Here are the steps to renew the Exchange Federation certificate if it is going to expire soon.
• Create a new federation certificate following the steps below (the SubjectKeyIdentifier is a fresh random value; replace contoso.com with your own domain):
$ski = [System.Guid]::NewGuid().ToString("N")
New-ExchangeCertificate -FriendlyName "Exchange Federated Sharing" -DomainName "contoso.com" -Services Federation -KeySize 2048 -PrivateKeyExportable $true -SubjectKeyIdentifier $ski
• Configure the federation trust to use the certificate with the thumbprint returned by the command above as the next certificate (the trust keeps using the current certificate until it is published):
Set-FederationTrust "Microsoft Federation Gateway" -Thumbprint "54A849EFD1951F1A62376FF0B7418B0839FAE26B"
• Confirm that the next certificate has been rolled out to every server in the Exchange organization by running Test-FederationTrustCertificate.
• Once the certificate rollover is confirmed on all servers, use the cmdlet below to update the Microsoft Federation Gateway (MFG) so that the next certificate becomes the current certificate:
Set-FederationTrust "Microsoft Federation Gateway" -PublishFederationCertificate
• At any time, to force a refresh of the federation metadata and the certificate exchange with the MFG, run the cmdlet below:
Set-FederationTrust "Microsoft Federation Gateway" -RefreshMetadata
NOTE: You have to update the TXT proof-of-ownership records in public DNS for all the domains that were configured for Federation; after publishing, the cmdlet warns about this:
WARNING: The federation trust has changed to use a new certificate for Federation. You should update all TXT
proof-of-ownership records that were previously set in DNS for all the domains configured for Federation. The new
hash-value should be replaced with the OrgNextCertificate proof value output of the OrgNextCertificate generated with
"Get-FederatedDomainProof -DomainName example.com".
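The steps above, combined into one script as an added example (not from the original answer): it checks how long the current certificate has left, stages the new certificate as the next one, waits until Test-FederationTrustCertificate shows it on every server before publishing, refreshes the metadata, and finally prints the new TXT proof for every federated domain. It assumes the Exchange Management Shell; the output property names used for Test-FederationTrustCertificate (Site, State, Thumbprint, with the state string "Installed"), Get-FederatedOrganizationIdentifier (Domains, each with DomainName) and Get-FederatedDomainProof (Proof) are assumptions to confirm with Get-Member in your environment. The domain name is a placeholder.

```powershell
# Added example: end-to-end federation certificate rollover with verification.
# Not the original answer's code. Property names on cmdlet output (see lead-in)
# are assumptions; confirm them with Get-Member before relying on this script.
param(
    [string]$TrustName  = 'Microsoft Federation Gateway',
    [int]$WarnDays      = 60,            # start a rollover when fewer days remain
    [string]$DomainName = 'contoso.com'  # placeholder: use your own domain name
)

$trust = Get-FederationTrust $TrustName
if (-not $trust) { throw "Federation trust '$TrustName' not found." }

# 0. Decide whether a rollover is needed: inspect the current certificate's expiry.
$current  = $trust.OrgCertificate
$daysLeft = ($current.NotAfter - (Get-Date)).Days
Write-Host "Current federation cert $($current.Thumbprint) expires $($current.NotAfter) ($daysLeft days left)"
if ($daysLeft -gt $WarnDays -and -not $trust.OrgNextCertificate) {
    Write-Host 'No rollover required yet.'
    return
}

# 1. Create the new federation certificate (same parameters as the steps above).
$ski  = [System.Guid]::NewGuid().ToString('N')
$cert = New-ExchangeCertificate -FriendlyName 'Exchange Federated Sharing' `
            -DomainName $DomainName -Services Federation -KeySize 2048 `
            -PrivateKeyExportable $true -SubjectKeyIdentifier $ski
Write-Host "Created next certificate $($cert.Thumbprint)"

# 2. Stage it as the *next* certificate; the trust keeps using the current one.
Set-FederationTrust $TrustName -Thumbprint $cert.Thumbprint

# 3. Wait until every server reports the next certificate as installed.
#    Publishing while a server still lacks the key would break federation there.
#    'Installed' as the State value is an assumption (see lead-in).
$deadline = (Get-Date).AddMinutes(30)
do {
    $status  = Test-FederationTrustCertificate
    $missing = @($status | Where-Object {
        $_.Thumbprint -eq $cert.Thumbprint -and $_.State -ne 'Installed'
    })
    if ($missing.Count -gt 0) {
        Write-Host "Waiting: $($missing.Count) server(s) have not received the certificate yet"
        Start-Sleep -Seconds 60
    }
} while ($missing.Count -gt 0 -and (Get-Date) -lt $deadline)
if ($missing.Count -gt 0) {
    throw 'Certificate did not reach all servers within the deadline; not publishing.'
}

# 4. Promote next -> current and push the change to the Microsoft Federation Gateway.
Set-FederationTrust $TrustName -PublishFederationCertificate
Set-FederationTrust $TrustName -RefreshMetadata

# 5. Emit the new TXT proof-of-ownership value for every federated domain.
#    These must be published in public DNS, or federation for that domain fails.
$domains = (Get-FederatedOrganizationIdentifier).Domains
foreach ($d in $domains) {
    $proof = Get-FederatedDomainProof -DomainName $d.DomainName
    [pscustomobject]@{
        Domain   = $d.DomainName
        TXTProof = $proof.Proof   # value to place in the domain's TXT record
    }
}
```

Run it once from an Exchange Management Shell with an account that holds the Organization Management role; the final table lists exactly the TXT values the warning in the answer refers to, so nothing has to be copied by hand from the cmdlet output.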