Forum Discussion
SSL Certificate Renewal Process for Exchange 2019 Hybrid Environment with Edge Servers
1. Certificate preparation phase
Open the ECP console on any Exchange server
Navigate to "Server" → "Certificates"
Click on the "+" to create a new certificate request (select "Create a request to obtain a certificate from a certificate authority")
2. Edge server-specific steps
powershell
# Export the certificate (to be performed on the edge server)
$Edge = Get-ExchangeServer | Where {$_.ServerRole -match "Edge"}
# -BinaryData returns an object whose FileData property holds the PFX bytes
$Pfx = Export-ExchangeCertificate -Thumbprint <old certificate fingerprint> -BinaryData -Password (ConvertTo-SecureString -String "Password" -AsPlainText -Force)
[System.IO.File]::WriteAllBytes("C:\EdgeCert.pfx", $Pfx.FileData)
3. Hybrid Deployment Considerations
Ensure that the new certificate contains all the SAN entries necessary for a hybrid deployment:
All Exchange server FQDNs
autodiscover.domain.com
Connector names used in the Hybrid Configuration Wizard
4. Critical Checkpoints
Certificate Services Verification:
powershell
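# Show which services (IMAP, POP, SMTP, IIS) each certificate is bound to, with expiry and status
Get-ExchangeCertificate | Format-List Thumbprint,Subject,Services,NotAfter,Status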
5. Edge Transport service restart:
powershell
Restart-Service MSExchangeTransport
6. Troubleshooting
If you encounter hybrid connectivity issues:
Rerun the Hybrid Configuration Wizard (Verification Mode only)
7. Check Edge Subscription status:
powershell
Get-EdgeSubscription | Test-EdgeSynchronization
8. Force synchronization:
powershell
Start-EdgeSynchronization
(Before proceeding, make sure: 1. you have a valid certificate backup 2. you are operating during a maintenance window 3. you have notified all users)
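The SAN check from step 3, as an added example that is not part of the original post: a pre-flight function that reports which required names a certificate's SAN list does not cover, treating a wildcard as matching exactly one label. The function name `Test-SanCoverage` and all `contoso.example` host names are hypothetical, constructed for illustration.

```powershell
# Added example: function name and host names are hypothetical placeholders.
function Test-SanCoverage {
    param(
        [Parameter(Mandatory)][string[]]$CertificateNames,  # SAN entries on the certificate
        [Parameter(Mandatory)][string[]]$RequiredNames      # names clients and connectors use
    )
    foreach ($required in $RequiredNames) {
        $name = $required.Trim().TrimEnd('.').ToLowerInvariant()
        $coveredBy = $null
        foreach ($entry in $CertificateNames) {
            $san = $entry.Trim().TrimEnd('.').ToLowerInvariant()
            if ($san -eq $name) { $coveredBy = $entry; break }
            # A wildcard covers exactly one left-most label:
            # *.contoso.example matches mail.contoso.example,
            # but not contoso.example or a.b.contoso.example.
            if ($san.StartsWith('*.')) {
                $suffix = $san.Substring(1)   # ".contoso.example"
                if ($name.EndsWith($suffix)) {
                    $label = $name.Substring(0, $name.Length - $suffix.Length)
                    if ($label.Length -gt 0 -and -not $label.Contains('.')) {
                        $coveredBy = $entry; break
                    }
                }
            }
        }
        [pscustomobject]@{
            Required  = $required
            Covered   = [bool]$coveredBy
            CoveredBy = $coveredBy
        }
    }
}

# Constructed sample data. On an Exchange server the first list could be taken from
# the CertificateDomains property of Get-ExchangeCertificate output (as strings).
$sanOnNewCert = 'mail.contoso.example', '*.contoso.example', 'EX01.corp.contoso.example'
$required = 'mail.contoso.example', 'autodiscover.contoso.example',
            'ex01.corp.contoso.example', 'ex02.corp.contoso.example', 'contoso.example'

$report = Test-SanCoverage -CertificateNames $sanOnNewCert -RequiredNames $required
$report | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Covered })
if ($missing.Count -gt 0) {
    Write-Warning ("Not covered by the certificate: " + ($missing.Required -join ', '))
}
```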