Forum Discussion

sandiven1154
Copper Contributor
Mar 18, 2026

Issue with certificate renewal for exchange Edge Transport Server

Hello team,


I have come across a very particular problem.
I deployed 2 Exchange Server 2019 servers with one Edge Transport server.

When we are renewing the certificates with a wildcard certificate on both Mailbox servers and on the Edge Transport server, it is impossible for me to renew the Edge Subscription.


It says the certificate is in "doublon" (repetitive) on one of the Exchange servers. I have always been using the same certificate on Exchange servers, be it Edge or Mailbox.

I tested a bogus, different certificate on Mailbox and on Edge; only then does the Edge sync work.

Did anybody come across this issue?


Thanks

2 Replies

  • Hi,

    What you are describing is a known type of issue that can happen with Edge Subscription renewal / re-subscription when the same third-party wildcard certificate is installed across both Mailbox servers and the Edge Transport server.

    The problem is usually not that wildcard certificates are unsupported, but that Exchange can become confused during Edge Subscription validation when multiple servers present certificates with:

    • Same Subject
    • Same SAN values
    • Same issuer
    • Sometimes same imported chain/friendly naming
    • Multiple eligible SMTP certs in the org

    This can lead to “duplicate / doublon / repetitive certificate” style errors.

    Important clarification

    The Edge Subscription process does not require using the same public wildcard certificate across all servers.

    Exchange EdgeSync primarily uses:

    • Edge Subscription trust
    • AD LDS on Edge
    • Internal secure synchronization channels
    • SMTP TLS configuration separately

    So using separate certificates is often cleaner.

    Why your test with different certificates worked

    That strongly suggests Exchange was selecting or validating the wrong certificate object when generating/importing the new Edge Subscription.

    This is especially common when:

    • Same wildcard cert exists on multiple Exchange servers
    • Old expired cert still present
    • Multiple SMTP-enabled certs remain assigned
    • Thumbprints overlap in selection logic

    Recommended Fix

    Option 1 (Best Practice)

    Use a separate certificate for Edge.

    Keep wildcard on Mailbox servers and use another public/internal cert for Edge SMTP.

    Many admins do exactly this.

    Option 2 (If keeping same wildcard)

    Clean certificate assignments first.

    Check all certs:

    Get-ExchangeCertificate | fl Thumbprint,Subject,Services,NotAfter

    Remove old/unused duplicates.

    Ensure only intended SMTP cert is enabled.

    Recreate Edge Subscription fully:

    Remove-EdgeSubscription
    New-EdgeSubscription -FileName c:\EdgeSubscription.xml

    Then import again on Mailbox server.

    Option 3

    Use the same wildcard cert, but re-import fresh PFX separately on Edge and Mailbox so private key/container metadata differs cleanly.

    Sometimes old migrated cert stores cause issues.

    My Real-World Recommendation

    For Exchange 2019:

    Mailbox Servers

    • Wildcard cert for HTTPS / SMTP if needed

    Edge Server

    • Separate public cert or dedicated SAN cert

    Cleaner operationally and avoids subscription confusion.

    Also Check

    Send Connectors after re-subscription

    Get-SendConnector

    EdgeSync status

    Test-EdgeSynchronization

    Event Viewer

    Look for:

    • MSExchange EdgeSync
    • Transport
    • Certificate validation errors

    Honest Field Experience Note

    Many environments try to standardize one wildcard everywhere, but Edge Transport often behaves better with its own cert.

    Your successful bogus-cert test is already the strongest troubleshooting clue.

    My Conclusion

    This is likely a certificate selection collision, not a certificate renewal failure.

    Separate cert for Edge = safest long-term fix.

    Hope this helps.
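As an added example (not part of the reply above or any Microsoft tooling): a PowerShell snippet for the Exchange Management Shell that checks the three collision conditions the reply lists, using only the standard output properties of Get-ExchangeCertificate. Run it on each Mailbox server and on the Edge server before re-subscribing.

```powershell
# Added example, not from the thread. Inventory the local Exchange certificate
# store and flag the conditions that can confuse Edge Subscription validation:
#   1. several certificates with the same Subject and Issuer (the "doublon")
#   2. expired certificates still present in the store
#   3. more than one certificate enabled for the SMTP service
# Assumes the standard properties of Get-ExchangeCertificate only.

$certs = Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Issuer, Services, NotAfter, CertificateDomains, IsSelfSigned

# 1. Duplicate Subject/Issuer pairs
$dupes = $certs | Group-Object Subject, Issuer | Where-Object { $_.Count -gt 1 }
foreach ($g in $dupes) {
    Write-Warning ("Duplicate Subject/Issuer: {0}" -f $g.Name)
    $g.Group | Format-Table Thumbprint, NotAfter, Services -AutoSize
}

# 2. Expired certificates that were never removed
$expired = $certs | Where-Object { $_.NotAfter -lt (Get-Date) }
foreach ($c in $expired) {
    Write-Warning ("Expired cert still present: {0} ({1}), expired {2}" -f $c.Thumbprint, $c.Subject, $c.NotAfter)
}

# 3. Multiple SMTP-enabled certificates (Services is a flags enum; -match stringifies it)
$smtp = @($certs | Where-Object { $_.Services -match 'SMTP' })
if ($smtp.Count -gt 1) {
    Write-Warning ("{0} certificates are SMTP-enabled; Edge Subscription may select the wrong one:" -f $smtp.Count)
    $smtp | Format-Table Thumbprint, Subject, NotAfter -AutoSize
} elseif ($smtp.Count -eq 1) {
    Write-Host ("Single SMTP cert in use: {0} ({1})" -f $smtp[0].Thumbprint, $smtp[0].Subject)
} else {
    Write-Warning "No certificate is enabled for SMTP on this server."
}
```

Anything the script flags is what the reply suggests cleaning up (Remove-ExchangeCertificate for stale thumbprints, one SMTP-enabled cert per server) before running Remove-EdgeSubscription and New-EdgeSubscription again.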

  • Hi! Can't say that I have run into this issue before, but I have always used separate certificates for the Edge servers.

    Did you try to remove and re-create the edge subscription? Do you only have one Edge server or multiple?


    Kind Regards

    Oliwer