Question
Saturday, March 4, 2017 4:24 PM
I tried to reply to a post regarding this but TechNet just fails. I have seen this question with no real accurate answers so I will post the steps here.
How do I renew the self-signed Federated certificate before it fails?
You will see errors in your application log and any sort of simple renew will just fail. You check OrgNextCertificate and it is blank. Follow these steps to renew the cert.
Log on to a local Exchange server and open the Exchange CLI. Run this command.
get-exchangecertificate
Locate the certificate that is associated with F (Federated service). Copy the thumbprint to a notepad for reference.
Run these commands. Select Yes if prompted.
$ski = [System.Guid]::NewGuid().ToString("N")
get-exchangecertificate -Thumbprint "thumbprint" | New-ExchangeCertificate -PrivateKeyExportable $true -SubjectKeyIdentifier $ski
Now you have a valid cert which we will use. If you only have one federation trust, you can use a get/set combo easily, like I did.
This command publishes this cert to all local Exchange servers
get-federationTrust | Set-FederationTrust -Thumbprint "thumbprint"
You will then see this message:
WARNING: The federation trust has changed to prepare for the usage of a new certificate for Federation. You should
update all TXT proof-of-ownership records that were previously set in DNS for all the domains configured for Federation before publishing the new certificate.
The new hash-value should be replaced with the OrgNextCertificate proof value output generated with
"Get-FederatedDomainProof -DomainName example.com".
So go ahead and do this for all of your domains that you use in the federation. Copy the Proof in the OrgNextPrivCertificate section and add this to your public DNS entry. Note: this is not private DNS but whatever service (GoDaddy, Amazon, etc.) that you use to manage your public DNS. I simply added to my existing TXT but you can probably replace the existing one. I recommend saving all output to a text file.
Verify that this new cert has replicated to all of your Exchange servers. I just used the web console and verified that all of the Exchange servers had the cert and that it was recognized as a Federation cert. Also, you should now see this new cert as the next cert in line on the command "Get-FederationTrust | Select Org*certificate"
Once you are confident that the cert is internally replicated and you have the TXT ownership data on your public DNS, go ahead and run this command.
get-FederationTrust | Set-FederationTrust -PublishFederationCertificate
You will see this output:
WARNING: The federation trust has changed to use a new certificate for Federation. You should update all TXT
proof-of-ownership records that were previously set in DNS for all the domains configured for Federation. The new
hash-value should be replaced with the OrgNextCertificate proof value output of the OrgNextCertificate generated with
"Get-FederatedDomainProof -DomainName example.com".
Finally, you can run this command but my result stated that nothing has changed.
get-FederationTrust | Set-FederationTrust -RefreshMetadata
Run this command to see that the new cert is the current one, and the next cert field is now empty.
Get-FederationTrust | Select Org*certificate
Finally, give it a test:
Test-FederationTrust
I hope this helps as I have tried for weeks to find a solution and everyone is close, but nobody ever posted how they ever truly figured it out. The funny thing is that I created a MS ticket and they just pointed me to the same TechNet posts that have no answer. I hope that they point to this one from now on.
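The procedure above, scripted end to end as an added example (this is not code from the original post): it stages the new certificate, writes the per-domain proof values to a file, and refuses to run the publish step until each proof is visible in public DNS. Assumed, not stated in the post: the Federation role appears in the Services property of Get-ExchangeCertificate, Get-FederatedDomainProof returns objects with Thumbprint, DomainName and Proof properties, and the resolver in $PublicResolver can see your public zone.

```powershell
# Added example, not from the original post: drives the renewal from the Exchange
# Management Shell and only publishes once every domain's TXT proof is in public DNS.
# Assumed property shapes: cert role in .Services; Get-FederatedDomainProof output has
# Thumbprint/DomainName/Proof; Resolve-DnsName TXT answers expose a .Strings array.
param(
    [Parameter(Mandatory)] [string[]] $Domains,          # e.g. 'example.com','example.net'
    [string] $ProofFile      = "$env:USERPROFILE\federation-proofs.txt",
    [string] $PublicResolver = '8.8.8.8'                 # any resolver outside your AD DNS
)

# 1. Find the current Federation certificate (the one flagged with the 'F' service).
$current = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'Federation' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $current) { throw 'No certificate with the Federation service was found.' }
"Current federation cert $($current.Thumbprint) expires $($current.NotAfter)"

# 2. Clone it with a fresh Subject Key Identifier; a plain renew fails without this.
$ski = [System.Guid]::NewGuid().ToString('N')
$new = Get-ExchangeCertificate -Thumbprint $current.Thumbprint |
    New-ExchangeCertificate -PrivateKeyExportable $true -SubjectKeyIdentifier $ski -Confirm:$false
"New federation cert $($new.Thumbprint) expires $($new.NotAfter)"

# 3. Stage it as OrgNextCertificate on every trust. Nothing is published yet.
Get-FederationTrust | Set-FederationTrust -Thumbprint $new.Thumbprint

# 4. Record the proof value that belongs to the *next* certificate for each domain.
$proofs = foreach ($d in $Domains) {
    Get-FederatedDomainProof -DomainName $d |
        Where-Object { $_.Thumbprint -eq $new.Thumbprint } |
        Select-Object DomainName, Thumbprint, Proof
}
$proofs | Format-Table -AutoSize | Out-String | Set-Content $ProofFile
"Proof values written to $ProofFile; add each Proof as a TXT record at the domain apex."

# 5. Check public DNS for every proof; publish only when none are missing.
function Test-FederationProofInDns([string]$Domain, [string]$Proof, [string]$Resolver) {
    $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver -ErrorAction SilentlyContinue
    [bool]($txt | Where-Object { $_.Strings -contains $Proof })   # proof must match verbatim
}
$missing = $proofs | Where-Object { -not (Test-FederationProofInDns $_.DomainName $_.Proof $PublicResolver) }
if ($missing) {
    "TXT proof not yet visible for: $($missing.DomainName -join ', '). Re-run after DNS propagates."
    return
}
Get-FederationTrust | Set-FederationTrust -PublishFederationCertificate
Get-FederationTrust | Set-FederationTrust -RefreshMetadata
Get-FederationTrust | Select-Object Org*Certificate       # new cert current, next cert empty
Test-FederationTrust
```

Run it once to stage the certificate and write the proofs, publish the TXT records, then re-run it after DNS has propagated; the second run performs the publish and the final Test-FederationTrust.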
All replies (1)
Monday, March 6, 2017 2:36 AM
Hi David,
Thanks for your sharing and effort, this would be very helpful for other community members.
Best Regards,
Niko Cheng
TechNet Community Support