
Renew Microsoft Exchange Server Auth Certificate

The Microsoft Exchange Server Auth Certificate is created when you install an Exchange Server and is valid for 5 years. Most of the time you never look at it, because within those 5 years you install a new Exchange Server and decommission the old one. But what if the certificate was removed by accident, or it is giving an error? Exchange uses this certificate to sign the OAuth tokens it presents to partner applications (and to Exchange Online in a hybrid deployment), so a missing, expired, or broken certificate breaks server-to-server authentication. In this article, we will look at how to renew the Microsoft Exchange Server Auth Certificate and check that it's valid.

Check Microsoft Exchange Server Auth Certificate

Sign in to Exchange Admin Center on-premises. Navigate to servers > certificates. Select the Exchange Server if you have more than one Exchange Server running in the organization. Double-click the Microsoft Exchange Server Auth Certificate.

In our example, we selected the Exchange Server EX01-2016.

Renew Microsoft Exchange Server Auth Certificate EAC

We see that the certificate thumbprint starts with C4C595.

Renew Microsoft Exchange Server Auth Certificate EAC general

Let’s verify the Exchange Server certificate with Exchange Management Shell.

Run Exchange Management Shell as administrator on Exchange on-premises. Run the following command to look up the certificate that the authorization configuration currently points to and show its details.

[PS] C:\>(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 9/28/2026 10:25:25 PM
NotBefore          : 9/28/2021 10:25:25 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1B6BC2BD4BB4EFA848E6EE110E79241C
Services           : SMTP
Status             : Valid
Subject            : CN=Microsoft Exchange Server Auth Certificate
Thumbprint         : C4C5951857150DC2BC89E084DA51DB126A258C4F

If the Exchange Server Auth Certificate is expired, corrupt, or missing (the command above returns nothing, or the Status is not Valid), you need to renew it. In the next step, we will renew the Exchange Server Auth Certificate.
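The check above only looks at the server you are logged on to. OAuth breaks if any server in the organization is missing the current certificate or its private key, so the following script, added here as an example and not part of the original article, reports the certificate that Get-AuthConfig points to on every Mailbox server. It assumes you run it in Exchange Management Shell and that all servers are reachable; the 30-day warning threshold is an arbitrary choice.

```powershell
# Added example (not from the original article): report the OAuth certificate on every server.
# Run in Exchange Management Shell. Assumes all Mailbox servers are reachable from this shell.
$authConfig = Get-AuthConfig
$current    = $authConfig.CurrentCertificateThumbprint

"Current  : $current"
"Next     : $($authConfig.NextCertificateThumbprint) (effective $($authConfig.NextCertificateEffectiveDate))"
"Previous : $($authConfig.PreviousCertificateThumbprint)"

$report = foreach ($server in (Get-ExchangeServer | Where-Object { $_.IsMailboxServer })) {
    # Look for the current auth certificate in this server's certificate store.
    $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $current -ErrorAction SilentlyContinue
    if (-not $cert) {
        [pscustomobject]@{
            Server = $server.Name; Present = $false; HasPrivateKey = $null
            DaysLeft = $null; SelfSigned = $null; Status = 'Missing'
        }
        continue
    }
    [pscustomobject]@{
        Server        = $server.Name
        Present       = $true
        HasPrivateKey = $cert.HasPrivateKey          # without the key Exchange cannot sign tokens
        DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
        SelfSigned    = $cert.IsSelfSigned
        Status        = $cert.Status
    }
}
$report | Format-Table -AutoSize

# Flag anything that will break OAuth: missing certificate, missing private key,
# status other than Valid, or expiry within 30 days (threshold is an assumption).
$problems = $report | Where-Object {
    -not $_.Present -or -not $_.HasPrivateKey -or $_.Status -ne 'Valid' -or $_.DaysLeft -lt 30
}
if ($problems) {
    Write-Warning "Auth certificate $current needs attention on: $($problems.Server -join ', ')"
} else {
    "Auth certificate $current is valid on all servers."
}
```

If a server shows Present as False while the others are fine, wait for the certificate to be deployed (see the note on publishing below) or rerun Set-AuthConfig -PublishCertificate before you conclude the certificate is broken.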

Renew Microsoft Exchange Server Auth Certificate with PowerShell

Let’s have a look at the steps on how to renew Microsoft Exchange Server Auth Certificate. Run the below commands in Exchange Management Shell.

Note: Exchange will not let you remove the Auth Certificate while it is the current certificate in the authorization configuration. That's fine: once you have created and published a new Exchange Server Auth Certificate, the old one can be removed.

1. Create new Microsoft Exchange Server Auth Certificate

Create a new Microsoft Exchange Server Auth Certificate with the New-ExchangeCertificate cmdlet. The private key must be exportable so that Exchange can copy the certificate to the other Exchange Servers when you publish it; because this key signs the OAuth tokens your partner applications trust, protect it like any other signing key. If the cmdlet asks whether to overwrite the existing default SMTP certificate, press Y and press Enter.

[PS] C:\>New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: 'C4C5951857150DC2BC89E084DA51DB126A258C4F' (expires 9/28/2026 10:25:25 PM)
Replace it with certificate: '67D37D27B8D3583D5FAD32FC294E287D270E3297' (expires 9/29/2026 9:51:32 AM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

Thumbprint                                Services   Subject
----------                                --------   -------
67D37D27B8D3583D5FAD32FC294E287D270E3297  ....S..    CN=Microsoft Exchange Server Auth Certificate

Copy the new certificate thumbprint because you need it in the next step. In our case, it’s the certificate thumbprint that starts with 67D37D.

You can verify in Exchange Admin Center that the command created the new Microsoft Exchange Server Auth Certificate.

Note: New-ExchangeCertificate creates the certificate on the server where you run it (or on the server you pass with the Server parameter). Once you set it as the new certificate and publish it with Set-AuthConfig in the next step, Exchange deploys it to the other Exchange Servers in the organization, so you do not run New-ExchangeCertificate on each server.

Renew Microsoft Exchange Server Auth Certificate new

2. Set new certificate for server authentication

The Set-AuthConfig cmdlet modifies the authorization configuration that Exchange uses as a partner application for server-to-server (OAuth) authentication with other partner applications, such as Microsoft SharePoint 2013 and Microsoft Lync 2013 or Skype for Business Server 2015.

Paste the certificate thumbprint you copied in the previous step into the command. The NewCertificateEffectiveDate parameter sets the moment the new certificate takes over; the 48-hour window Exchange expects is there to give it time to deploy the certificate to all servers first. If you pass the current date and time, as below, you get a warning that the new effective date is not 48 hours in the future. Press Y and press Enter.

[PS] C:\>Set-AuthConfig -NewCertificateThumbprint "67D37D27B8D3583D5FAD32FC294E287D270E3297" -NewCertificateEffectiveDate (Get-Date)

Confirm
The new certificate effective date is not at least "48" hours in the future and may not be deployed on all necessary servers. Do you wish to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

The PublishCertificate switch specifies that the specified certificate be immediately rolled over as the current certificate. The certificate is deployed immediately to all Client Access servers.

[PS] C:\>Set-AuthConfig -PublishCertificate

The ClearPreviousCertificate switch clears the certificate saved as the previous certificate in the authorization configuration.

[PS] C:\>Set-AuthConfig -ClearPreviousCertificate

3. Restart Microsoft Exchange Service Host Service

Restart the Microsoft Exchange Service Host Service

[PS] C:\>Restart-Service "MSExchangeServiceHost"

4. Restart IIS (Internet Information Services)

Run the IISReset command to restart IIS.

[PS] C:\>iisreset

Another way is to recycle the Outlook on the web and EAC application pools.

[PS] C:\>Restart-WebAppPool "MSExchangeOWAAppPool"
[PS] C:\>Restart-WebAppPool "MSExchangeECPAppPool"

5. Remove old Microsoft Exchange Server Auth Certificate

Remove the old Microsoft Exchange Server Auth Certificate from the Exchange Admin Center or with PowerShell (Remove-ExchangeCertificate). Do this on all Exchange Servers, and only after Get-AuthConfig shows the new thumbprint as the current certificate on the organization.

After that, each Exchange Server holds exactly one Microsoft Exchange Server Auth Certificate: the new one.

Renew Microsoft Exchange Server Auth Certificate final result

6. Rerun Hybrid Configuration Wizard

In some environments, it may take an hour for the OAuth certificate to be published to all servers. If you have a hybrid setup, you also have to rerun the Hybrid Configuration Wizard so that the new certificate is registered in Azure Active Directory (Azure AD); until then, Exchange Online does not trust tokens signed with the new key, and OAuth between on-premises and Exchange Online fails.

Rerun Hybrid Configuration Wizard

7. Verify Microsoft Exchange Server Auth Certificate validity

Run the Exchange Server Health Checker script to verify that the Microsoft Exchange Server Auth Certificate status is valid.

Renew Microsoft Exchange Server Auth Certificate check
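Steps 1 to 5 and the verification in step 7, combined into one script. This is an added example, not the article's own procedure or Microsoft's; it uses the same cmdlets and parameters as the steps above. It assumes you run it in Exchange Management Shell on one server, that WinRM is available to the other Mailbox servers (for Invoke-Command), and that you still rerun the Hybrid Configuration Wizard by hand afterwards (step 6) if the organization is hybrid. The old certificate is removed only after every server has been confirmed to hold the new one with its private key.

```powershell
# Added example (not from the original article): renew the OAuth certificate end to end.
# Run in Exchange Management Shell on one server. Assumes WinRM access to the other
# Mailbox servers for Invoke-Command; rerun the Hybrid Configuration Wizard by hand afterwards.
$ErrorActionPreference = 'Stop'
$servers = Get-ExchangeServer | Where-Object { $_.IsMailboxServer } | Select-Object -ExpandProperty Name
$old     = (Get-AuthConfig).CurrentCertificateThumbprint

# 1. Create the new self-signed auth certificate (same parameters as step 1).
#    -Force suppresses the "overwrite the default SMTP certificate" prompt.
$new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "cn=Microsoft Exchange Server Auth Certificate" `
    -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @() -Force
if ($new.Thumbprint -eq $old) { throw "New certificate has the same thumbprint as the current one" }

# 2. Set it as the next certificate, effective immediately, then publish it and clear the previous one.
Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint -NewCertificateEffectiveDate (Get-Date) -Confirm:$false
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

# 3. and 4. Restart the Service Host and IIS on every server so they pick up the new key.
foreach ($s in $servers) {
    Invoke-Command -ComputerName $s -ScriptBlock {
        Restart-Service MSExchangeServiceHost
        iisreset | Out-Null
    }
}

# 7. Verify: the auth config points at the new thumbprint and every server holds it with a private key.
$cfg = Get-AuthConfig
if ($cfg.CurrentCertificateThumbprint -ne $new.Thumbprint) {
    throw "AuthConfig still points at $($cfg.CurrentCertificateThumbprint)"
}
$missing = foreach ($s in $servers) {
    $c = Get-ExchangeCertificate -Server $s -Thumbprint $new.Thumbprint -ErrorAction SilentlyContinue
    if (-not $c -or -not $c.HasPrivateKey) { $s }
}
if ($missing) {
    # Deployment to other servers can lag; do not remove the old certificate yet.
    throw "New auth certificate not deployed with private key on: $($missing -join ', '). Wait and rerun the check."
}

# 5. Only now remove the old certificate from every server that still has it.
if ($old) {
    foreach ($s in $servers) {
        if (Get-ExchangeCertificate -Server $s -Thumbprint $old -ErrorAction SilentlyContinue) {
            Remove-ExchangeCertificate -Server $s -Thumbprint $old -Confirm:$false
        }
    }
}
"Auth certificate rotated from $old to $($new.Thumbprint) on: $($servers -join ', ')"
```

The order matters: publishing and verifying before removing guarantees that no server is ever left without a certificate that can sign tokens, and the script stops (without deleting anything) if the new certificate has not reached every server yet.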

Read more: Renew certificate in Exchange hybrid »

Conclusion

We showed how to renew the Microsoft Exchange Server Auth Certificate. First, go through the steps as shown to renew the Auth Certificate. After that, you can remove the old Auth certificate. If you have an Exchange hybrid deployment, rerun the Hybrid Configuration Wizard. As always, verify that the new Microsoft Exchange Server Auth Certificate is valid by running the Exchange Health Checker script.


ALI TAJRAN


ALI TAJRAN is an IT Architect, IT Consultant, and Microsoft Certified Trainer.
