Renew / Revalidate certificate on Edge server and Exchange 2016 server

Leul Alemayehu 1 Reputation point
2023-01-31T20:42:38.21+00:00

We are going to revalidate the certificate on our Edge server and Exchange 2016 server. From my understanding, here are the steps:

  1. Get new certificate from 3rd party cert authority
  2. Install new certificate on Edge server and bind with SMTP service by running:
    a. Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\Certs\filename.cer -Encoding Byte -ReadCount 0))
    b. Enable-ExchangeCertificate -Thumbprint <THUMBPRINT> -Services SMTP
  3. Remove existing Edge Subscriptions on EdgeServer and Exchange2016 (Remove-EdgeSubscription "servername")
  4. Create new Edge subscriptions by running New-EdgeSubscription -FileName c:\edge2023.xml
  5. Copy c:\edge2023.xml to Exchange2016
  6. Run New-EdgeSubscription -FileData ([Byte[]]$(Get-Content -Path "c:\edge2023.xml" -Encoding Byte -ReadCount 0)) -Site "SiteName"
  7. In Exchange2016 EAC, select the new certificate and assign to IIS and SMTP.

Questions:

  1. Are steps above correct?
  2. Do we need to install the new certificate on Exchange2016 first, before importing the new certificate on the Edge server and creating new Edge subscriptions?
  3. Do the Edge server and Exchange2016 use the same certificate, meaning the certificate on both servers has the same thumbprint?
  4. When creating Edge Subscriptions, and since the connectors already exist, should we run the command below to skip building new connectors? New-EdgeSubscription -FileName c:\subscription_2023.xml -Site <SITE_NAME> -CreateInternetSendConnector $false -CreateInboundSendConnector $false
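The renewal procedure above, written out as a checked Exchange Management Shell script. This is an added example, not code from the original post or from Microsoft's documentation: every path, server name, site name and DNS name is a placeholder, and Test-RenewalCertificate and Test-SameIssuerAndSubject are helper functions written here rather than Exchange cmdlets. It adds the checks a practitioner would want before cutting over: that the imported certificate is valid, carries its private key and actually covers the external SMTP name; that the expiring certificate is removed from the Edge before the subscription is rebuilt; that the new subscription keeps the existing Send connectors; and that EdgeSync reports a healthy state afterwards.

```powershell
# Added example (not from the original post). Run the EDGE section in the
# Exchange Management Shell on the Edge Transport server and the MAILBOX
# section on the Exchange 2016 Mailbox server. Windows PowerShell is assumed
# (Get-Content -Encoding Byte does not exist in PowerShell 7).

# ----- Placeholders (assumptions, replace with your own values) -----
$CerPath          = 'C:\Certs\new-smtp-cert.cer'   # placeholder: CA-issued certificate file
$SubscriptionFile = 'C:\edge2023.xml'              # placeholder: subscription file from the Edge
$SiteName         = '<SITE_NAME>'                  # placeholder: AD site of the Mailbox server
$EdgeServer       = '<EDGE_SERVER_NAME>'           # placeholder: Edge Transport server name
$ExternalName     = 'mail.example.com'             # placeholder: external SMTP FQDN on the certificate

# Helper (written here): returns a list of reasons the certificate is unfit, empty when it is fine.
function Test-RenewalCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$ExternalName
    )
    $cert     = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $problems = @()
    if ($cert.Status -ne 'Valid')                     { $problems += "status is '$($cert.Status)', not Valid (chain or revocation problem)" }
    if (-not $cert.HasPrivateKey)                     { $problems += 'has no private key; complete the pending request or import a PFX instead' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30))    { $problems += "expires on $($cert.NotAfter), within 30 days" }
    # -DomainName matches wildcard and SAN entries, so this also accepts *.example.com certificates.
    $covers = Get-ExchangeCertificate -DomainName $ExternalName | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $covers)                                 { $problems += "does not cover $ExternalName" }
    return $problems
}

# Helper (written here): the Edge and Mailbox certificates need the same issuing CA and subject.
function Test-SameIssuerAndSubject {
    param([Parameter(Mandatory)]$EdgeCert, [Parameter(Mandatory)]$MailboxCert)
    return ($EdgeCert.Issuer -eq $MailboxCert.Issuer) -and ($EdgeCert.Subject -eq $MailboxCert.Subject)
}

# ===== EDGE TRANSPORT SERVER =====
# Record the certificate currently bound to SMTP for this name BEFORE importing, so the
# old and new thumbprints are never confused.
$old = Get-ExchangeCertificate |
    Where-Object { ($_.Services -match 'SMTP') -and ($_.Subject -like "*$ExternalName*") }

$new = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $CerPath -Encoding Byte -ReadCount 0))
$issues = Test-RenewalCertificate -Thumbprint $new.Thumbprint -ExternalName $ExternalName
if ($issues) { throw "New certificate rejected: $($issues -join '; ')" }

# -Force suppresses the prompt about replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP -Force

# Remove the expiring certificate before rebuilding the subscription, so EdgeSync is
# created against the new one only.
if ($old) { Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false }

Remove-EdgeSubscription -Identity $EdgeServer -Confirm:$false
New-EdgeSubscription -FileName $SubscriptionFile
# Keep these two values; they are compared against the Mailbox certificate below.
$new | Select-Object Thumbprint, Issuer, Subject, NotAfter
# ...copy $SubscriptionFile to the Mailbox server by an out-of-band method...

# ===== EXCHANGE 2016 MAILBOX SERVER =====
# Values copied from the Edge output above (placeholders).
$edgeCert = [pscustomobject]@{ Issuer = '<EDGE_ISSUER>'; Subject = '<EDGE_SUBJECT>' }

$mbxNew = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $CerPath -Encoding Byte -ReadCount 0))
$issues = Test-RenewalCertificate -Thumbprint $mbxNew.Thumbprint -ExternalName $ExternalName
if ($issues) { throw "New certificate rejected: $($issues -join '; ')" }
if (-not (Test-SameIssuerAndSubject -EdgeCert $edgeCert -MailboxCert $mbxNew)) {
    throw 'Edge and Mailbox certificates must share the same issuing CA and subject'
}
# Step 7 of the procedure done from the shell instead of the EAC.
Enable-ExchangeCertificate -Thumbprint $mbxNew.Thumbprint -Services IIS,SMTP -Force

# Old subscription first, then the new one, keeping the existing Send connectors.
Remove-EdgeSubscription -Identity $EdgeServer -Confirm:$false
New-EdgeSubscription -FileData ([Byte[]]$(Get-Content -Path $SubscriptionFile -Encoding Byte -ReadCount 0)) `
    -Site $SiteName -CreateInternetSendConnector $false -CreateInboundSendConnector $false

# Force a sync and verify it, rather than waiting for the next scheduled run.
Start-EdgeSynchronization | Out-Null
$sync = Test-EdgeSynchronization -FullCompareMode
$sync | Format-List Name, SyncStatus, LastSynchronizedUtc, FailureDetail
if ($sync | Where-Object { $_.SyncStatus -ne 'Normal' }) { throw 'EdgeSync is not healthy; see FailureDetail above' }
```

The script deliberately captures the old SMTP certificate before the import and throws on any check failure, so a bad file or a mismatched subject stops the run before the subscription is removed and mail flow is affected. The Start-/Test-EdgeSynchronization pair at the end is the evidence that the new subscription works; the -FullCompareMode switch compares every synchronized object rather than just the sync cookie.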

2 answers

  1. Cosmo_Cat 5 Reputation points
    2023-03-17T19:24:26.9366667+00:00

    I believe when you try to use the same certificate on Edge that you have installed on your on-prem mailbox server, it will fail. The certificate on Edge must be issued from the same CA and have the same subject name as the cert on the mailbox server, but they must be different certificates.

    See: https://learn.microsoft.com/en-us/exchange/certificate-requirements

    "Each Edge transport server must use a certificate that shares the same issuing CA and the same subject for hybrid secure mail to function correctly."

    You can use one certificate on multiple Edge servers with a SAN that includes the external DNS names used for them all.

    1 person found this answer helpful.

  2. Yuki Sun-MSFT 41,316 Reputation points Microsoft External Staff
    2023-02-01T07:20:42.0533333+00:00

    Hi @Leul Alemayehu,

    1. Are steps above correct?
    2. Do we need to install the new certificate on Exchange2016 first, before importing the new certificate on the Edge server and creating new Edge subscriptions?
    3. Do the Edge server and Exchange2016 use the same certificate, meaning the certificate on both servers has the same thumbprint?
    4. When creating Edge Subscriptions, and since the connectors already exist, should we run the command below to skip building new connectors? New-EdgeSubscription -FileName c:\subscription_2023.xml -Site <SITE_NAME> -CreateInternetSendConnector $false -CreateInboundSendConnector $false
    1. Yes, the steps are correct in general. Just note that you would need to remove the old certificate from Edge before deleting and recreating the subscription. See Renew an Exchange Server certificate.
    2. I don't see it mentioned anywhere in official documents about the order so I assume either is ok. But personally I'd suggest starting from the Exchange server.
    3. It's not necessary, but as far as I know, yes, you can use the same certificate on both Exchange2016 and the Edge server.
    4. Yes. Below is an article for reference:
      SMTP certificate renewal and EDGE subscription
      (Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

