Forum Discussion
A-CAST
Dec 10, 2021 | Brass Contributor
Exchange 2016 On-premise Hybrid Configuration for Management & Federation Certificate
I have an Exchange Server 2016 on-premise for Exchange Admin Center Management of Exchange attributes only as we've migrated to Office 365 years ago. I got notification that self-signed certifica...
surajbudhani
Dec 10, 2021 | Microsoft
To install the certificate in the Trusted Root Certification Authorities store, double-click the certificate and, while installing, select "Place all certificates in the following store", then browse to "Trusted Root Certification Authorities" and install the certificate.
If you wish to delete the expired certificate run the following command:
Remove-ExchangeCertificate -Server Mailbox01 -Thumbprint <Certificate Thumbprint>
To enable specific services on the new certificates run the following command:
Enable-ExchangeCertificate -Server Mailbox01 -Thumbprint <Certificate Thumbprint> -Services POP,IMAP,SMTP,IIS
Once done, go to IIS, make sure the valid new certificate is selected, and do an IIS reset.
- A-CAST | Dec 10, 2021 | Brass Contributor
  It seems that the only Thumbprint I see via the Exchange Management Shell is the one for the invalid/expired certificate. I don't see one for the valid ones, so how would I be able to add the services to it?
- A-CAST | Feb 15, 2022 | Brass Contributor
  I've figured out how to handle my scenario with this and here is what I did to resolve it:
  * I found that I had to delete the trust and recreate it due to the expired certificate, but couldn't do it from the UI, so I used PowerShell to remove each federated domain, then the primary one, then finally the trust itself
  * Although I didn't have to recreate the trust, I again had to use PowerShell to create a new certificate for the "Microsoft Exchange Server Auth Certificate", which came up via the Health Check script for the Exchange upgrade procedures as being needed
  * I also had to renew the certificate for "WMSVC", but this one wasn't expired, so I was able to renew it using the UI. The Health Check script identified it as having SHA1 instead of SHA2, so that's why I renewed it
  * Deleted all old certs via MMC console...
  That pretty much summarizes everything, glad that's over with 😉
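
Added example, not part of any post in this thread: a read-only inventory of the server's local machine certificate store that lists each thumbprint (the value the `-Thumbprint` parameter above expects) and flags expired, soon-to-expire, SHA1-signed and private-key-less certificates. The function name `Get-CertificateReview` and the 30-day warning threshold are assumptions made for this example.

```powershell
# Added example: read-only review of Cert:\LocalMachine\My. It changes nothing.
# Run in an elevated PowerShell session on the Exchange server.
function Get-CertificateReview {
    param(
        # Certificates to review; defaults to the local machine Personal store.
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]
        $Certificate = (Get-ChildItem -Path Cert:\LocalMachine\My),

        # Assumed threshold: warn this many days before expiry.
        [int]$WarnDays = 30
    )

    $now = Get-Date
    foreach ($cert in $Certificate) {
        $findings = @()

        if ($cert.NotAfter -lt $now) {
            $findings += 'EXPIRED'
        } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
            $findings += "expires within $WarnDays days"
        }
        if ($cert.NotBefore -gt $now) { $findings += 'not yet valid' }

        # Friendly names look like sha1RSA / sha256RSA; -match is case-insensitive.
        if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
            $findings += 'SHA1 signature'
        }

        # A certificate without its private key cannot be used to serve TLS.
        if (-not $cert.HasPrivateKey) { $findings += 'no private key' }

        [pscustomobject]@{
            Thumbprint         = $cert.Thumbprint
            Subject            = $cert.Subject
            FriendlyName       = $cert.FriendlyName
            NotAfter           = $cert.NotAfter
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            HasPrivateKey      = $cert.HasPrivateKey
            Findings           = ($findings -join '; ')
        }
    }
}

# Oldest expiry first, so expired entries appear at the top of the report.
Get-CertificateReview | Sort-Object NotAfter | Format-List
```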