Renew Expired Microsoft Exchange Server Auth Certificate

Tutorial on how to Renew Expired Microsoft Exchange Server Auth Certificate

The Microsoft Exchange Server Auth Certificate, which is installed by default with a 5-year lifetime, is a self-signed certificate used for OAuth authentication between applications such as Exchange Server, SharePoint and Hybrid with Exchange Online.

Verify the status of the existing Microsoft Exchange Server Auth Certificates

List all existing Microsoft Exchange Server Auth Certificates with PowerShell

Get-ExchangeCertificate | ? Subject -like "CN=Microsoft Exchange Server Auth Certificate" | Select Subject, Services, Status, Thumbprint, @{N="Expired Date";E={$_.NotAfter}}

Subject      : CN=Microsoft Exchange Server Auth Certificate
Services     : SMTP
Status       : Valid
Thumbprint   : D71A4447256B91A4DA6A7BAE3CED99FF9F8AA2A3
Expired Date : 30/12/2025 12:17:54 PM

Subject      : CN=Microsoft Exchange Server Auth Certificate
Services     : SMTP
Status       : Valid
Thumbprint   : 9AF628588D06107E4EDBDB6864F04BB42C90D821
Expired Date : 30/12/2025 12:14:09 PM

Subject      : CN=Microsoft Exchange Server Auth Certificate
Services     : SMTP
Status       : Invalid
Thumbprint   : 4907D3272DEA4BD7E7105B333C244F860447E59F
Expired Date : 26/12/2020 6:48:50 PM

Log in to the Exchange ECP; an alert is shown for the expired Microsoft Exchange Server Auth Certificate.

Click the Renew link for the Microsoft Exchange Auth Certificate. However, we noticed that the alert still appears even with the renewed Microsoft Exchange Server Auth Certificate installed.

Resolve the Alert Message

Launch the Exchange Management Shell and set the thumbprint of the renewed Microsoft Exchange Auth Certificate as the current certificate

$thumb = "67AA018F1E727EE9D4D480F080BFB822447B2626"
$date = Get-Date

Set-AuthConfig -NewCertificateThumbprint $thumb -NewCertificateEffectiveDate $date

Publish the new Certificate to all Exchange Servers

Set-AuthConfig -PublishCertificate

Verify the new Microsoft Exchange Auth Certificate is configured properly

[PS] C:\Windows\system32>Get-AuthConfig

RunspaceId                    : 14b140ff-38ea-4955-9279-9062a6160bae
CurrentCertificateThumbprint  : 67AA018F1E727EE9D4D480F080BFB822447B2626
PreviousCertificateThumbprint : 6004102A37244742E6315018883C1274D59D6322
NextCertificateThumbprint     :
NextCertificateEffectiveDate  :
ServiceName                   : 00000002-0000-0ff1-ce00-000000000000

Remove the expired Microsoft Exchange Auth Certificate

Set-AuthConfig -ClearPreviousCertificate

Delete all the expired Microsoft Exchange Auth Certificates in ECP

The alert message should go away now.
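To confirm the result of the steps above on every server, the following added example (not part of the original tutorial) checks that the thumbprint in Get-AuthConfig exists on each Exchange server, is Valid, and is not close to expiry. The function name Test-AuthCertificate and the 60-day $WarnDays threshold are assumptions chosen for illustration; run it in the Exchange Management Shell.

```powershell
# Added example, not from the original page.
# Test-AuthCertificate is a hypothetical helper; $WarnDays is an assumed threshold.
function Test-AuthCertificate {
    param(
        [string[]]$Server = (Get-ExchangeServer).Name,  # default: every server in the organization
        [int]$WarnDays = 60
    )

    $auth    = Get-AuthConfig
    $current = $auth.CurrentCertificateThumbprint

    foreach ($s in $Server) {
        $finding = 'OK'
        $cert    = $null
        try {
            # Fails if the published certificate has not reached this server
            $cert = Get-ExchangeCertificate -Server $s -Thumbprint $current -ErrorAction Stop
        } catch {
            $finding = 'Current auth certificate not found on this server'
        }

        if ($cert) {
            $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            if ($cert.Status -ne 'Valid') {
                $finding = "Certificate status is $($cert.Status)"
            } elseif ($daysLeft -le $WarnDays) {
                $finding = "Expires in $daysLeft days"
            }
        }

        [pscustomobject]@{
            Server     = $s
            Thumbprint = $current
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            Finding    = $finding
        }
    }

    # After Set-AuthConfig -ClearPreviousCertificate this value should be empty
    if ($auth.PreviousCertificateThumbprint) {
        Write-Warning "AuthConfig still references previous certificate $($auth.PreviousCertificateThumbprint)"
    }
}

Test-AuthCertificate | Format-Table -AutoSize
```

Any row whose Finding is not OK points to a server where the renewed certificate is missing, invalid, or due for renewal.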
