Here are the steps to renew the Exchange Federation certificate when it is going to expire soon.
• Create a new federation certificate following the steps below:
# Generate a fresh Subject Key Identifier for the new certificate
$ski = [System.Guid]::NewGuid().ToString("N")
# -DomainName resolves to the current user's DNS domain; substitute your primary federated domain (e.g. contoso.com) if it differs
New-ExchangeCertificate -FriendlyName "Exchange Federated Sharing" -DomainName $env:USERDNSDOMAIN -Services Federation -KeySize 2048 -PrivateKeyExportable $true -SubjectKeyIdentifier $ski
• Configure the federation trust to use the certificate with the provided thumbprint (generated from above) as the next certificate:
Set-FederationTrust "Microsoft Federation Gateway" -Thumbprint 54A849EFD1951F1A62376FF0B7418B0839FAE26B
• Ensure this next certificate is rolled across the entire Exchange Organization by running Test-FederationTrustCertificate.
• Once the certificate rollover is confirmed on every server, use the cmdlet below to tell the Microsoft Federation Gateway (MFG) to use the next certificate as the current certificate:
Set-FederationTrust "Microsoft Federation Gateway" -PublishFederationCertificate
• At any time, to force a federation metadata refresh and certificate exchange, run the cmdlet below:
Set-FederationTrust "Microsoft Federation Gateway" -RefreshMetadata
NOTE: You have to update the TXT proof-of-ownership records for all the domains that were configured for Federation; the cmdlet warns about this:
WARNING: The federation trust has changed to use a new certificate for Federation. You should update all TXT
proof-of-ownership records that were previously set in DNS for all the domains configured for Federation. The new
hash-value should be replaced with the OrgNextCertificate proof value output of the OrgNextCertificate generated with
"Get-FederatedDomainProof -DomainName example.com".
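The steps above chained into one script with a check between staging and publishing, as an added example (not from the original page or from Microsoft). It assumes an Exchange Management Shell session, uses contoso.com as a placeholder domain, and assumes Test-FederationTrustCertificate returns objects with Server, State and Thumbprint properties, Get-FederatedOrganizationIdentifier exposes a Domains collection with DomainName, and Get-FederatedDomainProof returns a Proof property.

```powershell
# Added example: federation certificate rollover with a verification gate.
# Assumptions (not verified against the page): Exchange Management Shell session,
# "contoso.com" is a placeholder for the primary federated domain, and the output
# property names on the Test-/Get- cmdlets used below are as described in the lead-in.
$ErrorActionPreference = 'Stop'
$trustName = 'Microsoft Federation Gateway'

# 1. Create the new federation certificate with a fresh Subject Key Identifier.
$ski  = [System.Guid]::NewGuid().ToString('N')
$cert = New-ExchangeCertificate -FriendlyName 'Exchange Federated Sharing' `
            -DomainName 'contoso.com' -Services Federation -KeySize 2048 `
            -PrivateKeyExportable $true -SubjectKeyIdentifier $ski
Write-Host "New certificate thumbprint: $($cert.Thumbprint)"

# 2. Stage it as the *next* certificate; the current one keeps serving requests.
Set-FederationTrust $trustName -Thumbprint $cert.Thumbprint

# 3. Do not publish until every server reports the staged certificate as installed;
#    publishing early breaks federation on servers that have not received it yet.
$deadline = (Get-Date).AddMinutes(30)
do {
    $status  = Test-FederationTrustCertificate
    $servers = $status | Select-Object -ExpandProperty Server -Unique
    $ready   = $status |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint -and $_.State -eq 'Installed' } |
        Select-Object -ExpandProperty Server -Unique
    $pending = @($servers | Where-Object { $ready -notcontains $_ })
    if ($pending.Count -gt 0) {
        Write-Host "Waiting for: $($pending -join ', ')"
        Start-Sleep -Seconds 60
    }
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)
if ($pending.Count -gt 0) { throw 'Certificate did not roll to all servers; not publishing.' }

# 4. Promote next -> current, then force a metadata/certificate exchange with MFG.
Set-FederationTrust $trustName -PublishFederationCertificate
Set-FederationTrust $trustName -RefreshMetadata

# 5. Print the new TXT proof value for every federated domain so DNS can be updated;
#    the trust fails once MFG validates ownership against the new certificate otherwise.
foreach ($d in (Get-FederatedOrganizationIdentifier).Domains) {
    $proof = Get-FederatedDomainProof -DomainName $d.DomainName
    Write-Host ("{0}`tTXT proof: {1}" -f $d.DomainName, $proof.Proof)
}
```

Run it in a change window and keep the old certificate installed until the TXT records have propagated, since Get-FederationTrust still lists it as OrgPrevCertificate for rollback.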