Exchange Delegation Federation certificate expired

Joshua Thompson 201 Reputation points

My Exchange Delegation Federation certificate on my Exchange 2016 on-premises server has expired.
We have a hybrid setup with Exchange online.

Other than some test mailboxes on the on-premises Exchange 2016 all main mailboxes live on Exchange online.

What is this expired cert used for?
Do I need to renew it?

It has been expired for two weeks and I am not noticing any issues.

I would like to better understand its purpose and use.

  1. Andy David - MVP 137.9K Reputation points MVP

    Well the hybrid configuration depends on it and is used essentially for free/busy sharing between your on-prem org and Exchange Online.

    With all your mailboxes in ExO, you haven't noticed it however :)

    If you re-run the Hybrid Wizard it will look for a valid Federation Cert and throw an error if one doesn't exist.

    Of course there is no absolute requirement to have it in your scenario, but it wouldn't hurt to create a new one and clean that up either, and it's pretty easy to do.


  2. Joyce Shen - MSFT 16,626 Reputation points

    Hi @Joshua Thompson , as said above, the expiration of the federation certificate may cause the issue of being unable to retrieve free/busy and calendar information between the two environments.

    If the federation certificate has already expired, you need to remove all federated domains from the federation trust, and then remove and recreate the federation trust. If you have multiple federated domains, you need to identify the primary shared domain so you can remove it last.

    The main steps are listed below:

    1. Document the existing trust settings (federated domains, federation settings)
    2. Force remove each federated domain from the federation
    3. Remove the federation trust
    4. Wait for AD replication
    5. Create a new self-signed federation certificate
    6. Create a new federation trust
    7. Update the trust organisation information
    8. Configure the required settings in the trust (as per the documentation you created in step 1)
    9. Wait for AD replication
    10. Test the certificate and trust (Test-FederationTrustCertificate, Test-FederationTrust) – it can take 12-48 hours before the trust reports as being no longer expired!
    11. Add each of the federated domains back into the trust (this will involve generating domain ‘Proof’ entries and adding them to your external DNS, then waiting for DNS propagation)

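As an added example that is not part of the answer above, the same procedure expressed as Exchange Management Shell commands. The domain names, the trust name, the test mailbox and the public resolver address are assumed placeholders; note that the primary domain's proof TXT record has to be in external DNS before the organization identifier can be set, so that part of step 11 is pulled forward in the script.

```powershell
# Added example (not from the thread): the step list above as Exchange Management Shell commands.
# Assumptions: the primary shared domain is contoso.com, one extra federated domain sales.contoso.com,
# and the trust uses the default name "Microsoft Federation Gateway". Run on an Exchange 2016 server.
$primaryDomain    = 'contoso.com'
$secondaryDomains = @('sales.contoso.com')   # take the real list from step 1's output
$trustName        = 'Microsoft Federation Gateway'

# Step 1: record the current trust and organization identifier before removing anything.
Get-FederationTrust | Format-List
Get-FederatedOrganizationIdentifier | Format-List AccountNamespace, Domains, DefaultDomain, Enabled

# Step 2: remove every federated domain, the primary (AccountNamespace) domain last.
foreach ($d in $secondaryDomains) { Remove-FederatedDomain -DomainName $d -Force }
Remove-FederatedDomain -DomainName $primaryDomain -Force

# Steps 3-4: drop the trust, then let AD replicate before creating the new one.
Remove-FederationTrust -Identity $trustName -Confirm:$false
Start-Sleep -Seconds 900   # adjust to your site's replication interval

# Step 5: new self-signed federation certificate; the private key must be exportable
# so the certificate can be distributed to the other Exchange servers.
$cert = New-ExchangeCertificate -FriendlyName 'Exchange Delegation Federation' `
    -DomainName $primaryDomain -Services Federation -PrivateKeyExportable $true -KeySize 2048

# Step 6: new trust with the Microsoft Federation Gateway using that certificate.
New-FederationTrust -Name $trustName -Thumbprint $cert.Thumbprint

# Step 7 needs the primary domain's proof TXT record in external DNS first (the "Proof"
# entries of step 11): generate it, publish it, and confirm it resolves from a public resolver.
Get-FederatedDomainProof -DomainName $primaryDomain | Format-List
Read-Host "Publish the TXT record for $primaryDomain, then press Enter"
Resolve-DnsName -Name $primaryDomain -Type TXT -Server 8.8.8.8 | Format-List Strings

# Steps 7-9: set the organization identifier, restore the settings documented in step 1,
# and allow AD replication again before testing.
Set-FederatedOrganizationIdentifier -DelegationFederationTrust $trustName `
    -AccountNamespace $primaryDomain -Enabled $true

# Step 10: verify the certificate and trust; the trust can take 12-48 hours to report healthy.
Test-FederationTrustCertificate
Test-FederationTrust -UserIdentity "test.user@$primaryDomain"   # an on-premises test mailbox

# Step 11: add the remaining domains, each after its own proof record has propagated.
foreach ($d in $secondaryDomains) {
    Get-FederatedDomainProof -DomainName $d | Format-List
    Read-Host "Publish the TXT record for $d, then press Enter"
    Add-FederatedDomain -DomainName $d
}
```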

  3. Joshua Thompson 201 Reputation points

    Thank you both for the reply.

    Will running through these steps impact mail flow at all?

  4. Angel Castillo 31 Reputation points

    @Andy David - MVP can you please look at my previous post and give me some guidance on this? I've also seen other posts in other places similar to my scenario and they were successful at removing the trust from their Exchange Admin Center and recreating it which updated everything with the new cert and all is good. I'm hoping my case is the same and that I can follow those steps as well.
