In Microsoft Exchange on-prem, there is a self-signed certificate called Microsoft Exchange Server Auth Certificate. This certificate is not bound to any IIS web site, but it is still needed for authentication purposes. It is valid for 5 years. If the certificate has expired or is about to expire, you can renew it with the following procedure:
Start the Exchange Management Shell and type:
(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List
This should show you the details of the existing Microsoft Exchange Server Auth Certificate.
Create a new certificate:
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
Reply with N to the question asking whether you would like to replace the existing certificate, as you do not want to replace any certificate at this point.
Copy the thumbprint as you need it for the next step.
To assign the new certificate to the authentication server, issue the following commands (replace the thumbprint with your own):
Set-AuthConfig -NewCertificateThumbprint "5EB1EFE43855B22A81BEB102ACCD73CE84CB0F05" -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate
Restart-Service "MSExchangeServiceHost"
Restart-WebAppPool "MSExchangeOWAAppPool"
Restart-WebAppPool "MSExchangeECPAppPool"
The old certificate can now be deleted from EAC.
Depending on the time zone you are in, it can take several hours until the new certificate is published. For example, if you are in time zone UTC+2, it takes 2 hours until the new certificate works. During those 2 hours, EAC might not work.
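As an added example (not part of the original post), the steps above wrapped in a PowerShell script that checks how close the current Auth certificate is to expiry, captures the new thumbprint from New-ExchangeCertificate instead of copying it by hand, and verifies afterwards that Get-AuthConfig references the new certificate. It assumes it is run in the Exchange Management Shell; the function names and the $WarnDays threshold are my own.

```powershell
# Added example, not the post's own code. Run from the Exchange Management Shell.
# Function names and the $WarnDays default are assumptions.

function Get-AuthCertStatus {
    # Look up the certificate the auth config currently references and
    # report how many days remain before it expires.
    $cert = (Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

function Update-AuthCert {
    param([int]$WarnDays = 60)   # renew only when expiry is this close (assumed default)

    $status = Get-AuthCertStatus
    if ($status.DaysRemaining -gt $WarnDays) {
        Write-Host "Auth certificate $($status.Thumbprint) valid until $($status.NotAfter); nothing to do."
        return
    }

    # Create the replacement. New-ExchangeCertificate may ask whether to replace
    # an existing certificate; answer N as the post says. Capturing the returned
    # object gives us the thumbprint without copying it by hand.
    $new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName "cn=Microsoft Exchange Server Auth Certificate" `
        -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

    # Same sequence as the post, with the captured thumbprint.
    Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint -NewCertificateEffectiveDate (Get-Date)
    Set-AuthConfig -PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate

    Restart-Service "MSExchangeServiceHost"
    Restart-WebAppPool "MSExchangeOWAAppPool"
    Restart-WebAppPool "MSExchangeECPAppPool"

    # Check that the auth config now points at the new certificate. Per the
    # post, the certificate may still take some hours to become usable.
    $current = (Get-AuthConfig).CurrentCertificateThumbprint
    if ($current -ne $new.Thumbprint) {
        Write-Warning "AuthConfig still references $current, expected $($new.Thumbprint)"
    } else {
        Write-Host "Auth certificate replaced; new thumbprint $($new.Thumbprint)"
    }
}
```

Run Get-AuthCertStatus on its own to monitor the expiry date, and Update-AuthCert only when you intend to carry out the renewal.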
There is another self-signed Exchange certificate. If you need to renew that one, use this procedure:
Microsoft Exchange: Renew internal backend certificate
Hi
Thank you for this valuable information. One question though. I'm on a hybrid setup, do I have to run HCW after publishing and successfully removing the old cert?
Thanks
owen
Yes, as per Microsoft Q&A, you should run the Hybrid Configuration Wizard after you have replaced the certificate:
Thanks Admin. Really appreciate it.