Renew Exchange Federation Certificate
Hi All,
Recently I noticed that my Exchange Server and Exchange Delegation Federation certificates have expired.
There is Microsoft documentation that is still valid: Renew the federation certificate
There are two different scenarios:
- Your federation certificate is still valid
  - Create a new federation certificate
  - Configure the new certificate as the federation certificate
  - Update the federation proof of domain ownership TXT record in external DNS
  - Verify the distribution of the new federation certificate to all Exchange servers
  - Activate the new federation certificate
- Your federation certificate has expired
  - Remove Federated Domain
  - Remove Federation Trust
  - Create a new federation certificate
  - Configure the new certificate as the federation certificate
  - Update the federation proof of domain ownership TXT record in external DNS
  - Verify the distribution of the new federation certificate to all Exchange servers
  - FederationTrust UpdateMetadata
  - Add Federated Domains
In my case the certificate has expired.
Get-ExchangeCertificate
For the self-signed Exchange certificate it’s a straightforward process.
Renew the Exchange Certificate
Get-ExchangeCertificate -Thumbprint 12ED6C077F5C234C0FD5498E7FB1F1A45C3368E6 | New-ExchangeCertificate -Force -PrivateKeyExportable $true
Let’s review the Domains in the FederatedOrganizationIdentifier
Get-FederatedOrganizationIdentifier | Format-List AccountNamespace,Domains
Get-FederatedOrganizationIdentifier
Now the domains have to be removed, the default domain last.
Remove-FederatedDomain -DomainName subdomain.icewolf.ch -Force
Remove-FederatedDomain -DomainName icewolf.ch -Force
Remove-FederatedDomain -DomainName irgendwoiminternet.ch -Force
Now the Domains have been removed
Get-FederatedOrganizationIdentifier
The Federation Trust can be removed
Remove-FederationTrust "Microsoft Federation Gateway"
Let’s create a new Federation Certificate (Self Signed)
$ski = [System.Guid]::NewGuid().ToString("N")
New-ExchangeCertificate -FriendlyName "Exchange Delegation Federation" -SubjectName "CN = Federation" -DomainName icewolf.ch -Services Federation -KeySize 2048 -PrivateKeyExportable $true -SubjectKeyIdentifier $ski
Let’s have a look at the certificate
Get-ExchangeCertificate
The federation certificate must contain the “Subject Key Identifier” extension
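As an added example (not part of the original post), this check reads the new certificate from the local machine store and confirms that it actually carries the Subject Key Identifier extension (OID 2.5.29.14) that the federation trust requires. The thumbprint is the one shown above for the new federation certificate; the function name is my own.

```powershell
# Added example, not from the original post: verify that the new federation
# certificate carries the Subject Key Identifier (SKI) extension, OID 2.5.29.14.
# The thumbprint is the one of the newly created federation certificate above.
$Thumbprint = '95DBF824BB5C3B99DF51D3B2818139DE79619DC4'

function Test-FederationCertificateSki {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Read the certificate from the local machine store, which exposes the full
    # X.509 extension list as .NET X509Certificate2 objects.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        Write-Warning "Certificate $Thumbprint not found in LocalMachine\My"
        return $false
    }

    # Look for the SKI extension by OID rather than by friendly name,
    # which depends on the OS language.
    $ski = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if (-not $ski) {
        Write-Warning "Certificate $Thumbprint has no Subject Key Identifier extension"
        return $false
    }

    # Format($false) renders the extension value on a single line for any extension type
    [pscustomobject]@{
        Thumbprint           = $cert.Thumbprint
        SubjectKeyIdentifier = $ski.Format($false)
        NotAfter             = $cert.NotAfter
        HasPrivateKey        = $cert.HasPrivateKey
        Subject              = $cert.Subject
    }
}

Test-FederationCertificateSki -Thumbprint $Thumbprint
```

If the function returns $false, the certificate was created without -SubjectKeyIdentifier and New-FederationTrust will not accept it; create it again as shown above before continuing.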
Now Let’s create a new Federation Trust
Get-ExchangeCertificate -Thumbprint 95DBF824BB5C3B99DF51D3B2818139DE79619DC4 | New-FederationTrust -Name "Microsoft Federation Gateway"
The certificate is now assigned to the “F” (Federation) service
Now the Federated Domain Proof has to be generated for each Domain
Get-FederatedDomainProof -DomainName icewolf.ch
Get-FederatedDomainProof -DomainName irgendwoiminternet.ch
Get-FederatedDomainProof -DomainName subdomain.icewolf.ch
The TXT Records have to be updated in the DNS
Update the Federation Trust with the Domains
Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway" -AccountNamespace icewolf.ch -Enabled $true
Add-FederatedDomain -DomainName irgendwoiminternet.ch
Add-FederatedDomain -DomainName subdomain.icewolf.ch
Sometimes it takes a while until the DNS TXT records have propagated
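To see when the proof records have actually propagated, here is an added example (not from the original post) that compares, per domain, the proof value Get-FederatedDomainProof expects with what a public resolver currently returns for the TXT record. It assumes the Get-FederatedDomainProof output exposes Name (the record name) and Proof (the expected TXT value), and uses Resolve-DnsName from the DnsClient module; the resolver address and the function name are my own choices.

```powershell
# Added example, not from the original post: check from an external resolver
# whether the federation proof TXT record for each domain is already published
# with the value Exchange expects. Property names Name and Proof on the
# Get-FederatedDomainProof output are assumed.
$Domains  = 'icewolf.ch', 'irgendwoiminternet.ch', 'subdomain.icewolf.ch'
$Resolver = '1.1.1.1'   # any public resolver; the record must be visible from the internet

function Test-FederatedDomainProofDns {
    param(
        [Parameter(Mandatory)][string[]]$DomainName,
        [string]$Server = $Resolver
    )
    foreach ($domain in $DomainName) {
        # Get-FederatedDomainProof may return one proof per federation certificate,
        # so iterate over everything it emits for this domain.
        foreach ($proof in (Get-FederatedDomainProof -DomainName $domain)) {
            # Collect the published TXT strings for the record name Exchange expects
            $txt = Resolve-DnsName -Name $proof.Name -Type TXT -Server $Server -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'TXT' } |
                ForEach-Object { $_.Strings -join '' }

            [pscustomobject]@{
                Domain        = $domain
                RecordName    = $proof.Name
                ExpectedProof = $proof.Proof
                Published     = ($txt -contains $proof.Proof)   # $true once propagated
                TxtRecords    = @($txt).Count
            }
        }
    }
}

Test-FederatedDomainProofDns -DomainName $Domains | Format-Table -AutoSize
```

Run it until every row shows Published = True; only then is Add-FederatedDomain going to succeed for that domain. Querying an external resolver matters because the Microsoft Federation Gateway validates the record from the internet, not from your internal DNS.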
Check the FederatedOrganizationIdentifier - all Domains are now back in there
Get-FederatedOrganizationIdentifier
Refresh the FederationTrust
Set-FederationTrust -RefreshMetadata -Identity "Microsoft Federation Gateway"
Test the Federation Trust Certificate
Test-FederationTrustCertificate
Test the Federation Trust
Test-FederationTrust
#it can take 12-48 hours before the trust reports as being no longer expired!
Now you can remove the expired Certificates
Get-ExchangeCertificate
Remove-ExchangeCertificate -Thumbprint 4F4B2F3B0A70177C76F2BB68B1E1C287FF44E135
Remove-ExchangeCertificate -Thumbprint 12ED6C077F5C234C0FD5498E7FB1F1A45C3368E6
Get-ExchangeCertificate
The certificates now look good
Just as a reminder of how the Federation Trust works: Exchange Hybrid Federation Trust
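The cleanup above removes two certificates by thumbprint. As an added example (not from the original post), the following guarded version first lists all expired certificates with the services still bound to them, refuses to remove anything while Test-FederationTrust reports errors, and never touches a certificate that the federation trust still references. It assumes the usual Exchange Management Shell properties: Thumbprint, NotAfter, Services and FriendlyName on Get-ExchangeCertificate output, Type and Message on Test-FederationTrust output, and OrgCertificate, OrgPrevCertificate and OrgNextCertificate on Get-FederationTrust output; the function names are my own.

```powershell
# Added example, not from the original post: a guarded cleanup of expired
# Exchange certificates. Property names on the cmdlet outputs are assumed
# from the Exchange Management Shell (see lead-in).

function Get-ExpiredExchangeCertificate {
    # Expired certificates, with a note of which services still reference them
    Get-ExchangeCertificate |
        Where-Object { $_.NotAfter -lt (Get-Date) } |
        Select-Object Thumbprint, FriendlyName, NotAfter, Services, IsSelfSigned
}

function Remove-ExpiredExchangeCertificate {
    param([switch]$WhatIf)   # pass -WhatIf to only show what would be removed

    # 1. Refuse to clean up while the federation trust itself is unhealthy
    $trustErrors = Test-FederationTrust | Where-Object { $_.Type -eq 'Error' }
    if ($trustErrors) {
        $trustErrors | ForEach-Object { Write-Warning $_.Message }
        Write-Warning 'Federation trust reports errors; not removing any certificate.'
        return
    }

    # 2. Never remove a certificate the trust still references
    #    (current, previous or next organisation certificate)
    $trust = Get-FederationTrust
    $inUse = @($trust.OrgCertificate, $trust.OrgPrevCertificate, $trust.OrgNextCertificate) |
        Where-Object { $_ } |
        ForEach-Object { $_.Thumbprint }

    foreach ($cert in Get-ExpiredExchangeCertificate) {
        if ($inUse -contains $cert.Thumbprint) {
            Write-Warning "Skipping $($cert.Thumbprint): still referenced by the federation trust"
            continue
        }
        # 3. Expired certificates that still list services need a manual look first
        if ("$($cert.Services)" -ne 'None') {
            Write-Warning "Skipping $($cert.Thumbprint): still bound to services $($cert.Services)"
            continue
        }
        Write-Host "Removing expired certificate $($cert.Thumbprint) ($($cert.FriendlyName), expired $($cert.NotAfter))"
        Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -Confirm:$false -WhatIf:$WhatIf
    }
}

# Inspect first, then do a dry run before removing anything
Get-ExpiredExchangeCertificate | Format-Table -AutoSize
Remove-ExpiredExchangeCertificate -WhatIf
```

The service check is deliberately conservative: an expired certificate that still shows services such as IIS or SMTP may mean the renewal step above did not re-bind them, and Exchange would silently keep presenting the expired certificate. Those cases are reported instead of removed so you can fix the binding with Enable-ExchangeCertificate first.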
It’s a good idea now to run the Exchange Hybrid Wizard
Now the Federation Trust is successful
Test-FederationTrust
After a while I checked the Federation Information
Get-FederationInformation -DomainName irgendwoiminternet.ch
Get-FederationInformation -DomainName icewolf.ch
Regards
Andres Bohren