Blog Post

Exchange Team Blog
10 MIN READ

TLS Certificates in Exchange Hybrid - Common Issues & How to Fix them

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Jun 04, 2025
Overview of Hybrid Mail Flow The Hybrid deployment between Exchange Server (on-premises) and Exchange Online provides secure mail routing between on-premises and Exchange Online organization with t...
Updated Jun 13, 2025
Version 3.0
exchange 2016
exchange 2019
exchange online
hybrid
protocols
tips 'n tricks
transport
troubleshooting
Matt1983's avatar
Matt1983
Copper Contributor
Jun 25, 2025

As you may know, Google Chrome Root Program Policy will forbid soon public certificates including "Client Authentication" EKU. Some CA Browsers will stop to sell such certificates in a few months (15th of September 2025 for ssl.com, 1st of October 2025 for Digicert...).

Example: https://www.ssl.com/blogs/removal-of-the-client-authentication-eku-from-tls-server-certificates-what-you-need-to-know/

How Exchange hybrid mode will be affected by this change? As of today all of my customers use public Exchange certificate that have the following two EKUs: "client authentication" + "server authentication". I haven't see anything regarding the EKUs inside the official documentation.

@EHLO Team, can you please clarify this point?