Exchange Federation Certificate is Expiring Soon?? Don't Worry


Here are the steps to renew the Exchange Federation certificate if its going to Expire soon.

• Create a new federation certificate following the steps below:

$ski = [System.Guid]::NewGuid().ToString("N")
New-ExchangeCertificate -FriendlyName "Exchange Federated Sharing" -DomainName $env:<contoso.com> -Services Federation -KeySize 2048 -PrivateKeyExportable $true -SubjectKeyIdentifier $ski

• Configure the federation trust to use the certificate with the provided thumbprint (generated from above) as the next certificate:

Set-FederationTrust "Microsoft Federation Gateway" -Thumbprint <54A849EFD1951F1A62376FF0B7418B0839FAE26B>

• Ensure this next certificate is rolled across the entire Exchange Organization by running Test-FederationTrustCertificate.

• Once the certificate rollover is confirmed, use the cmdlet below to update MFG to use next certificate as the current certificate:

Set-FederationTrust "Microsoft Federation Gateway" -PublishFederationCertificate

• Anytime to ensure federation metadata and certificate exchange is force triggered run the cmdlet below:

Set-FederationTrust "Microsoft Federation Gateway" -RefreshMetadata

NOTE:- You have to update TXT records for all the domains which were configured for Federation.

WARNING: The federation trust has changed to use a new certificate for Federation. You should update all TXT
proof-of-ownership records that were previously set in DNS for all the domains configured for Federation. The new
hash-value should be replaced with the OrgNextCertificate proof value output of the OrgNextCertificate generated with
"Get-FederatedDomainProof -DomainName example.com".

Comments (0)

Skip to main content