Exchange 2016 On-premise Hybrid Configuration for Management & Federation Certificate


I have an Exchange Server 2016 on-premises for Exchange Admin Center management of Exchange attributes only, as we migrated to Office 365 years ago.


I got notification that self-signed certificates were expiring or had expired, so I used the EAC to renew them, but for some reason the Exchange Delegation Federation certificate was created multiple times.

I now have one that's invalid and 3 valid ones. I'm not sure what I did to create multiple certificates, but here is what I want to do:


On the invalid one, it shows the services using the certificate were SMTP and Federation. One of the renewed certificates shows SMTP but no Federation, and the other two that are left show "NONE" for services. I want to add Federation to the one that already has SMTP and delete the others.


I also noticed that all the certificates, when looking at them from the Certificates MMC, show that they are not trusted CA root certificates and that, to be trusted, they need to be installed in the Trusted Root Certification Authorities store.


Currently, when I go into the EAC, it shows the alert about the invalid/expired certificate; it's just annoying me and I want to correct this. Any help would be greatly appreciated. Thanks!

3 Replies
To install the certificate in the Trusted Root Certification Authorities store, double-click the certificate and, while installing, select "Place all certificates in the following store", then browse to "Trusted Root Certification Authorities" and install the certificate.

If you wish to delete the expired certificate run the following command:
Remove-ExchangeCertificate -Server Mailbox01 -Thumbprint <Certificate Thumbprint>

To enable specific services on the new certificates run the following command:
Enable-ExchangeCertificate -Server Mailbox01 -Thumbprint <Certificate Thumbprint> -Services POP,IMAP,SMTP,IIS

Once done, go to IIS and make sure the Valid new certificate is selected and do IIS Reset
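The cmdlets in the reply above, put together as an added example (not code from the original post): inventory the certificates on one Exchange 2016 server, move the SMTP binding onto a valid self-signed certificate, point the federation trust at the same certificate, and only then remove the expired ones. The server name is an assumption taken from the reply. Note that Federation is not one of the services Enable-ExchangeCertificate should set; the federation trust owns that binding, so Set-FederationTrust is used for it.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
$Server = 'Mailbox01'   # assumption: the same server name the reply uses

# 1. Inventory. Every certificate Exchange knows about is listed here, expired or not,
#    so this is also where to read the thumbprints of the renewed certificates.
$certs = Get-ExchangeCertificate -Server $Server |
    Select-Object Thumbprint, FriendlyName, Subject, NotAfter, Services, IsSelfSigned,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } }
$certs | Sort-Object NotAfter | Format-Table -AutoSize

# 2. Choose the certificate that will carry SMTP and Federation: not expired,
#    self-signed, latest expiry. Change the filter if a CA-issued certificate should win.
$good = $certs | Where-Object { -not $_.Expired -and $_.IsSelfSigned } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $good) {
    throw "No valid self-signed certificate on $Server; create one with New-ExchangeCertificate first."
}

# 3. Bind SMTP. -Force answers the "overwrite the default SMTP certificate?" prompt.
Enable-ExchangeCertificate -Server $Server -Thumbprint $good.Thumbprint -Services SMTP -Force

# 4. Federation. -Thumbprint stages the certificate as the trust's next certificate;
#    -PublishFederationCertificate then makes it the current one.
$trust = Get-FederationTrust
if ($trust) {
    Set-FederationTrust -Identity $trust.Identity -Thumbprint $good.Thumbprint
    Set-FederationTrust -Identity $trust.Identity -PublishFederationCertificate
}

# 5. Re-read the bindings before deleting anything: the expired certificate
#    must no longer list SMTP or Federation under Services.
Get-ExchangeCertificate -Server $Server | Format-Table Thumbprint, Services, NotAfter -AutoSize

$certs | Where-Object { $_.Expired } | ForEach-Object {
    Write-Host "Removing expired certificate $($_.Thumbprint) ($($_.Subject))"
    Remove-ExchangeCertificate -Server $Server -Thumbprint $_.Thumbprint -Confirm:$false
}
```

Step 5 is the check worth keeping: Remove-ExchangeCertificate will happily delete a certificate that a service still references, and the EAC warning only goes away once nothing points at the expired thumbprint.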

It seems that the only thumbprint I see via the Exchange Management Shell is the one for the invalid/expired certificate. I don't see one for the valid ones, so how would I be able to add the services to it?

I've figured out how to handle my scenario with this, and here is what I did to resolve it:
* I found that I had to delete the trust and recreate it due to the expired certificate, but couldn't do it from the UI, so I used PowerShell to remove each federated domain, then the primary one, then finally the trust itself
* Although I didn't have to recreate the trust, I again had to use PowerShell to create a new certificate for the "Microsoft Exchange Server Auth Certificate", which the Health Check script for the Exchange upgrade procedures flagged as needed
* I also had to renew the certificate for "WMSVC", but this one wasn't expired, so I was able to renew it using the UI. The Health Check script identified it as having SHA1 instead of SHA2, so that's why I renewed it
* Deleted all old certs via the MMC console. That pretty much summarizes everything; glad that's over with ;)
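The two PowerShell steps the poster describes (removing the federated domains and the trust, then creating a new "Microsoft Exchange Server Auth Certificate"), written out as an added example; this is not the poster's own script. The server name and the DNS name placed on the new auth certificate are assumptions. The first stage is destructive, so run it one line at a time.

```powershell
# Added example (not the poster's script). Run in the Exchange Management Shell.
$Server         = 'Mailbox01'         # assumption: the Exchange 2016 mailbox server
$AuthCertDomain = 'mail.contoso.com'  # assumption: name placed on the new auth certificate

# --- Stage 1: remove the federation trust. Order matters: organization relationships
#     and federated domains depend on the trust, and the account namespace goes last. ---
Get-OrganizationRelationship | Remove-OrganizationRelationship -Confirm:$false

$orgId   = Get-FederatedOrganizationIdentifier
$primary = [string]$orgId.AccountNamespace
$others  = @($orgId.Domains | ForEach-Object { [string]$_ } |
             Where-Object { $_ -and $_ -ne $primary })

foreach ($domain in $others) {
    Write-Host "Removing federated domain $domain"
    Remove-FederatedDomain -DomainName $domain -Confirm:$false
}
if ($primary) {
    # The account namespace (primary domain) needs -Force.
    Remove-FederatedDomain -DomainName $primary -Force -Confirm:$false
}
Get-FederationTrust | Remove-FederationTrust -Confirm:$false

# --- Stage 2: replace the OAuth certificate the health check flagged. ---
# If asked whether to overwrite the default SMTP certificate, answer No: the auth
# certificate is not meant to be the transport certificate.
$auth = New-ExchangeCertificate -Server $Server -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName  'cn=Microsoft Exchange Server Auth Certificate' `
    -FriendlyName 'Microsoft Exchange Server Auth Certificate' `
    -DomainName   $AuthCertDomain

# Stage the new certificate, make it current, then forget the old thumbprint.
Set-AuthConfig -NewCertificateThumbprint $auth.Thumbprint -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

# The services that consume the OAuth certificate read it at startup.
Restart-Service MSExchangeServiceHost
iisreset /noforce

# Verify: CurrentCertificateThumbprint should now be the new certificate.
Get-AuthConfig | Format-List CurrentCertificateThumbprint, PreviousCertificateThumbprint, NextCertificateThumbprint
```

In a hybrid organization the new auth certificate also has to reach the cloud side; rerunning the Hybrid Configuration Wizard after stage 2 is the supported way to do that, and the final Get-AuthConfig line is the quick way to confirm on-premises that the old thumbprint is gone.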