Forum Discussion

dmxdawid, Jan 28, 2024 (Solved)

Get-ExchangeCertificate shows blank on Exchange 2019 after the latest updates

Hi,

I run Get-ExchangeCertificate and it shows blank:

[PS] C:\Windows\system32>Get-ExchangeCertificate

Thumbprint Services Subject
---------- -------- -------

I renewed the Microsoft Exchange Server Auth Certificate with MonitorExchangeAuthCertificate.ps1.

I restarted the servers and it is still the same.
Do you have a solution?
Thanks


2 Replies

  • RohanDhanji

    Issue:

    The Get-ExchangeCertificate command gives blank output on Microsoft Exchange Server 2016/2019.

    Cause:

    The blank output appears because Serialized Payload Signing is enabled and the Exchange Auth certificate is expired or missing.

    If only the Exchange Auth certificate is expired or missing and Serialized Payload Signing is not enabled on the Exchange server, then the Get-ExchangeCertificate cmdlet will still show values in the output.

    https://support.microsoft.com/en-us/topic/certificate-signing-of-powershell-serialization-payload-in-exchange-server-90fbf219-b0dd-4b2c-8a68-9d73b3309eb1 (refer to the Known issues section).

    What is PowerShell Serialization Payload Signing in Exchange Server:

    Starting with the January 2023 Security Updates (SU) for Microsoft Exchange Server, Microsoft introduced a new feature that enables admins to configure certificate-based signing of PowerShell serialization payloads.

    This feature has been enabled by default since the November 2023 Security Updates (SU) on all Exchange Server 2016/2019 servers.

    Certificate-based signing of the PowerShell Serialization Payload is a Defense-in-Depth security feature to prevent malicious manipulation of serialized data exchanged in Exchange Management Shell (EMS) sessions.

    This feature uses the Exchange Server Auth Certificate to sign the serialized data. Therefore, it is very important that the certificate configured as the Auth Certificate is valid (not expired) and available on all Exchange Servers (except the Edge Transport role and the Exchange Management Tools role) within the organization.

    * Refer to the article below for a detailed explanation of PowerShell Serialization Payload Signing in Exchange Server.

    https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-serialization-payload-sign

    Solution:

    If the Exchange Auth certificate is missing, then we need to install a new Exchange Auth certificate on the Exchange Server. It can take 24 hours before it becomes valid.

    If the Exchange Auth certificate already exists and Get-ExchangeCertificate shows blank output, it means the certificate is expired or corrupted. The resolution steps are as below.

    Download the MonitorExchangeAuthCertificate.ps1 PowerShell script and place it in the folder C:\Scripts.

    URL to download the script:

    https://github.com/microsoft/CSS-Exchange/releases/latest/download/MonitorExchangeAuthCertificate.ps1

    Open the Exchange Management Shell and run the command below to check the Exchange Auth certificate status. To run the script, the logged-in account must be a member of the Organization Management role group.

    C:\Scripts>.\MonitorExchangeAuthCertificate.ps1

    The output shows that the Exchange Auth certificate needs to be replaced by a new one.

    Output:

    "Test result: The Auth Certificate in use must be replaced by a new one."

    Run the command below to renew the Microsoft Exchange Auth certificate.

    C:\scripts>.\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true -IgnoreHybridConfig $true -Confirm:$false

    The output shows that the renewal action was performed successfully.

    Output:

    "The renewal action was successfully performed - the new Auth Certificate will become active on: "

    Run the MonitorExchangeAuthCertificate.ps1 script again to check the Exchange Auth certificate status.

    C:\Scripts>.\MonitorExchangeAuthCertificate.ps1

    The output shows that the Auth certificate is valid.

    Output:

    "Test result: No renewal action is required"

    Run IISRESET and wait for some time.

    Run the Get-ExchangeCertificate cmdlet and verify that the output now shows values instead of being blank. Reboot the server if the certificates are still blank.

    Get-ExchangeCertificate

    Important:

    If there is an Exchange Hybrid environment, then we need to rerun the Hybrid Configuration Wizard.

    - Rohan Dhanji.
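A check in the spirit of the steps above, added here as an example and not part of Rohan's answer or of Microsoft's script: it reads the Auth certificate thumbprint from Get-AuthConfig and verifies on every mailbox server that the certificate is present, not expired and has a private key. It assumes an Exchange Management Shell session with Organization Management rights; the mailbox-role filter is an assumption about a typical deployment.

```powershell
# Added example, not from the original post. Run in an Exchange Management
# Shell as a member of the Organization Management role group.
$authConfig = Get-AuthConfig
$thumbprint = $authConfig.CurrentCertificateThumbprint
if (-not $thumbprint) {
    Write-Warning "No current Auth certificate thumbprint is configured."
    return
}
Write-Host "Configured Auth certificate thumbprint: $thumbprint"
if ($authConfig.NextCertificateThumbprint) {
    # A pending certificate (as after a renewal) is reported but not checked.
    Write-Host ("Next Auth certificate {0} becomes effective on {1}" -f `
        $authConfig.NextCertificateThumbprint, $authConfig.NextCertificateEffectiveDate)
}

# Edge Transport and Management Tools installs do not hold the Auth
# certificate, so only mailbox servers are checked (assumed role filter).
$servers = Get-ExchangeServer | Where-Object { $_.IsMailboxServer }
$results = foreach ($server in $servers) {
    try {
        $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumbprint -ErrorAction Stop
        [pscustomobject]@{
            Server   = $server.Name
            Present  = $true
            NotAfter = $cert.NotAfter
            Expired  = ($cert.NotAfter -lt (Get-Date))
            HasKey   = $cert.HasPrivateKey
        }
    } catch {
        # Lookup failed: the certificate is not in this server's store.
        [pscustomobject]@{ Server = $server.Name; Present = $false; NotAfter = $null; Expired = $null; HasKey = $null }
    }
}
$results | Format-Table -AutoSize

$bad = $results | Where-Object { -not $_.Present -or $_.Expired -or -not $_.HasKey }
if ($bad) {
    Write-Warning ("Auth certificate missing, expired or without a private key on: " + ($bad.Server -join ', '))
    Write-Warning "Renew it with MonitorExchangeAuthCertificate.ps1 as described in the answer above."
} else {
    Write-Host "Auth certificate is present and valid on all mailbox servers."
}
```

In the blank-output state described in the question the per-server lookup itself returns nothing usable, which this check reports as a missing or invalid certificate rather than hiding it.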

  • Next day I ran Get-ExchangeCertificate again and it looks good. Solution: wait after the operation that renews the OAuth cert.