The Microsoft Exchange Server Auth Certificate is created with every install of Microsoft Exchange Server. It is a self-signed certificate that is installed on all Exchange servers and, in hybrid deployments, allows connections with other servers such as Lync, SharePoint, etc. The Microsoft Exchange Server Auth Certificate has a 5-year expiration date, which is just long enough for it to be one of those things that you set and forget. Until it suddenly expires, of course, and all hell breaks loose.
If it is expired or is about to expire, don't stress. It is really easy to renew the certificate by using the Exchange Admin Center.
How to Renew an Expired Microsoft Exchange Server Auth Certificate
Renewing creates a second certificate named Microsoft Exchange Server Auth Certificate that is valid for another 5 years. Whether you renew before expiration or after expiration, I found the process is exactly the same.
In servers > certificates, select Microsoft Exchange Server Auth Certificate and then click Renew in the details pane as shown below. The screenshot below is of a certificate that has not expired yet; it looks exactly the same as one that has expired.
The new Exchange certificate has a new thumbprint and exists only on the server you renewed it on until you publish it. You need to identify the thumbprint of the new certificate. If you edit the certificate in the Exchange Admin Center, the thumbprint is shown on the General tab as shown below. You can type this in, but you are probably better off copying and pasting it into the later commands.
Take note of the thumbprint that is displayed in the new certificate's properties. You will need it in the following commands to activate the new certificate.
To view the thumbprint that is currently in use:
Get-AuthConfig | FL CurrentCertificateThumbprint
You will notice that this does not match the thumbprint of your new certificate. Run the following command to activate the new certificate by its thumbprint:
Set-AuthConfig -NewCertificateThumbprint <new certificate thumbprint> -NewCertificateEffectiveDate <date on which to activate>
If you use the current date you will get a warning that the new effective date is not 48 hours in the future. However, if we are recovering from an expired certificate, we are OK with that.
Now you need to publish the certificate to all servers:
Set-AuthConfig -PublishCertificate
And finally, remove the old expired certificate from the configuration:
Set-AuthConfig -ClearPreviousCertificate
You may find that you need to run iisreset after all of the AuthConfig changes are complete. In most cases this is not required, but it can speed things up during testing if the changes seem to be taking a long time to apply.
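The steps above, collected into one Exchange Management Shell script. This is an added example, not code from the original post: it assumes you have already clicked Renew in the Exchange Admin Center, so that two certificates with the subject "Microsoft Exchange Server Auth Certificate" exist on the server you are running it on. It picks the newest one by expiry date instead of relying on a hand-typed thumbprint, refuses to proceed if the newest certificate is itself expired or already active, and after publishing checks which servers in the organization can see the new thumbprint yet.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell on the
# server where you clicked Renew. Assumption: the renewed certificate carries the same
# subject as the old one and has the latest NotAfter date of the Auth Certificates present.

# Thumbprint currently configured for server-to-server OAuth (this value lives in Active Directory)
$current = (Get-AuthConfig).CurrentCertificateThumbprint

# The Auth Certificate with the latest expiry date is the one Renew just created
$newCert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like '*Microsoft Exchange Server Auth Certificate*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if ($null -eq $newCert) {
    throw 'No Microsoft Exchange Server Auth Certificate found on this server; click Renew in the EAC first.'
}
if ($newCert.Thumbprint -eq $current) {
    throw "Newest Auth Certificate ($current) is already the active one; nothing to activate."
}
if ($newCert.NotAfter -lt (Get-Date)) {
    throw "Newest Auth Certificate expired on $($newCert.NotAfter); this is not a renewed certificate."
}

Write-Host "Active thumbprint : $current"
Write-Host "New thumbprint    : $($newCert.Thumbprint) (valid until $($newCert.NotAfter))"

# Activate now. Using the current date produces the "not 48 hours in the future" warning
# mentioned above, which is acceptable when recovering from an expired certificate.
Set-AuthConfig -NewCertificateThumbprint $newCert.Thumbprint -NewCertificateEffectiveDate (Get-Date)

# Publish to all servers via Active Directory, then drop the old certificate from the config
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

# Verify the configuration now references the renewed certificate (Current if the effective
# date has passed, Next if you chose a future date)
$after = Get-AuthConfig
$after | Format-List CurrentCertificateThumbprint, PreviousCertificateThumbprint, NextCertificateThumbprint, NextCertificateEffectiveDate
if ($after.CurrentCertificateThumbprint -ne $newCert.Thumbprint -and
    $after.NextCertificateThumbprint -ne $newCert.Thumbprint) {
    throw 'The renewed thumbprint is neither the current nor the next certificate; check the steps above.'
}

# Optional check: which servers already hold the published certificate. Servers that have not
# yet received it through Active Directory replication show up as missing; re-run later.
foreach ($server in Get-ExchangeServer) {
    $present = Get-ExchangeCertificate -Server $server.Name -Thumbprint $newCert.Thumbprint -ErrorAction SilentlyContinue
    if ($present) {
        Write-Host "$($server.Name): renewed Auth Certificate present"
    } else {
        Write-Warning "$($server.Name): renewed Auth Certificate not found yet (replication pending or server unreachable)"
    }
}
```

The per-server loop at the end is the check that answers the DAG question in the comments: the certificate is published through Active Directory rather than exported by hand, so the thing to watch after publishing is simply whether every server has picked it up yet.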
What if I have two servers in a DAG environment? Do I have to make a renew certificate request on both servers, or do I have to export the certificate manually from one server to the second after renewal?
Thank you
No. The auth cert is stored in Active Directory, so it will be published to all servers.
Hey Fatma, same question about DAG. How did you do it in the end?