Forum Discussion
Issue with certificate renewal for exchange Edge Transport Server
Hi,
What you are describing is a known type of issue that can happen with Edge Subscription renewal / re-subscription when the same third-party wildcard certificate is installed across both Mailbox servers and the Edge Transport server.
The problem is usually not that wildcard certificates are unsupported, but that Exchange can become confused during Edge Subscription validation when multiple servers present certificates with:
- Same Subject
- Same SAN values
- Same issuer
- Sometimes same imported chain/friendly naming
- Multiple eligible SMTP certs in the org
This can lead to “duplicate / doublon / repetitive certificate” style errors.
Important clarification
The Edge Subscription process does not require using the same public wildcard certificate across all servers.
Exchange EdgeSync primarily uses:
- Edge Subscription trust
- AD LDS on Edge
- Internal secure synchronization channels
- SMTP TLS configuration separately
So using separate certificates is often cleaner.
Why your test with different certificates worked
That strongly suggests Exchange was selecting or validating the wrong certificate object when generating/importing the new Edge Subscription.
This is especially common when:
- Same wildcard cert exists on multiple Exchange servers
- Old expired cert still present
- Multiple SMTP-enabled certs remain assigned
- Thumbprints overlap in selection logic
Recommended Fix
Option 1 (Best Practice)
Use a separate certificate for Edge.
Keep wildcard on Mailbox servers and use another public/internal cert for Edge SMTP.
Many admins do exactly this.
Option 2 (If keeping same wildcard)
Clean certificate assignments first.
Check all certs:
Get-ExchangeCertificate | fl Thumbprint,Subject,Services,NotAfter
Remove old/unused duplicates.
Ensure only intended SMTP cert is enabled.
Recreate Edge Subscription fully:
Remove-EdgeSubscription -Identity <EdgeServerName>
New-EdgeSubscription -FileName c:\EdgeSubscription.xml
Then import again on Mailbox server.
Option 3
Use the same wildcard cert, but re-import fresh PFX separately on Edge and Mailbox so private key/container metadata differs cleanly.
Sometimes old migrated cert stores cause issues.
My Real-World Recommendation
For Exchange 2019:
Mailbox Servers
- Wildcard cert for HTTPS / SMTP if needed
Edge Server
- Separate public cert or dedicated SAN cert
Cleaner operationally and avoids subscription confusion.
Also Check
Send Connectors after re-subscription
Get-SendConnector
EdgeSync status
Test-EdgeSynchronization
Event Viewer
Look for:
- MSExchange EdgeSync
- Transport
- Certificate validation errors
Honest Field Experience Note
Many environments try to standardize one wildcard everywhere, but Edge Transport often behaves better with its own cert.
Your successful bogus-cert test is already the strongest troubleshooting clue.
My Conclusion
This is likely a certificate selection collision, not a certificate renewal failure.
Separate cert for Edge = safest long-term fix.
Hope this helps.
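An added example (not from the reply above, and not Microsoft's own tooling) that turns the "clean certificate assignments first" step into a read-only audit. It runs in the Exchange Management Shell on each Mailbox server and on the Edge Transport server, uses only Get-ExchangeCertificate and its standard properties (Thumbprint, Subject, Issuer, CertificateDomains, Services, NotAfter, IsSelfSigned), and reports the three conditions the reply blames for selection collisions: identical Subject/Issuer/SAN sets installed more than once, expired certificates still bound to SMTP, and more than one non-self-signed SMTP-enabled certificate. It prints suggested Remove-ExchangeCertificate commands but never executes them.

```powershell
# Added example: audit Exchange certificates for selection-collision conditions.
# Assumption: run in the Exchange Management Shell on the local server (Mailbox or Edge).
# Read-only: nothing is removed, enabled or re-imported by this script.

$now   = Get-Date
$certs = Get-ExchangeCertificate

# Identity key: Subject + Issuer + sorted SAN list. Two certs with the same key are
# "the same certificate" as far as selection logic is concerned (e.g. old and renewed copy).
function Get-CertKey {
    param($Cert)
    $domains = @($Cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() } | Sort-Object)
    return ('{0}|{1}|{2}' -f $Cert.Subject, $Cert.Issuer, ($domains -join ','))
}

$report = foreach ($c in $certs) {
    [pscustomobject]@{
        Thumbprint   = $c.Thumbprint
        Subject      = $c.Subject
        Issuer       = $c.Issuer
        NotAfter     = $c.NotAfter
        Expired      = ($c.NotAfter -lt $now)
        IsSelfSigned = $c.IsSelfSigned
        # Services is a flags value; its string form lists the enabled services, e.g. "IMAP, POP, IIS, SMTP"
        SmtpBound    = ($c.Services.ToString() -match '\bSMTP\b')
        Key          = Get-CertKey -Cert $c
    }
}

# 1) Same Subject + Issuer + SAN set installed more than once
$dupes = $report | Group-Object Key | Where-Object { $_.Count -gt 1 }
foreach ($g in $dupes) {
    Write-Warning ("Duplicate certificate identity ({0} copies): {1}" -f $g.Count, $g.Group[0].Subject)
    $g.Group | Sort-Object NotAfter |
        Format-Table Thumbprint, NotAfter, Expired, SmtpBound -AutoSize | Out-String | Write-Host
}

# 2) Expired certificates still bound to SMTP
$report | Where-Object { $_.Expired -and $_.SmtpBound } | ForEach-Object {
    Write-Warning ("Expired certificate still SMTP-enabled: {0} ({1})" -f $_.Thumbprint, $_.Subject)
}

# 3) More than one non-self-signed SMTP-enabled certificate. The self-signed Exchange
#    certificate is normally SMTP-enabled too and is excluded here on purpose.
$smtp = @($report | Where-Object { $_.SmtpBound -and -not $_.IsSelfSigned })
if ($smtp.Count -gt 1) {
    Write-Warning ("{0} third-party certificates are SMTP-enabled; expected one intended cert" -f $smtp.Count)
    $smtp | Format-Table Thumbprint, Subject, NotAfter -AutoSize | Out-String | Write-Host
}

# Suggested cleanup, printed only. Review each thumbprint before running anything.
$report | Where-Object { $_.Expired -and -not $_.IsSelfSigned } | ForEach-Object {
    "Remove-ExchangeCertificate -Thumbprint $($_.Thumbprint)   # expired $($_.NotAfter.ToShortDateString())"
}

if (-not $dupes -and $smtp.Count -le 1) {
    Write-Host "No duplicate identities and at most one third-party SMTP certificate found."
}
```

Run it on every Mailbox server and on the Edge server before re-creating the Edge Subscription; the Edge server has its own local certificate store, so its output is independent of the Mailbox servers. The self-signed certificate is deliberately left out of the SMTP count and of the cleanup suggestions because Exchange keeps it SMTP-enabled by design and removing it breaks internal transport.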