Forum Discussion
SSL Certificate Renewal Process for Exchange 2019 Hybrid Environment with Edge Servers
Hello Community,
We are managing an Exchange Hybrid environment with the following on-premises setup:
- Two Exchange Mailbox Servers 2019
- Two Edge Servers 2019
Recently, we renewed our third-party SSL certificates, which include SANs for mail.xyz.com and autodiscover.xyz.com. I imported the renewed certificate on all four servers, but encountered these warnings:
- Edge Servers need to be resubscribed after the SSL certificate renewal.
- The same SSL certificate should not be used on both Hub Transport Servers and Edge Servers.
I’ve reviewed various Microsoft resources, but I'm still seeking clear guidance on the best practices and specific requirements for SSL certificate renewal in an Exchange 2019 environment, particularly when Edge Servers are involved.
Could anyone provide detailed advice or clarify the correct process for:
- Handling SSL certificates between Mailbox and Edge Servers
- Resubscribing Edge Servers following certificate renewal
- Best practices for SSL management in a hybrid setup
Any expert insights or pointers to relevant documentation would be highly valuable!
Thank you in advance for your support!
1 Reply
- ScarlettLongIron Contributor
1. Certificate preparation phase
Open the ECP console on any Exchange server
Navigate to "Server" → "Certificates"
Click on the "+" to create a new certificate request (select "Create a request to obtain a certificate from a certificate authority")
2. Edge server-specific steps
```powershell
# Export the certificate (to be performed on the edge server)
$Edge = Get-ExchangeServer | Where {$_.ServerRole -match "Edge"}
$Cert = Export-ExchangeCertificate -Thumbprint <old certificate fingerprint> -BinaryEncoded -Password (ConvertTo-SecureString -String "Password" -AsPlainText -Force)
# Write the raw PFX bytes returned in FileData to disk
Set-Content -Path "C:\EdgeCert.pfx" -Value $Cert.FileData -Encoding Byte
```
3. Hybrid Deployment Considerations
Ensure that the new certificate contains all the SAN entries necessary for a hybrid deployment:
- all Exchange server FQDNs
- autodiscover.domain.com
- Connector names used in the Hybrid Configuration Wizard
4. Critical Checkpoints
Certificate Services Verification:
```powershell
# Confirm the renewed certificate is bound to IMAP, POP, SMTP and IIS
Get-ExchangeCertificate | Format-List Thumbprint,Subject,Services,NotAfter
```
5. Edge Transport service restart:
```powershell
Restart-Service MSExchangeTransport
```
6. Troubleshooting
If you encounter hybrid connectivity issues:
Rerun the Hybrid Configuration Wizard (Verification Mode only)
7. Check Edge Subscription status:
```powershell
# Run on a Mailbox server: list the subscriptions, then test EdgeSync
Get-EdgeSubscription
Test-EdgeSynchronization
```
8. Force synchronization:
```powershell
Start-EdgeSynchronization
```
Before proceeding, make sure:
1. you have a valid certificate backup
2. you are operating during a maintenance window
3. you have notified all users
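The resubscription the first warning asks for, carried through end to end on both sides, as an added example that is not part of ScarlettLongIron's reply. It assumes Windows PowerShell in the Exchange Management Shell, an Edge server named EDGE01 subscribed to the AD site Default-First-Site-Name, a Mailbox server that can reach it, and the SAN mail.xyz.com from the question; the server name, site name and file path are placeholders.

```powershell
# ---- On the Edge Transport server (Exchange Management Shell) ----
# Select the renewed third-party certificate by its SAN and validity, not by a
# pasted thumbprint, so an expired or self-signed certificate cannot be bound by mistake.
$NewCert = Get-ExchangeCertificate |
    Where-Object { $_.CertificateDomains -contains "mail.xyz.com" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $NewCert) { throw "No valid certificate for mail.xyz.com found on this Edge server" }

# Edge servers only need the certificate for SMTP (no IIS, POP or IMAP clients).
# -Force suppresses the prompt about replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $NewCert.Thumbprint -Services SMTP -Force

# Drop the existing subscription and create a fresh subscription file.
# The file is valid for 1440 minutes (24 hours); copy it to a Mailbox server promptly.
Remove-EdgeSubscription -Identity "EDGE01" -Confirm:$false      # EDGE01 is a placeholder name
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"

# ---- On a Mailbox server (Exchange Management Shell) ----
# Remove the stale subscription object, then import the new file into the site the
# Edge server belongs to; the import re-creates the Internet and inbound Send connectors.
Remove-EdgeSubscription -Identity "EDGE01" -Confirm:$false
$SubBytes = [System.IO.File]::ReadAllBytes("C:\EdgeSubscription.xml")
New-EdgeSubscription -FileData $SubBytes -Site "Default-First-Site-Name" `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# Push a full sync now instead of waiting for the next EdgeSync cycle, then verify.
Start-EdgeSynchronization -TargetServer "EDGE01" -ForceFullSync
$Result = Test-EdgeSynchronization -FullCompareMode
$Result | Format-List Name,SyncStatus,FailureDetail
# With several Edge servers $Result is an array, so filter for any unhealthy entry.
$Unhealthy = $Result | Where-Object { $_.SyncStatus -ne "Normal" }
if ($Unhealthy) { throw "EdgeSync is not healthy: $($Unhealthy.FailureDetail -join '; ')" }
```

Run the first half on each Edge server in turn and the second half once per Edge server on a Mailbox server; the self-signed certificate Exchange created at setup stays in place.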