Renew an Exchange Delegation Federation Certificate

Jerry Trimmer 21 Reputation points
2023-08-10T19:35:50.3+00:00

I recently noticed my Exchange Delegation Federation certificate is about to expire. I wanted to go ahead and renew it so Exchange wouldn't be barking at me about an expired certificate. I followed the procedures here https://learn.microsoft.com/en-us/exchange/renew-the-federation-certificate-exchange-2013-help#step-2-configure-the-new-certificate-as-the-federation-certificate and was able to complete Step 1 to create the certificate.

I then went to Step 2, "Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint <Thumbprint> -RefreshMetaData", entering the Thumbprint, but I got an error that says "Cannot update certificate until the federation trust is provisioned with STS."

We have a standalone Exchange 2019 server with no Federation Trust set up. I assume the certificate we have now must have come from back when we had Exchange Online. Since we don't have any Federation Trusts set up, can I go ahead and delete the two certificates (old and new), or is there a way to renew the certificate so it doesn't keep telling me it is expired?


4 answers

  1. Syed Shiraz Shahid 290 Reputation points
    2023-08-10T22:01:45.7266667+00:00

    Renewing a Federation Delegation Certificate for Exchange Server 2019 involves a few steps to ensure a smooth process. Here's a step-by-step guide:

    Step 1: Generate a Certificate Signing Request (CSR)

    Open the Exchange Management Shell.

    1. Run the following command to generate a CSR:
    
    # New-ExchangeCertificate -GenerateRequest has no -Path parameter; it returns the
    # Base64 request as text, which is then written to a file.
    $request = New-ExchangeCertificate -GenerateRequest -SubjectName "CN=Federation Delegation" -DomainName federation.domain.com -PrivateKeyExportable $true -KeySize 2048
    [System.IO.File]::WriteAllBytes("C:\FederationDelegation.csr", [System.Text.Encoding]::Unicode.GetBytes($request))
    

    Replace federation.domain.com with the appropriate domain name.

    The CSR will be saved to the specified path (e.g., C:\FederationDelegation.csr). Keep this file safe; you'll need it to obtain the renewed certificate.

    Step 2: Obtain the Renewed Certificate

    1. Submit the CSR to your preferred Certificate Authority (CA) or use a third-party CA service to obtain a renewed certificate.

    Step 3: Install the Renewed Certificate

    Once you receive the renewed certificate, open the Exchange Management Shell.

    1. Run the following command to install the renewed certificate:
    
    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\Path\To\RenewedCertificate.cer" -Encoding Byte -ReadCount 0)) -PrivateKeyExportable $true
    

    Replace "C:\Path\To\RenewedCertificate.cer" with the actual path to your renewed certificate file.

    1. Enable the certificate for Federation Delegation:
    
    Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services Federation
    

    Replace <Thumbprint> with the thumbprint of the renewed certificate.

    Step 4: Refresh Federation Metadata

    1. Update the Federation Trust with the new certificate's thumbprint. Run the following command:
    
    Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint <Thumbprint> -RefreshMetaData
    

    Replace <Thumbprint> with the thumbprint of the renewed certificate.

    Step 5: Test the Renewed Certificate

    1. Test the renewed certificate to ensure it's working as expected. You can use tools like the Microsoft Remote Connectivity Analyzer to verify federation functionality.

  2. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2023-08-10T23:11:36.1933333+00:00

    Hi I think you have two options:

    1. Start from the beginning and Create a new fed trust: https://learn.microsoft.com/en-us/exchange/configure-a-federation-trust-exchange-2013-help
    2. Delete the almost expired federation certs and leave it at that.

    If you do not need the federation trust, then 2 is prob ok. But if it still throws errors or irritates, then go with Step 1.

    The OAuth cert is a different issue. Do not let that one expire:

    https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired

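Added example for this thread, not code from any of the answers above: a PowerShell script for the Exchange Management Shell that puts the two options from the previous answer behind one check. It inventories the certificates Exchange knows about, marks which are federation certificates and which is the OAuth auth certificate reported by Get-AuthConfig, then either points an existing federation trust at the newest unexpired federation certificate or, when Get-FederationTrust returns nothing (the situation in the question, and the cause of the "provisioned with STS" error), removes the federation certificates with -WhatIf on by default. The script parameters -Remove and -WarnDays, and the fallback match on the friendly name "Exchange Delegation Federation", are assumptions made for this example; the cmdlets and their parameters are standard Exchange ones.

```powershell
# Added example for this thread, not code from any of the answers.
# Run in the Exchange Management Shell on the Exchange 2019 server.
# -Remove and -WarnDays are names chosen for this example; the cmdlets are standard Exchange ones.
param(
    [switch]$Remove,        # without this, Remove-ExchangeCertificate runs with -WhatIf (dry run)
    [int]$WarnDays = 30     # flag certificates that expire within this many days
)

$now   = Get-Date
$certs = @(Get-ExchangeCertificate)

# Federation certificates: the Services flag is authoritative; the friendly name Exchange gives
# the self-signed federation certificate is a fallback for a cert whose flag was never set.
$fedCerts  = @($certs | Where-Object {
    $_.Services.ToString() -match 'Federation' -or
    $_.FriendlyName -eq 'Exchange Delegation Federation'    # assumed friendly name
})
$fedThumbs = @($fedCerts | ForEach-Object { $_.Thumbprint })

# The OAuth (auth) certificate is unrelated to federation and must survive whatever we do here.
$auth      = Get-AuthConfig
$protected = @(@($auth.CurrentCertificateThumbprint,
                 $auth.PreviousCertificateThumbprint,
                 $auth.NextCertificateThumbprint) | Where-Object { $_ })

# Set-FederationTrust fails with "Cannot update certificate until the federation trust is
# provisioned with STS" when no trust exists, so check for one before trying to renew.
$trust = @(Get-FederationTrust -ErrorAction SilentlyContinue)

# Inventory with the flags a practitioner cares about.
foreach ($c in $certs) {
    $daysLeft = [int]($c.NotAfter - $now).TotalDays
    $flags = @()
    if ($fedThumbs -contains $c.Thumbprint) { $flags += 'FEDERATION' }
    if ($protected -contains $c.Thumbprint) { $flags += 'OAUTH' }
    if ($daysLeft -lt $WarnDays)            { $flags += "EXPIRES-IN-${daysLeft}d" }
    '{0}  {1,-45}  {2:yyyy-MM-dd}  {3}' -f $c.Thumbprint, $c.Subject, $c.NotAfter, ($flags -join ',')
}

if ($trust.Count -gt 0) {
    # Option 1 (trust exists): make the newest unexpired federation certificate the trust's
    # next certificate. Roll over later with Set-FederationTrust -PublishFederationCertificate,
    # as in the Microsoft renewal procedure linked in the question.
    $newest = $fedCerts | Where-Object { $_.NotAfter -gt $now } |
              Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $newest) {
        Write-Warning 'Trust exists but no unexpired federation certificate was found; create one first.'
    } else {
        Set-FederationTrust -Identity $trust[0].Name -Thumbprint $newest.Thumbprint -RefreshMetadata
    }
}
else {
    # Option 2 (no trust): the federation certificates serve nothing, so remove them, but only
    # if they are not the OAuth certificate and not bound to any other service (IIS, SMTP, ...).
    foreach ($c in $fedCerts) {
        $svc = $c.Services.ToString()
        if ($protected -contains $c.Thumbprint) {
            Write-Warning "Keeping $($c.Thumbprint): it is the OAuth auth certificate."
        } elseif ($svc -match 'IIS|SMTP|IMAP|POP|UM') {
            Write-Warning "Keeping $($c.Thumbprint): also bound to $svc."
        } else {
            Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -Confirm:$false -WhatIf:(-not $Remove)
        }
    }
}
```

Run it once without parameters to see the inventory and the "What if:" lines for any removal it would perform; run it again with -Remove only after confirming that no line flagged OAUTH is among the candidates. The OAuth certificate check is there because, as the previous answer notes, letting that certificate expire breaks OWA and ECP, and a cleanup of expired federation certificates is exactly when it is easy to delete the wrong one.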

  3. Michael Scheidler 1 Reputation point
    2024-05-09T21:00:14.04+00:00

    I attempted to update the Federation Trust with the new certificate's thumbprint, and I receive the following error:
    "Cannot update certificate until the federation trust is provisioned with STS."

    Thanks in advance!


  4. Deleted

