Microsoft Exchange: Renew the Microsoft Exchange Server Auth Certificate

In Microsoft Exchange on-prem, there is a self-signed certificate called

Microsoft Exchange Server Auth Certificate

This certificate is not bound to any IIS web site, but it is still needed for authentication purposes (OAuth between Exchange components and other server-to-server authentication). It is valid for 5 years. If the certificate has expired or is about to expire, you can renew it with the following procedure:

Start the Exchange Management Shell and type:

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

This should show you the details of the existing Microsoft Exchange Server Auth Certificate.

Create a new certificate:

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

Reply with N when asked whether you would like to replace the existing certificate, as you do not want to replace any certificate at this point.

Copy the thumbprint as you need it for the next step.

To assign the new certificate to the necessary authentication server, issue the following commands:

Set-AuthConfig -NewCertificateThumbprint "5EB1EFE43855B22A81BEB102ACCD73CE84CB0F05" -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate
Restart-Service "MSExchangeServiceHost"
Restart-WebAppPool "MSExchangeOWAAppPool"
Restart-WebAppPool "MSExchangeECPAppPool"

The old certificate can now be deleted from EAC.

Depending on the timezone you are in, it can take several hours until the new certificate is published. For example, if you are in timezone UTC+2, it takes 2 hours until the new certificate works. During those 2 hours, EAC might not work.
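The steps above as one script for the Exchange Management Shell. This is an added example, not code from the original post: it checks how long the current Auth certificate is still valid, only renews when it is within an assumed 30-day threshold, takes the new thumbprint from the object New-ExchangeCertificate returns instead of copying it by hand, and verifies afterwards that the AuthConfig references the new certificate. The threshold, the verification logic and the property names checked on Get-AuthConfig (CurrentCertificateThumbprint, NextCertificateThumbprint, PreviousCertificateThumbprint) are assumptions of this example.

```powershell
# Added example: renew the Microsoft Exchange Server Auth Certificate.
# Run from the Exchange Management Shell. The 30-day threshold and the
# final verification are assumptions of this example, not from the post.

$RenewIfExpiringWithinDays = 30   # assumed renewal threshold

# Step 1: inspect the currently configured Auth certificate
$authConfig  = Get-AuthConfig
$currentCert = Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint
$daysLeft    = ($currentCert.NotAfter - (Get-Date)).Days

Write-Host ("Current Auth certificate {0} expires {1} ({2} days left)" -f `
    $currentCert.Thumbprint, $currentCert.NotAfter, $daysLeft)

if ($daysLeft -gt $RenewIfExpiringWithinDays) {
    Write-Host "Certificate is not close to expiry; nothing to do."
    return
}

# Step 2: create the replacement certificate. Answer N to the prompt asking
# whether to replace the existing certificate. The returned object carries
# the new thumbprint, so nothing has to be copied by hand.
$newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName  "cn=Microsoft Exchange Server Auth Certificate" `
    -FriendlyName "Microsoft Exchange Server Auth Certificate" `
    -DomainName @()

if (-not $newCert -or -not $newCert.Thumbprint) {
    throw "New-ExchangeCertificate returned no certificate; AuthConfig left unchanged."
}

# Step 3: make the new certificate the Auth certificate, publish it, drop the old one
Set-AuthConfig -NewCertificateThumbprint $newCert.Thumbprint -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

# Step 4: restart the services that cache the Auth certificate
Import-Module WebAdministration
Restart-Service "MSExchangeServiceHost"
Restart-WebAppPool "MSExchangeOWAAppPool"
Restart-WebAppPool "MSExchangeECPAppPool"

# Step 5: verify the AuthConfig now references the new certificate. Because of
# the publishing delay described in the post, the new thumbprint may still be
# listed as the "next" certificate rather than the current one; either is fine.
$after = Get-AuthConfig
$referenced = @($after.CurrentCertificateThumbprint, $after.NextCertificateThumbprint)
if ($referenced -notcontains $newCert.Thumbprint) {
    throw "AuthConfig does not reference $($newCert.Thumbprint) (current: $($after.CurrentCertificateThumbprint))"
}
if ($after.PreviousCertificateThumbprint) {
    Write-Warning "Previous certificate $($after.PreviousCertificateThumbprint) is still referenced."
}
Write-Host ("Auth certificate renewed: {0}, valid until {1}" -f $newCert.Thumbprint, $newCert.NotAfter)
```

The script stops before touching the AuthConfig if no certificate object came back, so a failed New-ExchangeCertificate never leaves the server pointing at a thumbprint that does not exist. The old certificate is still removed from EAC by hand, as described above.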

There is another self-signed Exchange certificate. If you need to renew that one, use this procedure:

Microsoft Exchange: Renew internal backend certificate
