
Renew Microsoft Exchange Server Auth Certificate

The Microsoft Exchange Server Auth Certificate is created when you install an Exchange Server, and it is valid for 5 years. Most of the time, you never look at that certificate because, within those 5 years, you will have installed a new Exchange Server and decommissioned the old one. But what if you accidentally removed the certificate, or it’s giving an error? In this article, we will look at how to renew the Microsoft Exchange Server Auth Certificate and check that it’s valid.

Check Microsoft Exchange Server Auth Certificate

Sign in to Exchange Admin Center on-premises. Navigate to servers > certificates. Select the Exchange Server if you have more than one Exchange Server running in the organization. Double-click the Microsoft Exchange Server Auth Certificate.

In our example, we selected the Exchange Server EX01-2016.


We can see that the certificate thumbprint starts with C4C595.


Let’s verify the Exchange Server certificate with Exchange Management Shell.

Run Exchange Management Shell as administrator on the Exchange Server. Run the following command to check the status of the existing OAuth certificate (the one whose thumbprint is stored in the authorization configuration).

[PS] C:\>(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 9/28/2026 10:25:25 PM
NotBefore          : 9/28/2021 10:25:25 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1B6BC2BD4BB4EFA848E6EE110E79241C
Services           : SMTP
Status             : Valid
Subject            : CN=Microsoft Exchange Server Auth Certificate
Thumbprint         : C4C5951857150DC2BC89E084DA51DB126A258C4F

Let’s say the Exchange Server Auth Certificate is corrupt or not valid. Perhaps you don’t see the Exchange certificate with the above steps. In the next step, we will renew the Exchange Server Auth Certificate.
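The one-liner above only looks at the server you are signed in to. As an added example (not part of the original article), the following function reads the same authorization configuration and then checks, on every Exchange Server in the organization, that the current auth certificate is present, valid, has its private key, and is not close to expiry. It assumes it is run in Exchange Management Shell; the function name and the `WarnDays` parameter are hypothetical.

```powershell
# Added example: audit the Exchange Server Auth Certificate across all servers.
# Assumes Exchange Management Shell (Get-AuthConfig, Get-ExchangeServer,
# Get-ExchangeCertificate are the real Exchange cmdlets; the function is ours).
function Test-ExchangeAuthCertificate {
    [CmdletBinding()]
    param(
        # Warn when the certificate expires within this many days
        [int]$WarnDays = 90
    )

    $authConfig = Get-AuthConfig
    $current = $authConfig.CurrentCertificateThumbprint
    if ([string]::IsNullOrEmpty($current)) {
        Write-Warning "No current auth certificate thumbprint is set in the authorization configuration."
        return
    }

    Write-Host "Current  thumbprint : $current"
    Write-Host "Previous thumbprint : $($authConfig.PreviousCertificateThumbprint)"
    Write-Host "Next     thumbprint : $($authConfig.NextCertificateThumbprint) (effective $($authConfig.NextCertificateEffectiveDate))"

    $results = foreach ($server in Get-ExchangeServer) {
        # Get-ExchangeCertificate errors when the thumbprint is not on that server;
        # suppress the error and treat "nothing returned" as "missing"
        $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $current -ErrorAction SilentlyContinue
        if (-not $cert) {
            [pscustomobject]@{ Server = $server.Name; Present = $false; Status = 'Missing'; NotAfter = $null; DaysLeft = $null; PrivateKey = $null }
            continue
        }
        [pscustomobject]@{
            Server     = $server.Name
            Present    = $true
            Status     = $cert.Status
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            PrivateKey = $cert.HasPrivateKey
        }
    }

    $results | Format-Table -AutoSize

    # One warning per problem, so the output can be read (or alerted on) at a glance
    foreach ($r in $results) {
        if (-not $r.Present) {
            Write-Warning "$($r.Server): auth certificate $current is missing; rerun the renewal steps."
        }
        elseif ($r.Status -ne 'Valid') {
            Write-Warning "$($r.Server): certificate status is $($r.Status)."
        }
        elseif (-not $r.PrivateKey) {
            Write-Warning "$($r.Server): certificate has no private key, so OAuth tokens cannot be signed there."
        }
        elseif ($r.DaysLeft -le $WarnDays) {
            Write-Warning "$($r.Server): certificate expires in $($r.DaysLeft) days ($($r.NotAfter))."
        }
    }
}

Test-ExchangeAuthCertificate
```

A "Missing" row for one server is the situation the article describes next (the certificate is gone or was never replicated), and a row with Status other than Valid, or with no private key, means server-to-server authentication will fail on that server even though the certificate looks fine in EAC on another one.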

Renew Microsoft Exchange Server Auth Certificate with PowerShell

Let’s go through the steps to renew the Microsoft Exchange Server Auth Certificate. Run the commands below in Exchange Management Shell.

Are you looking at how to renew the Microsoft Exchange certificate? Read the article Renew Microsoft Exchange certificate.

Note: In most cases, you can’t remove the current Exchange Server Auth Certificate. That’s fine: you will be able to remove it once you have created and published a new Exchange Server Auth Certificate.

1. Create new Microsoft Exchange Server Auth Certificate

Create a new Microsoft Exchange Server Auth Certificate with the New-ExchangeCertificate cmdlet. If it asks whether to overwrite the existing default SMTP certificate, press Y and then Enter.

[PS] C:\>New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: 'C4C5951857150DC2BC89E084DA51DB126A258C4F' (expires 9/28/2026 10:25:25 PM)
Replace it with certificate: '67D37D27B8D3583D5FAD32FC294E287D270E3297' (expires 9/29/2026 9:51:32 AM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

Thumbprint                                Services   Subject
----------                                --------   -------
67D37D27B8D3583D5FAD32FC294E287D270E3297  ....S..    CN=Microsoft Exchange Server Auth Certificate

Copy the new certificate thumbprint because you need it in the next step. In our case, it’s the thumbprint that starts with 67D37D.

You can verify in Exchange Admin Center that the command created the new Microsoft Exchange Server Auth Certificate.

Note: The certificate will be created on all the Exchange Servers (if you have more than one Exchange Server running in the organization).


2. Set new certificate for server authentication

The Set-AuthConfig cmdlet modifies the authorization configuration that defines Microsoft Exchange as a partner application for server-to-server authentication with other partner applications, such as Microsoft SharePoint 2013 and Microsoft Lync 2013 or Skype for Business Server 2015.

Paste the certificate thumbprint that you copied in the previous step into the command. If you use the current date as the effective date, you will get a warning that the new effective date is not 48 hours in the future. Press Y and then Enter.

[PS] C:\>Set-AuthConfig -NewCertificateThumbprint "67D37D27B8D3583D5FAD32FC294E287D270E3297" -NewCertificateEffectiveDate (Get-Date)

Confirm
The new certificate effective date is not at least "48" hours in the future and may not be deployed on all necessary servers. Do you wish to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

The PublishCertificate switch specifies that the specified certificate be immediately rolled over as the current certificate. The certificate is deployed immediately to all Client Access servers.

[PS] C:\>Set-AuthConfig -PublishCertificate

The ClearPreviousCertificate switch clears the certificate saved as the previous certificate in the authorization configuration.

[PS] C:\>Set-AuthConfig -ClearPreviousCertificate

3. Restart Microsoft Exchange Service Host Service

Restart the Microsoft Exchange Service Host service.

[PS] C:\>Restart-Service "MSExchangeServiceHost"

4. Restart IIS (Internet Information Services)

Run the IISReset command to restart IIS.

[PS] C:\>iisreset

Another way is to recycle the Outlook on the web and EAC application pools.

[PS] C:\>Restart-WebAppPool "MSExchangeOWAAppPool"
[PS] C:\>Restart-WebAppPool "MSExchangeECPAppPool"

5. Remove old Microsoft Exchange Server Auth Certificate

Remove the old Microsoft Exchange Server Auth Certificate from Exchange Admin Center or with PowerShell. Do this on all the Exchange Servers.

After that, only one Microsoft Exchange Server Auth Certificate remains on each Exchange Server.


Note: In some environments, it may take a couple of hours for the OAuth certificate to be published.

6. Rerun Hybrid Configuration Wizard

If you have an Exchange Hybrid setup, you have to rerun the Hybrid Configuration Wizard to push the changes to Azure Active Directory (Azure AD).


7. Verify Microsoft Exchange Server Auth Certificate validity

Run the Exchange Server Health Checker script to verify that the Microsoft Exchange Server Auth Certificate status is valid.
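Steps 1 to 5 and 7 above can be run as one script. The following function is an added example (not code from the original article) that wraps those steps and adds the check the 48-hour warning in step 2 is about: it refuses to publish the new certificate until Get-ExchangeCertificate can see it on every Mailbox server, which avoids the "thumbprint not found on the second server" situation. It assumes Exchange Management Shell on a Mailbox server and WinRM access to the other servers for the service restarts; the function name is hypothetical, and the cmdlets and parameters are the ones used in the article.

```powershell
# Added example: the article's renewal steps as one function with -WhatIf support.
# Assumes Exchange Management Shell and WinRM to the other Exchange Servers.
function Invoke-ExchangeAuthCertificateRenewal {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$KeySize = 2048
    )

    $oldThumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
    Write-Host "Current auth certificate: $oldThumbprint"

    # Step 1: create the new self-signed auth certificate (same parameters as the article).
    # New-ExchangeCertificate may ask to overwrite the default SMTP certificate; answer Y.
    $newCert = New-ExchangeCertificate -KeySize $KeySize -PrivateKeyExportable $true `
        -SubjectName "cn=Microsoft Exchange Server Auth Certificate" `
        -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
    $newThumbprint = $newCert.Thumbprint
    Write-Host "New auth certificate: $newThumbprint"

    # The certificate should be created on all servers; verify that before publishing,
    # because a server without it cannot validate server-to-server tokens.
    $servers = Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' }
    $missing = foreach ($s in $servers) {
        if (-not (Get-ExchangeCertificate -Server $s.Name -Thumbprint $newThumbprint -ErrorAction SilentlyContinue)) {
            $s.Name
        }
    }
    if ($missing) {
        throw "Certificate $newThumbprint not found on: $($missing -join ', '). Fix that before publishing."
    }

    # Step 2: register the new certificate and roll it over immediately, as in the article.
    # Using today's date triggers the 48-hour warning; press Y when prompted.
    if ($PSCmdlet.ShouldProcess("authorization configuration", "Publish $newThumbprint")) {
        Set-AuthConfig -NewCertificateThumbprint $newThumbprint -NewCertificateEffectiveDate (Get-Date)
        Set-AuthConfig -PublishCertificate
        Set-AuthConfig -ClearPreviousCertificate
    }

    # Steps 3 and 4: restart the Service Host service and IIS on every server.
    foreach ($s in $servers) {
        if ($PSCmdlet.ShouldProcess($s.Name, "Restart MSExchangeServiceHost and IIS")) {
            Invoke-Command -ComputerName $s.Name -ScriptBlock {
                Restart-Service MSExchangeServiceHost
                & iisreset /noforce | Out-Null
            }
        }
    }

    # Step 5: remove the old auth certificate everywhere, but only once the new one is current.
    $nowCurrent = (Get-AuthConfig).CurrentCertificateThumbprint
    if ($oldThumbprint -and $oldThumbprint -ne $newThumbprint -and $nowCurrent -eq $newThumbprint) {
        foreach ($s in $servers) {
            if ($PSCmdlet.ShouldProcess($s.Name, "Remove old certificate $oldThumbprint")) {
                try {
                    Remove-ExchangeCertificate -Server $s.Name -Thumbprint $oldThumbprint -Confirm:$false -ErrorAction Stop
                }
                catch {
                    Write-Warning "$($s.Name): could not remove $oldThumbprint yet: $($_.Exception.Message)"
                }
            }
        }
    }

    # Step 7: show the certificate that is now current.
    (Get-AuthConfig).CurrentCertificateThumbprint |
        Get-ExchangeCertificate |
        Format-List Thumbprint, NotBefore, NotAfter, Status, HasPrivateKey
}

# Dry run first (no changes are made), then the real run:
# Invoke-ExchangeAuthCertificateRenewal -WhatIf
# Invoke-ExchangeAuthCertificateRenewal
```

The old certificate is removed only after Get-AuthConfig reports the new thumbprint as current, which is the ordering the note at the start of this section requires; a removal that still fails is reported per server rather than silently skipped, so you can clean it up by hand in EAC. Step 6 (the Hybrid Configuration Wizard) is not scripted here and still has to be run in a hybrid deployment.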


Read more: Renew certificate in Exchange Hybrid »

Conclusion

We showed how to renew the Microsoft Exchange Server Auth Certificate. First, go through the steps as shown to renew the Auth Certificate. After that, you can remove the old Auth certificate. If you have an Exchange Hybrid deployment, rerun the Hybrid Configuration Wizard. As always, verify that the new Microsoft Exchange Server Auth Certificate is valid by running the Exchange Health Checker script.

Did you enjoy this article? You may also like Install Exchange certificate with PowerShell. Don’t forget to follow us and share this article.

ALI TAJRAN


ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 12 Comments

  1. Great tutorial, Ali.
    How do I have only one Microsoft Exchange Server Auth Certificate? As for now I have 3 of them, and the server doesn’t like the main certificate.

    1. Hi Jean,

      Follow the article to create a new Microsoft Exchange Server Auth Certificate. After that, remove the old Microsoft Exchange Server Auth Certificates.

  2. Hello Ali,

    Thank you very much for your courses, they are awesome 🙂
    I have a Wildcard certificate and I want to renew it.
    Since I use this certificate for the whole Organization, assuming that I make the certificate request through another server, how do you think I should renew the certificate in the most error-free way?
    According to my research, I have to first delete my old certificate and import my new certificate and assign the services…
    Thank you in advance for your advice.

    Best regards

    1. Hi Emre,

      Glad that you like the courses.

      1. Make a backup of the old certificate
      2. Import the new certificate
      3. Specify the Exchange services that you want to assign this new certificate to
      4. Remove the old certificate

      You can use these articles:
      How to export certificate in Exchange Server
      How to import certificate in Exchange Server

      If it’s an Exchange Hybrid, you also need to update the send connector and receive connector. More on that in the article: Renew certificate in Exchange Hybrid.

      1. Hi Ali,
        Thank you very much for your advice, I will do it.
        But if I want to assign IIS service after importing the new certificate, I think I will have a problem. I cannot assign IIS to two certificates at the same time, even temporarily. I guess I should unassign the IIS service from the old certificate first.

        1. When you assign the services to the new certificate, it will overwrite the old certificate. That’s how it works.

          Ensure that you apply the changes from Exchange Management Shell or Exchange Admin Center and not directly from Internet Information Services (IIS) Manager.

  3. Hi Ali, I found that after running the New-ExchangeCertificate command on exchange01, the certificate was generated only on exchange01, and after performing the following steps, it was prompted that the fingerprint was not found on exchange02.

  4. Thanks mate. It’s very useful. I was stuck for the last day on this issue. Thanks, it’s resolved now.
    Appreciated.

  5. Thanks for your detailed explanation. Your knowledge is mind-blowing.
    Thanks for your remarkable help, always. 🙂
