regenerate Microsoft Exchange Server Auth Certificate in a hybrid environment

Question

regenerate Microsoft Exchange Server Auth Certificate in a hybrid environment

pazzoide76 301

Hello,
currently i have a hybrid infrastructure consisting of exchange 2016 standard with cu20.
I wanted to install the cu21 and the July 2021 security patch on the exchange.
Looking at the instructions on how to install the patch (https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421) I saw that you need to verify that the Microsoft Exchange Server Auth Certificate is valid.
Looking from the ecp it tells me that the certificate expired on 06/08/2021.
But at the moment I am able to enter both the owa and the ecp
So before proceeding with the installation of the July cu21 + security patch I would like to proceed to regenerate it.
I found this procedure https://byronwright.blogspot.com/2018/05/expired-microsoft-exchange-server-auth.html which is not official microsoft and ecp is used.
Alternatively I found the official microsoft one https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired.
In the official microsoft procedure there is a note that says:
Change the value of the DomainName parameter in the example (contoso.com) to the SMTP domain that's used in your organization.
Since I have multiple smtp domains which one should I use? The default one?
Does the regeneration of the Microsoft Exchange Server Auth Certificate impact the hybrid infrastructure?

Thank you

Greetings

Accepted answer

0 additional answers

Your answer

Answer 1

Yuki Sun-MSFT 41,376 Moderator

Hi @pazzoide76 ,

Since I have multiple smtp domains which one should I use? The default one?

According to this document, the DomainName parameter is corresponding to the Subject Alternative Name field of the certificate request or self-signed certificate. So we can have a check from the ecp and see what is(are) included in the Subject Alternative Name field of the old Microsoft Exchange Server Auth Certificate, then use the same value(s) when creating the new certificate:

Does the regeneration of the Microsoft Exchange Server Auth Certificate impact the hybrid infrastructure?

As mentioned in this official article you shared above, for hybrid environment, you would need to rerun the Hybrid Configuration Wizard to update the changes to Azure Active Directory (Azure AD). Otherwise according to what I've seen in other threads, the end users might encouter issues like cannot see free/busy info.

In addition, regarding to the note that "it may take an hour for the OAuth certificate to be published" included in the screenshot above, as discussed in this feedback of the document, it may take several more hours due to the timezone issue.

If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

pazzoide76 301 Reputation points

2021-08-05T07:12:54.013+00:00

Thank you,
of the answer.
I have looked at the subject alternative Names field of my certificate and it is empty and I cannot understand why.

So I would like to understand how to resolve the situation.
Also I wanted to understand if I have to wait for the OAuth certificate to be published before running Hybrid Configuration Wizard.

Thank you

Greetings
Yuki Sun-MSFT 41,376 Reputation points Moderator

2021-08-05T08:39:06.22+00:00
Hi @pazzoide76 ,

Considering that here's a public forum, I've edited the screenshot you shared above to remove the web address part which includes your domain name so as to protect the personal information.

As per your concerns about the empty Subject alternative Names field of the expired certificate, as far as I know, this is expected if it's still the original certificate created automatically with the installation of Exchange server, or the certificate was last renewed by clicking the Renew button in EAC. I tried searching a lot about this but cannot find an official document explictly stating what are actually used in this scenario. Also according to my test, the DomainName parameter cannot be omitted when manually creating a new OAuth certificate using the command. Given this, I would recommend including all the SMTP domains you are using in your scenario and separating them by commas . For example:

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName contoso.com,domain.name

Also I wanted to understand if I have to wait for the OAuth certificate to be published before running Hybrid Configuration Wizard.

Yes, run HCW again after the OAuth certificate is published.
pazzoide76 301 Reputation points

2021-08-05T09:25:52.66+00:00

thank you so much for the support
pazzoide76 301 Reputation points

2021-08-05T15:20:31.02+00:00

Hello,
another question.
To regenerate the certificate I have found two procedures.
The first is this https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired
The second is this https://www.nucleustechnologies.com/blog/resolve-the-auth-certificate-missing-error-in-exchange-2016-2013/
Are they equivalent?
Yuki Sun-MSFT 41,376 Reputation points Moderator

2021-08-06T01:51:40.067+00:00

Hi @pazzoide76 ,

Although there are some slight difference between the two links, the overall procedure are almost identical. But I would suggest following the steps in the first article as that's the officially recommended procedure and also seems more complete to me.

If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
pazzoide76 301 Reputation points

2021-08-06T09:34:48.273+00:00

Hello,
thanks for your answer.
I tried to carry out the official microsoft procedure but in my opinion one step is missing.
After launching the New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $ true -SubjectName "cn = Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName contoso.com command I am asked if I want to overwrite the certificate.
Looking at the thumbprint that is proposed, it is not the one relating to the old Microsoft Exchange Server Auth Certificate but to the Microsoft Exchange self signed certificate and therefore in my opinion it should not be replaced.
I'm wrong?
Yuki Sun-MSFT 41,376 Reputation points Moderator

2021-08-06T10:10:58.553+00:00

Hi @pazzoide76 ,

Yes, you're correct. Choose "N" when prompted to overwrite the certificate.

If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
pazzoide76 301 Reputation points

2021-08-06T15:00:45.46+00:00

Hello,
thanks for your answer.
I set up a laboratory to test the procedure.
At the end of the procedure I have a new Microsoft Exchange Server Auth Certificate which is valid and the old certificate which is no longer valid.
Can the old certificate be removed from the ecp by doing the delete (the trash button)?
If I don't delete it, does it create any problems?
Yuki Sun-MSFT 41,376 Reputation points Moderator

2021-08-09T02:00:17.527+00:00

Hi @pazzoide76 ,

Can the old certificate be removed from the ecp by doing the delete (the trash button)?

Yes, the old certificate can be removed directly.

If I don't delete it, does it create any problems?

No. Normally it won't cause any problems if you don't delete it as it's already an invalid certificate. But I would just remove the old one since it's not useful any more.

If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Share via

regenerate Microsoft Exchange Server Auth Certificate in a hybrid environment

0 additional answers

Your answer