Microsoft Exchange Server Auth Certificate

The Microsoft Exchange Server Auth Certificate is created with every install of Microsoft Exchange server. This certificate is self-signed that is installed in all exchange servers and in hybrid deployments, allows connection with other servers like Lync, SharePoint, etc.  The Microsoft Exchange Server Auth Certificate has a 5-year expiration date, which is just long enough for it to be one of things that you set and forget. Until it suddenly expires of course and all hell breaks loose.

Microsoft Exchange Server Auth Certificate

If it is expired or is about to expire, dont stress. It is really easy to just renew the certificate by using the Exchange Admin Console.

How to Renew an Expired Microsoft Exchange Server Auth Certificate

Renewing creates a second certificate named Microsoft Exchange Server Auth Certificate that is valid for another 5 years. Whether you renew before expiration or after expiration, I found the the process is exactly the same.

In servers > certificates, select Microsoft Exchange Server Auth Certificate and then click Renew in the details pane as shown below. The screen shot below is of a certificate that is not expired yet, it looks exactly the same as on that has expired.

The new certificate has a new thumbprint and exists only on the server you’ve renewed it on. You need to identify the thumbprint for the new certificate. If you edit the certificate, in Exchange Admin C enter, the thumbprint is on the general tab is as shown below. You can type this in, but you’re probably better of to cut and paste it into the later commands.

Microsoft Exchange Server Auth Certificate

Take note of the thumbprint in that is displayed in the new Certificate’s proerties. You will need this in the following commands to activate the new certificate.

To view the Thumpint which is currently being used –

Get-AuthConfig | FL CurrentCertificateThumbprint

You will notice that this will not correspond with the thumbprint of your new certificate. Run the following command to activate the thumbprint on the new certificate

Set-AuthConfig -NewCertificateThumbprint New thumbprint number -NewCertificateEffectiveDate Date in which to activate

If you select the current day date you will get a warning that the new effective date is not 48 hours in the future. However, if we’re recovering from an expired certificate, we’re OK with that.

Now you need to publish the certificate to all servers:

Set-AuthConfig -PublishCertificate

And finally, remove the old expired certificate from the configuration:

Set-AuthConfig -ClearPreviousCertificate

You may find that you need to do an iisreset after all of the AuthConfig changes are complete. In most cases this is not required but could help speed up the testing stage if you find that it is taking longer for the changes to be applied.

Leave a Reply