation or Auth certificate not found” issue in your Exchange 2013 or 2016 organization.
# 1. Create a new self-signed Auth certificate (replace *.DOMAINNAME.COM with your own domain).
#    If prompted to overwrite the existing default SMTP certificate, answer No.
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "CN=Microsoft Exchange Server Auth Certificate" -DomainName "*.DOMAINNAME.COM" -FriendlyName "Microsoft Exchange Server Auth Certificate" -Services SMTP
# 2. Make the new certificate the next Auth certificate, effective now (use the thumbprint returned by step 1).
$date = Get-Date
Set-AuthConfig -NewCertificateThumbprint <certificate_thumbprint> -NewCertificateEffectiveDate $date
# 3. Publish the new certificate to the other Exchange servers in the organization.
Set-AuthConfig -PublishCertificate
# 4. Remove the reference to the old (missing) certificate.
Set-AuthConfig -ClearPreviousCertificate
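The following script, added here as an example and not part of the original post, first checks whether the thumbprint recorded in the AuthConfig actually exists in the local machine certificate store (the condition behind the event above) and only then runs the same regeneration steps. It assumes the Exchange Management Shell, a placeholder domain name in $DomainName, and the $Regenerate switch as a dry-run guard.

```powershell
# Added example (not the post's own commands): detect a missing Auth certificate
# before regenerating it. Run in the Exchange Management Shell.
$Regenerate = $false              # set to $true to actually replace the certificate
$DomainName = '*.DOMAINNAME.COM'  # placeholder, use one of your accepted domains

$authConfig = Get-AuthConfig
$thumb = $authConfig.CurrentCertificateThumbprint
Write-Host "AuthConfig currently references thumbprint: $thumb"

# Exchange keeps its certificates in the local machine personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }

if ($cert) {
    Write-Host "OAuth certificate present: $($cert.Subject), expires $($cert.NotAfter)"
    return
}

Write-Warning "No certificate with thumbprint $thumb in Cert:\LocalMachine\My; this matches the 'Federation or Auth certificate not found' event."

if (-not $Regenerate) {
    Write-Host 'Set $Regenerate = $true to create and publish a new Auth certificate.'
    return
}

# Same four steps as the post: create, assign, publish, clear the old reference.
$newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName 'CN=Microsoft Exchange Server Auth Certificate' `
    -DomainName $DomainName `
    -FriendlyName 'Microsoft Exchange Server Auth Certificate' `
    -Services SMTP   # answer No if asked to overwrite the default SMTP certificate

Set-AuthConfig -NewCertificateThumbprint $newCert.Thumbprint -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate
Write-Host "AuthConfig now references $((Get-AuthConfig).CurrentCertificateThumbprint)"
```

Run it on each Exchange server in the organization to confirm the published certificate has propagated, since the event notes that propagation to neighboring sites can take time.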