The Microsoft Exchange Server Auth Certificate is installed when you install an Exchange Server, and it is valid for 5 years. Most of the time, you don't look into that certificate because, within 5 years, you will have a new Exchange Server and decommission the old one. What if you accidentally removed the certificate, or it's giving an error? In this article, we will look at how to renew the Microsoft Exchange Server Auth Certificate and check that it's valid.
Table of contents
- Check Microsoft Exchange Server Auth Certificate
- Renew Microsoft Exchange Server Auth Certificate with PowerShell
- 1. Create new Microsoft Exchange Server Auth Certificate
- 2. Set new certificate for server authentication
- 3. Restart Microsoft Exchange Service Host Service
- 4. Restart IIS (Internet Information Services)
- 5. Remove old Microsoft Exchange Server Auth Certificate
- 6. Rerun Hybrid Configuration Wizard
- 7. Verify Microsoft Exchange Server Auth Certificate validity
- Conclusion
Check Microsoft Exchange Server Auth Certificate
Sign in to Exchange Admin Center on-premises. Navigate to servers > certificates. Select the Exchange Server if you have more than one Exchange Server running in the organization. Double-click the Microsoft Exchange Server Auth Certificate.
In our example, we selected the Exchange Server EX01-2016.

The certificate thumbprint starts with C4C595.

Let’s verify the Exchange Server certificate with Exchange Management Shell.
Run Exchange Management Shell as administrator on Exchange on-premises. Run the command to check the status of the existing OAuth certificate.
[PS] C:\>(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Microsoft Exchange Server Auth Certificate
NotAfter : 9/28/2026 10:25:25 PM
NotBefore : 9/28/2021 10:25:25 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 1B6BC2BD4BB4EFA848E6EE110E79241C
Services : SMTP
Status : Valid
Subject : CN=Microsoft Exchange Server Auth Certificate
Thumbprint : C4C5951857150DC2BC89E084DA51DB126A258C4F
Let's say the Exchange Server Auth Certificate is corrupt or not valid, or perhaps you don't see the certificate at all with the above steps. In the next section, we will renew the Exchange Server Auth Certificate.
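The check above looks at one server. In an organization with several Exchange Servers the same thumbprint must be present, valid and hold its private key on every one of them, because each server signs and validates OAuth tokens with it. The following script is an added example, not part of the original article: it reads the current thumbprint from Get-AuthConfig, checks it on each non-Edge server and flags certificates that are missing, invalid, without private key or close to expiry. The function name and the 90-day warning threshold are choices made here, not Exchange defaults; everything else uses cmdlets shown on this page or standard Exchange Management Shell cmdlets.

```powershell
# Added example (not from the original article): report the current Exchange Server
# Auth Certificate as seen by every Exchange Server in the organization.
# Assumes Exchange Management Shell on an Exchange 2013/2016/2019 server.
function Get-AuthCertificateReport {
    param(
        # Warn when fewer than this many days remain before NotAfter (threshold chosen here)
        [int]$WarnDays = 90
    )

    $authConfig = Get-AuthConfig
    $current    = $authConfig.CurrentCertificateThumbprint
    if (-not $current) {
        Write-Warning 'AuthConfig has no CurrentCertificateThumbprint; OAuth is not configured.'
        return
    }

    # A pending rollover sits in NextCertificateThumbprint between
    # Set-AuthConfig -NewCertificateThumbprint and -PublishCertificate
    if ($authConfig.NextCertificateThumbprint) {
        Write-Host ("Rollover pending to {0}, effective {1}" -f `
            $authConfig.NextCertificateThumbprint, $authConfig.NextCertificateEffectiveDate)
    }

    # Edge Transport servers are not domain joined and hold no Auth Certificate
    $servers = Get-ExchangeServer | Where-Object { -not $_.IsEdgeServer }

    foreach ($server in $servers) {
        # Get-ExchangeCertificate errors when the thumbprint is absent on that server
        $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $current -ErrorAction SilentlyContinue

        if (-not $cert) {
            [pscustomobject]@{
                Server        = $server.Name
                Thumbprint    = $current
                Present       = $false
                HasPrivateKey = $null
                Status        = 'Missing'
                NotAfter      = $null
                DaysRemaining = $null
                Healthy       = $false
            }
            continue
        }

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Server        = $server.Name
            Thumbprint    = $cert.Thumbprint
            Present       = $true
            HasPrivateKey = $cert.HasPrivateKey
            Status        = $cert.Status
            NotAfter      = $cert.NotAfter
            DaysRemaining = $daysLeft
            # Healthy only when the certificate is valid, still has its private key
            # (needed to sign OAuth tokens) and is not close to expiry
            Healthy       = ($cert.Status -eq 'Valid') -and $cert.HasPrivateKey -and ($daysLeft -gt $WarnDays)
        }
    }
}

# Usage: one row per server; any row with Healthy = False needs attention
Get-AuthCertificateReport | Format-Table -AutoSize
```

A server that reports Missing after a renewal usually means the new certificate has not been deployed there yet; rerun the report later before removing the old certificate.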
Renew Microsoft Exchange Server Auth Certificate with PowerShell
Let’s have a look at the steps on how to renew Microsoft Exchange Server Auth Certificate. Run the below commands in Exchange Management Shell.
Are you looking for how to renew the Microsoft Exchange certificate? Read the article Renew Microsoft Exchange certificate.
Note: You can’t remove the Exchange Server Auth Certificate in most cases. That’s ok, and you will be able to remove the certificate when you create and publish a new Exchange Server Auth Certificate.
1. Create new Microsoft Exchange Server Auth Certificate
Create a new Microsoft Exchange Server Auth Certificate. Run the New-ExchangeCertificate cmdlet. If it asks you to overwrite the certificate that’s already there, press Y and press Enter.
[PS] C:\>New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
Confirm
Overwrite the existing default SMTP certificate?
Current certificate: 'C4C5951857150DC2BC89E084DA51DB126A258C4F' (expires 9/28/2026 10:25:25 PM)
Replace it with certificate: '67D37D27B8D3583D5FAD32FC294E287D270E3297' (expires 9/29/2026 9:51:32 AM)
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): Y
Thumbprint Services Subject
---------- -------- -------
67D37D27B8D3583D5FAD32FC294E287D270E3297 ....S.. CN=Microsoft Exchange Server Auth Certificate
Copy the new certificate thumbprint because you need it in the next step. In our case, it’s the certificate thumbprint that starts with 67D37D.
You can verify in Exchange Admin Center that the command created the new Microsoft Exchange Server Auth Certificate.
Note: The certificate will be created on all the Exchange Servers (if you have more than one Exchange Server running in the organization).

2. Set new certificate for server authentication
The Set-AuthConfig cmdlet configures Microsoft Exchange as a partner application for server-to-server authentication with other partner applications such as Microsoft SharePoint 2013 and Microsoft Lync 2013 or Skype for Business Server 2015.
Paste the certificate thumbprint which you copied in the previous step into the command. If you use the current date as the effective date, you will get a warning that the new effective date is not at least 48 hours in the future. Press Y and press Enter.
[PS] C:\>Set-AuthConfig -NewCertificateThumbprint "67D37D27B8D3583D5FAD32FC294E287D270E3297" -NewCertificateEffectiveDate (Get-Date)
Confirm
The new certificate effective date is not at least "48" hours in the future and may not be deployed on all necessary servers. Do you wish to continue?
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): Y
The PublishCertificate switch immediately rolls the specified certificate over as the current certificate. The certificate is deployed immediately to all Client Access servers.
[PS] C:\>Set-AuthConfig -PublishCertificate
The ClearPreviousCertificate switch clears the certificate saved as the previous certificate in the authorization configuration.
[PS] C:\>Set-AuthConfig -ClearPreviousCertificate
3. Restart Microsoft Exchange Service Host Service
Restart the Microsoft Exchange Service Host service.
[PS] C:\>Restart-Service "MSExchangeServiceHost"
4. Restart IIS (Internet Information Services)
Run the IISReset command to restart IIS.
[PS] C:\>iisreset
Another way is to recycle the Outlook on the web and EAC application pools.
[PS] C:\>Restart-WebAppPool "MSExchangeOWAAppPool"
[PS] C:\>Restart-WebAppPool "MSExchangeECPAppPool"
5. Remove old Microsoft Exchange Server Auth Certificate
Remove old Microsoft Exchange Server Auth Certificate from Exchange Admin Center or with PowerShell.
Note: Do this on all the Exchange Servers.
After removal, you should have only one Microsoft Exchange Server Auth Certificate on each Exchange Server.

Important: In some environments, it may take a couple of hours for the OAuth certificate to be published.
During that time, an ECP error appears when you try to connect to the Exchange Admin Center. After waiting a few hours, you can sign in successfully without getting the error.

6. Rerun Hybrid Configuration Wizard
If you have an Exchange Hybrid setup, you have to rerun the Hybrid Configuration Wizard to update the changes to Azure Active Directory (Azure AD).

7. Verify Microsoft Exchange Server Auth Certificate validity
Run the Exchange Server Health Checker script to verify that the Microsoft Exchange Server Auth Certificate status is valid.
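Steps 1 through 5 above are typed one at a time, and the two places where something goes wrong in practice are publishing a certificate that has not yet reached every server, and removing the old certificate before the rollover has actually completed (the note in step 5 says publishing can take a couple of hours). The script below is an added example, not the article's own code: it runs steps 1 to 4 with a presence check on every server before publishing, and puts step 5 in a separate function that refuses to delete anything while Get-AuthConfig still reports the old thumbprint as current. Step 6 (Hybrid Configuration Wizard) and the Health Checker run in step 7 are not scripted here. The function names are choices made for this example; the cmdlets and parameters are those shown on this page plus -Force on New-ExchangeCertificate and Set-AuthConfig to answer the two confirmation prompts, Remove-ExchangeCertificate, and remote Get-Service / iisreset, which assume administrative rights on each server.

```powershell
# Added example (not the article's own script): the renewal procedure with the checks
# a practitioner wants between the steps. Assumes Exchange Management Shell on one
# Exchange Server and an account allowed to manage certificates on all servers.

# Non-Edge Exchange Servers; Edge servers are not domain joined and hold no Auth Certificate
function Get-AuthCertificateServers {
    Get-ExchangeServer | Where-Object { -not $_.IsEdgeServer }
}

# Steps 1 to 4: create, publish, restart. Returns the new thumbprint.
function Start-AuthCertificateRenewal {
    $servers       = Get-AuthCertificateServers
    $oldThumbprint = (Get-AuthConfig).CurrentCertificateThumbprint

    # Step 1: same parameters as the article; -Force answers the
    # "Overwrite the existing default SMTP certificate?" prompt with Yes
    $newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName 'cn=Microsoft Exchange Server Auth Certificate' `
        -FriendlyName 'Microsoft Exchange Server Auth Certificate' -DomainName @() -Force
    $new = $newCert.Thumbprint
    Write-Host "New Auth Certificate $new replaces $oldThumbprint"

    # Check before step 2: a server that lacks the certificate cannot validate
    # OAuth tokens the others sign with it, so do not publish until all have it
    $missing = $servers | Where-Object {
        -not (Get-ExchangeCertificate -Server $_.Name -Thumbprint $new -ErrorAction SilentlyContinue)
    }
    if ($missing) {
        throw "Certificate $new is not yet present on: $($missing.Name -join ', '). Retry before publishing."
    }

    # Step 2: effective now (-Force answers the 48-hour warning), publish, clear previous
    Set-AuthConfig -NewCertificateThumbprint $new -NewCertificateEffectiveDate (Get-Date) -Force
    Set-AuthConfig -PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate

    # Steps 3 and 4 on every server (Windows PowerShell remote service and IIS restart)
    foreach ($server in $servers) {
        Get-Service -ComputerName $server.Name -Name MSExchangeServiceHost | Restart-Service
        & iisreset $server.Name | Out-Null
    }

    return $new
}

# Step 5, run later: remove superseded Auth Certificates from every server,
# but only once AuthConfig actually reports the new thumbprint as current.
function Remove-SupersededAuthCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$NewThumbprint
    )

    $current = (Get-AuthConfig).CurrentCertificateThumbprint
    if ($current -ne $NewThumbprint) {
        Write-Warning "AuthConfig still reports $current as current; the rollover has not completed. Nothing removed."
        return
    }

    $subject = 'CN=Microsoft Exchange Server Auth Certificate'
    foreach ($server in Get-AuthCertificateServers) {
        Get-ExchangeCertificate -Server $server.Name |
            Where-Object { $_.Subject -eq $subject -and $_.Thumbprint -ne $NewThumbprint } |
            ForEach-Object {
                # -WhatIf on the function shows what would be removed without removing it
                if ($PSCmdlet.ShouldProcess($server.Name, "Remove Auth Certificate $($_.Thumbprint)")) {
                    Remove-ExchangeCertificate -Server $server.Name -Thumbprint $_.Thumbprint -Confirm:$false
                }
            }
    }
}

# Usage: run the first call now, keep the thumbprint, and run the second call
# a few hours later (first with -WhatIf) once the ECP sign-in works again.
$newThumbprint = Start-AuthCertificateRenewal
# Remove-SupersededAuthCertificate -NewThumbprint $newThumbprint -WhatIf
# Remove-SupersededAuthCertificate -NewThumbprint $newThumbprint
```

Splitting step 5 into its own function mirrors the note in step 5: the old certificate cannot be removed until the new one is published, and trying earlier only fails. If you have an Exchange Hybrid setup, rerun the Hybrid Configuration Wizard after the rollover as described in step 6.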

Read more: Renew certificate in Exchange Hybrid »
Conclusion
We showed how to renew the Microsoft Exchange Server Auth Certificate. First, go through the steps as shown to renew the Auth Certificate. After that, you can remove the old Auth certificate. If you have an Exchange Hybrid deployment, rerun the Hybrid Configuration Wizard. As always, verify that the new Microsoft Exchange Server Auth Certificate is valid by running the Exchange Health Checker script.
Source: https://www.alitajran.com/renew-microsoft-exchange-server-auth-certificate/