Hi, @JanakKhadka
Renewing your SSL certificate and ensuring that it's properly configured in your Exchange hybrid environment is a complex process indeed.
I try to give you some suggestions:
1.It is generally recommended to use separate SSL certificates for Mailbox servers and Edge servers. The main reason is enhanced security by isolating internal and external communication channels.
2.a. Certificate renewal on Mailbox servers: Import new SSL certificates on both Mailbox servers. Configure the service (IIS, SMTP, etc.) to use the new certificate. Verify certificate bindings and ensure that they match the expected service.
b. Certificate renewal on Edge Servers: Import new SSL certificates on both Edge Servers. Configure the Edge Transport service to use the new certificate. Verify that the certificate is correctly assigned to the SMTP service on the Edge Server.
3.If you renew or replace a certificate issued by a CA on an Edge Transport server that you have subscribed to, you will need to delete the old certificate and then delete and recreate the Edge subscription.
There are good guides that might help you Edge Subscriptions | Microsoft Learn
Update Edge Server Certificate in a Hybrid Exchange Environment – IT Blog (ldlnet.net)
4.Best practices for SSL management in hybrid settings
a. Use a centralized certificate management system to keep track of all SSL certificates, their expiration dates, and renewal processes. This helps prevent certificates from expiring and ensures timely updates. Second, always get an SSL certificate from a trusted certificate authority (CA). Avoid using self-signed certificates in production environments, as they can cause trust issues and security warnings.
b. Regularly monitoring the health and status of your SSL certificate can reduce the risk of certificate expiration.
c. Ensure that the SSL certificate uses a strong encryption algorithm and key length. Avoid using deprecated protocols and passwords to maintain a high level of security. Keep all systems, including servers and network equipment, up to date with the latest security patches and updates. This helps prevent vulnerabilities that can be exploited.
Similar cases for your reference: Renew / Revalidate certificate on Edge server and Exchange 2016 server - Microsoft Q&A
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".