This is a quick how-to for rotating a Server Auth Certificate that’s about to expire on Exchange Server 2019 or 2025 in a Hybrid Deployment. Again, this assumes that your current certificate did not expire yet and is valid and not corrupt. Make sure you have a backup, snapshot, and rosary beads before you get going. Let’s get this party started!
Open Exchange Management Shell (EMS) with an account that has appropriate permissions. Run the following commands:
# Create a new Microsoft Exchange Server Auth Certificate
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
# Select N (Do not overwrite the existing SMTP certificate)
# Note the thumbprint of the new certificate; you'll need it in the next step
# Paste that thumbprint into the following command
Set-AuthConfig -NewCertificateThumbprint "enter certificate thumbprint here" -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
# If warned that the new certificate's effective date is not at least 48 hours old, enter Y to confirm
Set-AuthConfig -ClearPreviousCertificate
# Restart the services/app pools that cache the Auth certificate (Restart-WebAppPool comes from the WebAdministration module, auto-loaded on the Exchange server)
Restart-Service "MSExchangeServiceHost"
Restart-WebAppPool "MSExchangeOWAAppPool"
Restart-WebAppPool "MSExchangeECPAppPool"
Log into Exchange Control Panel > Servers > Certificates and confirm that the new certificate is present and then proceed to delete the old certificate to keep everything nice and tidy.
Next, make sure you’re running the latest release of the Hybrid Configuration Wizard and run it using an account that has sufficient permissions for the on-premises and Exchange Online environments.
Afterwards, locate the Microsoft Entra Service Principal that was reconfigured by the HCW. Review its certificate settings to ensure that the new certificate has been added.
Finally, you should perform a quick test to confirm that Exchange Free/Busy data is functioning. As Free/Busy lookups rely on OAuth tokens to authenticate cross-premises requests, they will break if the new certificate isn’t correctly trusted by both ends of your hybrid connection. The easiest way to do this is to log into a cloud mailbox using OWA, open the Scheduling Assistant and add an on-premises user as an attendee. If their availability shows up correctly, the cloud-to-on-prem path is functional. You can also perform the same test in reverse, from an on-premises mailbox to a cloud mailbox.
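The service principal review and the Free/Busy check above can be scripted. The following is an added example, not part of the original post: it reads the active Auth certificate from Get-AuthConfig, compares it against the certificates on the Entra service principal the HCW updates, and runs Test-OAuthConnectivity as the automated counterpart of the Scheduling Assistant test. It assumes an Exchange Management Shell session with the Microsoft.Graph.Applications module installed; the mailbox address is a placeholder.

```powershell
# Added verification script (not from the original post). Assumes EMS is loaded
# (Get-AuthConfig, Get-ExchangeCertificate, Test-OAuthConnectivity) and that
# Microsoft.Graph.Applications is installed. The app ID is the well-known
# Office 365 Exchange Online application; the mailbox is a placeholder.
$ExoAppId      = '00000002-0000-0ff1-ce00-000000000000'
$OnPremMailbox = 'user@contoso.example'   # placeholder: an on-premises mailbox

# 1. What on-premises Exchange considers the active Auth certificate
$authConfig = Get-AuthConfig
$current    = $authConfig.CurrentCertificateThumbprint
$cert       = Get-ExchangeCertificate -Thumbprint $current
"On-prem Auth certificate: $current (expires $($cert.NotAfter))"
if ($authConfig.PreviousCertificateThumbprint) {
    "Previous certificate still referenced: $($authConfig.PreviousCertificateThumbprint) (ClearPreviousCertificate not run yet?)"
}

# 2. Does the Entra service principal reconfigured by the HCW carry that thumbprint?
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null
$sp = Get-MgServicePrincipal -Filter "appId eq '$ExoAppId'"
# Graph only returns the raw key bytes when keyCredentials is explicitly selected
$sp = Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property 'keyCredentials'
$spCerts = foreach ($k in $sp.KeyCredentials) {
    if ($k.Key) {
        # Derive the thumbprint from the certificate bytes rather than trusting metadata
        $x = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$k.Key)
        [pscustomobject]@{ Thumbprint = $x.Thumbprint; NotAfter = $x.NotAfter; Usage = $k.Usage }
    } else {
        # Assumption: CustomKeyIdentifier holds the SHA-1 thumbprint bytes when Key is withheld
        $tp = ([BitConverter]::ToString([byte[]]$k.CustomKeyIdentifier)) -replace '-'
        [pscustomobject]@{ Thumbprint = $tp; NotAfter = $k.EndDateTime; Usage = $k.Usage }
    }
}
$spCerts | Format-Table -AutoSize
if ($spCerts.Thumbprint -contains $current) {
    "OK: the service principal trusts the new Auth certificate."
} else {
    "MISSING: re-run the Hybrid Configuration Wizard; cross-premises OAuth (Free/Busy) will fail."
}

# 3. Exercise the on-prem -> cloud OAuth path (automated equivalent of the Scheduling Assistant test)
Test-OAuthConnectivity -Service EWS -TargetUri 'https://outlook.office365.com/ews/exchange.asmx' `
    -Mailbox $OnPremMailbox -Verbose | Format-List ResultType, Error
```

A ResultType of Success in step 3 together with a match in step 2 covers the on-prem side; the cloud-to-on-prem direction is still best confirmed from a cloud mailbox as described above.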