Renew the federation certificate

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders for content. If you have feedback, we'd love to hear it! Send email to ExchangeHelpFeedback@microsoft.com.]

Summary: Learn how to update or replace the federation certificate that's used in a federation trust in Exchange 2016.

This topic explains how to update the self-signed federation certificate that's used in a federation trust:

  • If the federation certificate hasn't expired, follow the steps in the Update a working federation certificate section.

  • If the federation certificate has already expired, follow the steps in the Replace an expired federation certificate section.

For more information about federation trusts and federation, see Federation.

What do you need to know before you begin?

  • Estimated time to complete: 10 minutes.

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Federation and certificates" entry in the Exchange infrastructure and PowerShell permissions topic.

  • The procedures in this topic use the Exchange Management Shell. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.

  • To see if your existing federation certificate has expired, run the following command in the Exchange Management Shell:

    Get-ExchangeCertificate -Thumbprint (Get-FederationTrust).OrgCertificate.Thumbprint | Format-Table -Auto Thumbprint,NotAfter
    
  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.


Update a working federation certificate

If the federation certificate hasn't expired, you can update the existing federation trust with a new federation certificate.

Step 1: Create a new federation certificate

Run the following command in the Exchange Management Shell to create a new federation certificate:

$SKI = [System.Guid]::NewGuid().ToString("N"); New-ExchangeCertificate -DomainName 'Federation' -FriendlyName "Exchange Delegation Federation" -Services Federation -SubjectKeyIdentifier $SKI -PrivateKeyExportable $true

For detailed syntax and parameter information, see New-ExchangeCertificate.

The command output contains the thumbprint value of the new certificate. You'll need this value in the remaining steps, and you can copy the value directly from the Exchange Management Shell window:

  1. Right-click anywhere in the Exchange Management Shell window, and select Mark in the dialog that appears.

  2. Select the thumbprint value, and then press ENTER.

For the other procedures in this topic, we'll use the federation certificate thumbprint value: 6A99CED2E4F2B5BE96C5D17D662D217EF58B8F73. Your certificate thumbprint value will be different.

Step 2: Configure the new certificate as the federation certificate

To use the Exchange Management Shell to configure the new certificate as the federation certificate, use the following syntax:

Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint <Thumbprint> -RefreshMetaData

This example uses the certificate thumbprint value 6A99CED2E4F2B5BE96C5D17D662D217EF58B8F73 from Step 1.

Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint 6A99CED2E4F2B5BE96C5D17D662D217EF58B8F73 -RefreshMetaData

For detailed syntax and parameter information, see Set-FederationTrust.

Note: The command output contains a warning that you need to update the proof of domain ownership TXT record in DNS. You'll do that in the next step.

Step 3: Update the federation proof of domain ownership TXT record in external DNS

You can safely perform this step now, because the proof of domain ownership TXT record is only checked during activation (Step 5). However, after you update the TXT record, and before you continue to the next step, you need to allow time for the updated TXT record to propagate (based on the time to live or TTL value of the DNS record).

  1. Find the required values for the required TXT record by running the following command in the Exchange Management Shell:

    Get-FederatedDomainProof -DomainName <Domain> | Format-List Thumbprint,Proof
    

    For example, if your federated domain is contoso.com, run the following command:

    Get-FederatedDomainProof -DomainName contoso.com | Format-List Thumbprint,Proof
    

    The command output looks like this:

    Thumbprint : <new certificate thumbprint> (for example, 6A99CED2E4F2B5BE96C5D17D662D217EF58B8F73)

    Proof : <new hash text> (for example, znMfbkgSbOQSsWFdsW+gm3to0nZSdE3zbcPPHGVAqdgsLFGsCPuLHiyVbKoPmgyZKX90NH2g1PbCZH0YTQF6oA==)

    Thumbprint : <old certificate thumbprint> (for example, CC9BC204BB4DC60D06FC1F10F3C373DC785DA2A5)

    Proof : <old hash text> (for example, m4gZX7OLr9iOWYJMVjEklQpoSkPb5hSbcFjD7Q3/vsqmdJ2Z+HcSt7j5pzBKFmEW2s27JYr3xsK2POzAI/8Ffw==)

    Note that the command output returns information for two proof of domain ownership records: one for the new certificate, and one for the current certificate that you're replacing. You can tell which is which by the thumbprint value, and the hash text value that's configured in the current proof of domain ownership TXT record in your external (public) DNS.

  2. Update the federation proof of domain ownership TXT record in your external DNS. The instructions will vary based on your DNS provider, but you can edit the current TXT record to replace the current hash text value with the new hash text value. For more information, see the Exchange Online section in External Domain Name System records for Office 365.

Step 4: Verify the distribution of the new federation certificate to all Exchange servers

Exchange automatically distributes the new federation certificate to all servers, but we need to verify the distribution before we can proceed.

To use the Exchange Management Shell to verify the distribution of the new federation certificate, run the following command:

$Servers = Get-ExchangeServer; $Servers | foreach {Get-ExchangeCertificate -Server $_ | Where {$_.Services -match 'Federation'}} | Format-List Identity,Thumbprint,Services,Subject

Note: In Exchange 2010, the output of the Test-FederationCertificate cmdlet contains server names. The output of the cmdlet in Exchange 2013 or later doesn't include server names.
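Before activating the certificate in Step 5, a practitioner usually wants one check that both preconditions hold: the public TXT record from Step 3 already carries the new proof hash, and the certificate from Step 4 is present on every server. The following PowerShell script is an added example, not part of the original topic; it assumes $NewThumbprint is the thumbprint from Step 1, that Resolve-DnsName (DnsClient module) is available on the machine you run it from, and that the optional $DnsServer parameter names an external resolver so the result reflects public DNS rather than an internal cache.

```powershell
# Added example (not from the original topic): gate Step 5 on the outcome of Steps 3 and 4.
# Assumptions: $NewThumbprint is the Step 1 thumbprint; Resolve-DnsName is available;
# $DnsServer (optional) is an external resolver you choose.
param(
    [Parameter(Mandatory)][string]$DomainName,
    [Parameter(Mandatory)][string]$NewThumbprint,
    [string]$DnsServer
)
$ready = $true

# Check 1 (Step 3): the proof hash for the NEW certificate must be visible in the TXT record.
$proof = (Get-FederatedDomainProof -DomainName $DomainName |
          Where-Object { $_.Thumbprint -eq $NewThumbprint }).Proof
if (-not $proof) { throw "No proof generated for thumbprint $NewThumbprint; check the Step 1 output." }

$dns = @{ Name = $DomainName; Type = 'TXT'; ErrorAction = 'Stop' }
if ($DnsServer) { $dns.Server = $DnsServer }
$published = Resolve-DnsName @dns |
             Where-Object { $_.Type -eq 'TXT' } |
             ForEach-Object { $_.Strings -join '' }   # multi-string TXT records are concatenated
if ($published -contains $proof) {
    Write-Output "DNS OK: $DomainName publishes the proof for $NewThumbprint"
} else {
    Write-Warning "DNS NOT READY: proof for $NewThumbprint not visible yet (TTL not expired, or record not updated)"
    $ready = $false
}

# Check 2 (Step 4): every Exchange server must hold the new certificate together with its private key.
$missing = foreach ($server in Get-ExchangeServer) {
    $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $NewThumbprint -ErrorAction SilentlyContinue
    if (-not $cert -or -not $cert.HasPrivateKey) { $server.Name }
}
if ($missing) {
    Write-Warning "DISTRIBUTION NOT READY: certificate (with private key) missing on $($missing -join ', ')"
    $ready = $false
} else {
    Write-Output "Distribution OK: $NewThumbprint present on all Exchange servers"
}

if ($ready) { Write-Output "Both preconditions met; safe to run Step 5 (-PublishFederationCertificate)." }
else        { Write-Warning "Do not activate yet; rerun this check after the TTL expires or replication completes." }
```

Save the script and run it as `.\Check-FederationReadiness.ps1 -DomainName contoso.com -NewThumbprint <thumbprint from Step 1>` (a file name of your choosing); rerun it until both checks report OK.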

Step 5: Activate the new federation certificate

To use the Exchange Management Shell to activate the new federation certificate, run the following command:

Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate

For detailed syntax and parameter information, see Set-FederationTrust.

Note: The command output contains a warning that you need to update the proof of domain ownership TXT record in DNS (which you already did in Step 3).

How do you know this worked?

To verify that you've successfully updated the existing federation trust with a new federation certificate, use these steps:

  • In the Exchange Management Shell, run the following command to verify that the new certificate is being used:

    Get-FederationTrust | Format-List *priv*
    
    • The OrgPrivCertificate property should contain the thumbprint of the new federation certificate.

    • The OrgPrevPrivCertificate property should contain the thumbprint of the old (replaced) federation certificate.

  • In the Exchange Management Shell, replace <user's email address> with the email address of a user in your org, and run the following command to verify that the federation trust is working:

    Test-FederationTrust -UserIdentity <user's email address>
    

Replace an expired federation certificate

If the federation certificate has already expired, you need to remove all federated domains from the federation trust, and then remove and recreate the federation trust.

  1. If you have multiple federated domains, you need to identify the primary shared domain so you can remove it last. To use the Exchange Management Shell to identify the primary shared domain and all federated domains, run the following command:

    Get-FederatedOrganizationIdentifier | Format-List AccountNamespace,Domains
    

    The value of the AccountNamespace property contains the primary shared domain in the format FYDIBOHF25SPDLT.<primary shared domain>. For example, in the value FYDIBOHF25SPDLT.contoso.com, contoso.com is the primary shared domain.

  2. Remove each federated domain that isn't the primary shared domain by running the following command in the Exchange Management Shell:

    Remove-FederatedDomain -DomainName <domain> -Force
    
  3. After you've removed all other federated domains, remove the primary shared domain by running the following command in the Exchange Management Shell:

    Remove-FederatedDomain -DomainName <domain> -Force
    
  4. Remove the federation trust by running the following command in the Exchange Management Shell:

    Remove-FederationTrust "Microsoft Federation Gateway"
    
  5. Recreate the federation trust. For instructions, see Create a federation trust.
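The ordering constraint in steps 1 through 4 (every other federated domain first, the primary shared domain last, then the trust) is easy to get wrong by hand when there are several domains. The following PowerShell script is an added example, not part of the original topic: it derives the primary shared domain from AccountNamespace, prints the removal plan as a dry run, and only removes anything when -Execute is given. It assumes each entry in the Domains property exposes its name through a DomainName property (falling back to the object's string form if it does not).

```powershell
# Added example (not from the original topic): plan, and optionally perform, the removals
# in the order the procedure requires. Assumption: entries in Domains expose DomainName.
param([switch]$Execute)

$orgId = Get-FederatedOrganizationIdentifier

# AccountNamespace looks like FYDIBOHF25SPDLT.contoso.com; strip the well-known prefix
# (with or without the dot) to get the primary shared domain.
$primary = $orgId.AccountNamespace -replace '^FYDIBOHF25SPDLT\.?', ''

$domains = @($orgId.Domains | ForEach-Object {
    if ($_.DomainName) { $_.DomainName } else { "$_" }
})
$others = @($domains | Where-Object { $_ -ne $primary })

# Removal order: all non-primary federated domains, then the primary shared domain last.
$plan = $others + @($primary)

Write-Output "Primary shared domain : $primary"
Write-Output "Federated domains     : $($domains -join ', ')"
Write-Output "Removal order         : $($plan -join ' -> ')"
Write-Output "Then                  : Remove-FederationTrust 'Microsoft Federation Gateway'"

if (-not $Execute) {
    Write-Output "Dry run only. Review the plan above, then rerun with -Execute to remove."
    return
}

foreach ($d in $plan) {
    Write-Output "Removing federated domain $d"
    Remove-FederatedDomain -DomainName $d -Force
}
Write-Output "Removing the federation trust"
Remove-FederationTrust "Microsoft Federation Gateway"
# Step 5 (recreating the trust) is still done by following the Create a federation trust topic.
```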