
Expired Federation Certificate Deletion

Raymond Brooks 431 Reputation points
2026-04-08T04:09:05.5933333+00:00

Hi, if a server is being moved to SE as SMTP only, all mailboxes have been migrated and there is no need for on-prem mailboxes anymore, can the expired Federation certificate be deleted safely? Provided it's not the only one bound to any service like SMTP or IIS, of course.

Exchange | Exchange Server | Management



2 answers

  1. Teddie-D 14,460 Reputation points Microsoft External Staff Moderator
    2026-04-08T04:44:55.7633333+00:00

    Hi @Raymond Brooks 

    In the scenario you described, it is safe to delete the expired Federation certificate. 

    The Federation certificate in Exchange Server is primarily used for federation features such as Free/Busy sharing, organization relationships, and certain hybrid configurations. If your environment has already transitioned to SMTP-only and all mailboxes have been migrated, these federation features are typically no longer needed.   

    Before deleting the certificate, please make sure that: 

    - The certificate is not currently assigned to any services such as SMTP or IIS.

    - There are no remaining hybrid or federation dependencies with Microsoft 365.

    - The Federation Trust is no longer required in your environment.

    If all of the above are confirmed, the expired Federation certificate can be safely removed.  

    I hope this information is helpful. 


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".          

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.   


  2. Q&A Assist
    2026-04-08T04:09:18.5866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Yes, the expired federation certificate can be removed, but only after the federation trust and federated domains that depend on it have been removed, and only if it is not in use by any other Exchange services.

    For an expired federation certificate in an on-premises Exchange organization where federation is no longer required (for example, all mailboxes are in Exchange Online and the on-premises server is SMTP-only), the supported approach is:

    1. Confirm the certificate is the federation certificate
      • Use the federation trust to identify the current federation certificate thumbprint:
         # A trailing pipe continues the line in PowerShell; a backslash does not
         Get-ExchangeCertificate -Thumbprint (Get-FederationTrust).OrgCertificate.Thumbprint |
           Format-Table -AutoSize Thumbprint,NotAfter
      
    2. If the federation certificate has already expired
      • Remove all federated domains from the federation trust:
         Get-FederatedOrganizationIdentifier | Format-List AccountNamespace,Domains
         Remove-FederatedDomain -DomainName <domain> -Force
      
      • Remove the primary shared (AccountNamespace) domain last:
         Remove-FederatedDomain -DomainName <primary-domain> -Force
      
      • Remove the federation trust itself:
         Remove-FederationTrust "Microsoft Federation Gateway"
      
      If the federation certificate is expired and a normal delete fails with an AccessDenied/1007 error, delete using -Force as documented:
         Remove-FederatedDomain -DomainName <domain> -Force
         Remove-FederationTrust "Microsoft Federation Gateway"
      
    3. After the federation trust is removed
      • Once no federation trust or federated domains reference the certificate and it is not bound to IIS/SMTP/POP/IMAP, the expired federation certificate can be safely removed from the server like any other unused certificate.

    Note: By design, after renewing a working federation certificate, the expired certificate associated with the federation trust cannot be removed from the federation trust object itself. In the scenario described, federation is being decommissioned, so the trust is removed entirely instead of renewed.


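Both answers above give the same preconditions (certificate not bound to IIS/SMTP/POP/IMAP, no remaining hybrid or federation dependencies, trust no longer needed) and the second lays out the removal order. The script below is an added example for this thread, not code from either answer or from Microsoft. It turns those preconditions into checks that run in the Exchange Management Shell, reports what it finds, and only performs the removal when nothing blocks it and the `-Remove` switch (a hypothetical parameter of this script) is supplied. It assumes the trust is named "Microsoft Federation Gateway", as in the thread, and that the federation certificate carries the `Federation` value in its `Services` flags.

```powershell
# Added example, not from the thread or from Microsoft. Run in the Exchange Management
# Shell on the on-premises server. Report-only unless -Remove is given; supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove,                                   # hypothetical: enables deletion
    [string]$TrustName = 'Microsoft Federation Gateway' # default trust name used in the thread
)

$now      = Get-Date
$blockers = New-Object System.Collections.Generic.List[string]

# 1. Locate the federation trust and the certificate it references (if the trust still exists).
$trust         = Get-FederationTrust -ErrorAction SilentlyContinue
$fedThumbprint = if ($trust) { $trust.OrgCertificate.Thumbprint } else { $null }

# Candidate certificates: expired, and either referenced by the trust or flagged for Federation.
$candidates = @(Get-ExchangeCertificate | Where-Object {
    $_.NotAfter -lt $now -and
    ($_.Thumbprint -eq $fedThumbprint -or "$($_.Services)" -match 'Federation')
})
if ($candidates.Count -eq 0) {
    Write-Host 'No expired federation certificate found on this server.'
    return
}

foreach ($cert in $candidates) {
    $msg = 'Candidate {0} ({1}) expired {2:yyyy-MM-dd}; services: {3}'
    Write-Host ($msg -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $cert.Services)

    # 2a. Checklist item 1: must not be enabled for anything other than federation.
    $otherServices = @("$($cert.Services)" -split ',\s*' |
        Where-Object { $_ -and ($_ -notin @('Federation', 'None')) })
    if ($otherServices.Count -gt 0) {
        $blockers.Add("$($cert.Thumbprint) is still enabled for: $($otherServices -join ', ')")
    }
}

# 2b. Checklist items 2 and 3: remaining federated domains and organization relationships.
$orgId      = Get-FederatedOrganizationIdentifier -ErrorAction SilentlyContinue
$fedDomains = @()
if ($orgId -and $orgId.Domains) {
    $fedDomains = @($orgId.Domains | ForEach-Object {
        if ($_.DomainName) { "$($_.DomainName)" } else { "$_" } })
}
$accountNs = if ($orgId) { "$($orgId.AccountNamespace)" } else { $null }
$orgRels   = @(Get-OrganizationRelationship -ErrorAction SilentlyContinue)
if ($orgRels.Count -gt 0) {
    $blockers.Add("Organization relationships still exist: $(($orgRels | ForEach-Object Name) -join ', ')")
}
Write-Host ('Trust present: {0}; federated domains: {1}; account namespace: {2}' -f
    [bool]$trust, ($fedDomains -join ', '), $accountNs)

if ($blockers.Count -gt 0) {
    Write-Warning 'Not safe to remove yet:'
    $blockers | ForEach-Object { Write-Warning "  $_" }
    return
}
if (-not $Remove) {
    Write-Host 'Preconditions satisfied. Re-run with -Remove (optionally -WhatIf) to clean up.'
    return
}

# 3. Tear down in the order the answer gives: federated domains (account namespace last),
#    then the trust, then the certificate. -Force is used because the certificate is expired
#    (the AccessDenied/1007 case mentioned above).
$ordered = @($fedDomains | Where-Object { $_ -ne $accountNs }) +
           @($fedDomains | Where-Object { $_ -eq $accountNs })
foreach ($d in $ordered) {
    if ($PSCmdlet.ShouldProcess($d, 'Remove-FederatedDomain')) {
        Remove-FederatedDomain -DomainName $d -Force
    }
}
if ($trust -and $PSCmdlet.ShouldProcess($TrustName, 'Remove-FederationTrust')) {
    Remove-FederationTrust -Identity $TrustName
}
foreach ($cert in $candidates) {
    if ($PSCmdlet.ShouldProcess($cert.Thumbprint, 'Remove-ExchangeCertificate')) {
        Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -Confirm:$false
    }
}
```

Running the script with no switches is the safe first step: it lists every expired certificate that looks like the federation certificate, prints its bound services, and names anything that would make deletion unsafe (a second service binding, a surviving organization relationship). `-Remove -WhatIf` then shows the exact removal sequence without executing it.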
