Exchange 2016 On-premise Hybrid Configuration for Management & Federation Certificate


I have an Exchange Server 2016 on-premise for Exchange Admin Center Management of Exchange attributes only as we've migrated to Office 365 years ago.

I got notification that self-signed certificates were expiring or had expired, so I used the EAC to renew them, but for some reason the Exchange Delegation Federation certificate was created multiple times.

I now have one that's invalid and 3 valid ones. I'm not sure what I did to create multiple certificates, but here is what I want to do:

On the invalid one, it shows the services using the certificate were both SMTP and Federation. One of the renewed certificates shows SMTP but no Federation, and the other two that are left show "NONE" for services. I want to add Federation to the one that already has SMTP and delete the others.

I also noticed that all the certificates, when looking at them from the Certificates MMC, show that they are not from a trusted CA root certificate and that, to be trusted, they need to be installed in the Trusted Root Certification Authorities store.

Currently, when I go into the EAC it shows the alert about the invalid/expired certificate. It's just annoying me and I want to correct this. Any help would be greatly appreciated... thanks!

2 Replies

To install the certificate in the Trusted Root Certification Authorities store, double-click the certificate and, while installing, select "Place all certificates in the following store", then browse to "Trusted Root Certification Authorities" and install the certificate.

If you wish to delete the expired certificate run the following command:
Remove-ExchangeCertificate -Server Mailbox01 -Thumbprint <Certificate Thumbprint>

To enable specific services on the new certificates run the following command:
Enable-ExchangeCertificate -Server Mailbox01 -Thumbprint <Certificate Thumbprint> -Services POP,IMAP,SMTP,IIS

Once done, go to IIS, make sure the valid new certificate is selected, and run an IIS reset.

It seems that the only thumbprint I see via the Exchange Management Shell is the one for the invalid/expired certificate. I don't see one for the valid ones, so how would I be able to add the services to it?
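An added walk-through (not posted by either participant) of the inventory step the first reply skips and the follow-up asks about: Get-ExchangeCertificate lists every certificate on the server with its thumbprint, bound services and expiry, which is what you need before enabling or removing anything. The server name is taken from the reply above; the federation trust lookup and the use of -WhatIf are my assumptions and must be adapted to the environment.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
$server = "Mailbox01"   # server name from the reply above; replace with yours

# Every certificate Exchange knows about, valid or not. Thumbprint, Services
# and NotAfter answer "which one carries SMTP today and when does it expire?"
$certs = Get-ExchangeCertificate -Server $server
$certs | Sort-Object NotAfter |
    Format-Table Thumbprint, Status, Services, NotAfter, IsSelfSigned, Subject -AutoSize

$now     = Get-Date
$expired = $certs | Where-Object { $_.NotAfter -lt $now }
$valid   = $certs | Where-Object { $_.NotAfter -ge $now }

# The certificate to keep: a valid one that is already bound to SMTP.
$keep = $valid | Where-Object { "$($_.Services)" -match 'SMTP' } | Select-Object -First 1
if (-not $keep) {
    throw "No valid certificate is bound to SMTP; review the table above before removing anything."
}
Write-Host "Keeping $($keep.Thumbprint) (expires $($keep.NotAfter))"

# Valid duplicates that serve nothing ("None"), i.e. the spare renewals.
$spare = $valid | Where-Object { "$($_.Services)" -eq 'None' -and $_.Thumbprint -ne $keep.Thumbprint }
$spare | Format-Table Thumbprint, NotAfter -AutoSize

# -WhatIf shows the change without applying it; drop it once the list is right.
foreach ($c in @($expired) + @($spare)) {
    Remove-ExchangeCertificate -Server $server -Thumbprint $c.Thumbprint -WhatIf
}

# Federation is not bound with Enable-ExchangeCertificate -Services; the
# federation trust decides which certificate it uses. Stage the kept
# certificate on the trust, then publish it once the staged one is verified.
# Assumption: a single trust exists; check with Get-FederationTrust first.
$trust = Get-FederationTrust | Select-Object -First 1
Set-FederationTrust -Identity $trust.Name -Thumbprint $keep.Thumbprint -WhatIf
# After verification:
# Set-FederationTrust -Identity $trust.Name -PublishFederationCertificate
```

Run it once with -WhatIf in place to confirm the thumbprints it selects match what the EAC shows, then remove -WhatIf and run it again.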