Renew the federation certificate
[This topic is prerelease documentation and is subject to change in future releases. Blank topics are included as placeholders. If you have feedback, we'd love to hear it! Email us at ExchangeHelpFeedback@microsoft.com.]
Summary: Learn how to update or replace the federation certificate that's used in a federation trust in Exchange 2016.
This topic explains how to update the self-signed federation certificate that's used in a federation trust:
If the federation certificate hasn't expired, follow the steps in the Update a working federation certificate section.
If the federation certificate has already expired, follow the steps in the Replace an expired federation certificate section.
For more information about federation trusts and federation, see Federation.
What do you need to know before you begin?
Estimated time to complete: 10 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Federation and certificates" entry in the Exchange infrastructure and PowerShell permissions topic.
The procedures in this topic use the Exchange Management Shell. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
To see whether your existing federation certificate has expired, run the following command in the Exchange Management Shell:
Get-ExchangeCertificate -Thumbprint (Get-FederationTrust).OrgCertificate.Thumbprint | Format-Table -Auto Thumbprint,NotAfter
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
Warning
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.
Update a working federation certificate
If the federation certificate hasn't expired, you can update the existing federation trust with a new federation certificate.
Step 1: Create a new federation certificate
Run the following command in the Exchange Management Shell to create a new federation certificate:
$SKI = [System.Guid]::NewGuid().ToString("N"); New-ExchangeCertificate -DomainName 'Federation' -FriendlyName "Exchange Delegation Federation" -Services Federation -SubjectKeyIdentifier $SKI -PrivateKeyExportable $true
For detailed syntax and parameter information, see New-ExchangeCertificate.
The command output contains the thumbprint value of the new certificate. You'll need this value in the remaining steps, and you can copy it directly from the Exchange Management Shell window:
Right-click anywhere in the Exchange Management Shell window, and select Mark in the dialog that appears.
Select the thumbprint value, and then press ENTER.
For the other procedures in this topic, we'll use the federation certificate thumbprint value 6A99CED2E4F2B5BE96C5D17D662D217EF58B8F73. Your certificate thumbprint value will be different.
Step 2: Configure the new certificate as the federation certificate
To use the Exchange Management Shell to configure the new certificate as the federation certificate, use the following syntax:
Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint <Thumbprint> -RefreshMetaData
This example uses the certificate thumbprint value 6A99CED2E4F2B5BE96C5D17D662D217EF58B8F73 from Step 1.
Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint 6A99CED2E4F2B5BE96C5D17D662D217EF58B8F73 -RefreshMetaData
For detailed syntax and parameter information, see Set-FederationTrust.
Note: The command output contains a warning that you need to update the proof of domain ownership TXT record in DNS. You'll do that in the next step.
Step 3: Update the federation proof of domain ownership TXT record in external DNS
You can safely perform this step now, because the proof of domain ownership TXT record is only checked during activation (Step 5). However, after you update the TXT record, and before you continue to the next step, you need to allow time for the updated TXT record to propagate (based on the time to live (TTL) value of the DNS record).
Find the values for the required TXT record by running the following command in the Exchange Management Shell:
Get-FederatedDomainProof -DomainName <Domain> | Format-List Thumbprint,Proof
For example, if your federated domain is contoso.com, run the following command:
Get-FederatedDomainProof -DomainName contoso.com | Format-List Thumbprint,Proof
The command output looks like this:
Thumbprint : <new certificate thumbprint> (for example, 6A99CED2E4F2B5BE96C5D17D662D217EF58B8F73)
Proof      : <new hash text> (for example, znMfbkgSbOQSsWFdsW+gm3to0nZSdE3zbcPPHGVAqdgsLFGsCPuLHiyVbKoPmgyZKX90NH2g1PbCZH0YTQF6oA==)

Thumbprint : <old certificate thumbprint> (for example, CC9BC204BB4DC60D06FC1F10F3C373DC785DA2A5)
Proof      : <old hash text> (for example, m4gZX7OLr9iOWYJMVjEklQpoSkPb5hSbcFjD7Q3/vsqmdJ2Z+HcSt7j5pzBKFmEW2s27JYr3xsK2POzAI/8Ffw==)

Note that the command output returns information for two proof of domain ownership records: one for the new certificate, and one for the current certificate that you're replacing. You can tell which is which by the thumbprint value, and by the hash text value that's configured in the current proof of domain ownership TXT record in your external (public) DNS.
Update the federation proof of domain ownership TXT record in your external DNS. The instructions will vary based on your DNS provider, but you can edit the current TXT record to replace the current hash text value with the new hash text value. For more information, see the Exchange Online section in External Domain Name System records for Office 365.
Step 4: Verify the distribution of the new federation certificate to all Exchange servers
Exchange automatically distributes the new federation certificate to all servers, but we need to verify the distribution before we can proceed.
To use the Exchange Management Shell to verify the distribution of the new federation certificate, run the following command:
$Servers = Get-ExchangeServer; $Servers | foreach {Get-ExchangeCertificate -Server $_ | Where {$_.Services -match 'Federation'}} | Format-List Identity,Thumbprint,Services,Subject
Note: In Exchange 2010, the output of the Test-FederationCertificate cmdlet contains server names. The output of the cmdlet in Exchange 2013 or later doesn't include server names.
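The following PowerShell script is an added example, not part of the original article. It is a gate check to run after Step 4 and before activation in Step 5: it confirms that the public TXT record already carries the proof for the new certificate (Step 3) and that every Exchange server reports the new certificate (Step 4). The thumbprint and domain are placeholders; Resolve-DnsName and the public resolver address 8.8.8.8 are assumptions not taken from the article.

```powershell
# Added example (not from the original article). Pre-activation gate for Steps 3 and 4.
# Placeholders: replace with the thumbprint from Step 1 and your federated domain.
$NewThumbprint = '6A99CED2E4F2B5BE96C5D17D662D217EF58B8F73'
$Domain        = 'contoso.com'

# This path only applies while the current federation certificate is still valid.
$Current = Get-ExchangeCertificate -Thumbprint (Get-FederationTrust).OrgCertificate.Thumbprint
if ($Current.NotAfter -lt (Get-Date)) {
    throw "Current federation certificate expired $($Current.NotAfter); use the 'Replace an expired federation certificate' procedure instead."
}

# Step 3: the proof computed for the NEW thumbprint must be the string now published in public DNS.
# Query a public resolver (assumed: 8.8.8.8) rather than internal DNS, so a stale internal
# cache cannot hide a record that has not yet propagated.
$ExpectedProof = (Get-FederatedDomainProof -DomainName $Domain |
                  Where-Object { $_.Thumbprint -eq $NewThumbprint }).Proof
$PublishedTxt  = Resolve-DnsName -Name $Domain -Type TXT -Server 8.8.8.8 -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'TXT' } |
                 ForEach-Object { -join $_.Strings }   # long TXT values arrive as several 255-byte strings
$DnsReady = $PublishedTxt -contains $ExpectedProof

# Step 4: list servers that do not yet hold the new certificate with the Federation service enabled.
$Missing = foreach ($Server in Get-ExchangeServer) {
    $OnServer = Get-ExchangeCertificate -Server $Server.Name -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $NewThumbprint -and $_.Services -match 'Federation' }
    if (-not $OnServer) { $Server.Name }
}

if ($DnsReady -and -not $Missing) {
    Write-Output "Ready for Step 5: TXT proof published and $NewThumbprint present on all servers."
} else {
    if (-not $DnsReady) { Write-Warning "Public TXT record for $Domain does not yet contain the new proof; wait for the TTL to expire and re-check." }
    if ($Missing)       { Write-Warning "Certificate $NewThumbprint not yet present on: $($Missing -join ', ')" }
}
```

Run it in the Exchange Management Shell; activation in Step 5 should wait until it reports ready, because the proof is only validated at activation time.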
Step 5: Activate the new federation certificate
To use the Exchange Management Shell to activate the new federation certificate, run the following command:
Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
For detailed syntax and parameter information, see Set-FederationTrust.
Note: The command output contains a warning that you need to update the proof of domain ownership TXT record in DNS (which you already did in Step 3).
How do you know this worked?
To verify that you've successfully updated the existing federation trust with a new federation certificate, use these steps:
In the Exchange Management Shell, run the following command to verify that the new certificate is being used:
Get-FederationTrust | Format-List *priv*
The OrgPrivCertificate property should contain the thumbprint of the new federation certificate.
The OrgPrevPrivCertificate property should contain the thumbprint of the old (replaced) federation certificate.
In the Exchange Management Shell, replace <user's email address> with the email address of a user in your organization, and run the following command to verify that the federation trust is working:
Test-FederationTrust -UserIdentity <user's email address>
Replace an expired federation certificate
If the federation certificate has already expired, you need to remove all federated domains from the federation trust, and then remove and recreate the federation trust.
If you have multiple federated domains, you need to identify the primary shared domain so you can remove it last. To use the Exchange Management Shell to identify the primary shared domain and all federated domains, run the following command:
Get-FederatedOrganizationIdentifier | Format-List AccountNamespace,Domains
The value of the AccountNamespace property contains the primary shared domain in the format FYDIBOHF25SPDLT.<primary shared domain>. For example, in the value FYDIBOHF25SPDLT.contoso.com, contoso.com is the primary shared domain.
Remove each federated domain that isn't the primary shared domain by running the following command in the Exchange Management Shell:
Remove-FederatedDomain -DomainName <domain> -Force
After you've removed all other federated domains, remove the primary shared domain by running the following command in the Exchange Management Shell:
Remove-FederatedDomain -DomainName <domain> -Force
Remove the federation trust by running the following command in the Exchange Management Shell:
Remove-FederationTrust "Microsoft Federation Gateway"
Recreate the federation trust. For instructions, see Create a federation trust.