
Exchange federation certificate expired

Renew Federation Certificate in Exchange 2019

How to fix Exchange federation certificate expired error

You may suddenly see the error that the Exchange Delegation Federation certificate on the server has expired.

Usually this is a self-signed certificate created automatically by the Hybrid Configuration Wizard.

Exchange uses it to share free/busy information with other organizations.

It is valid for 5 years, so it is easy to forget about its expiry.

However, after 5 years it will expire, so you have to renew it before it expires.

But what if it is already expired?

If it is expired, you must recreate a new one and replace the old one.

In this article, we will see how we can recreate the federation certificate if it is already expired.

Exchange federation certificate expired

In this case, the federation certificate has already expired.

Important Steps to recreate the Federation Certificate

  • The federation certificate is already expired
  • Remove the federated domains
  • Remove the federation trust
  • Create a new federation certificate
  • Configure the fresh certificate as the federation certificate
  • Update the TXT record in the external domain as federation proof of domain ownership
  • Verify the new federation certificate on all Exchange servers
  • Update the metadata for the federation trust
  • Finally, add the federated domain

How to fix federation certificate Expired Error in Microsoft Exchange 2019

First of all, let’s run the following cmdlet to copy the expired certificate thumbprint.

Get-ExchangeCertificate

If your certificate is not expired, then you can run the following cmdlet to renew it.

Get-ExchangeCertificate -Thumbprint 12ED6C07(yourexpiredthumbprint)8E6 | New-ExchangeCertificate -Force -PrivateKeyExportable $true

As our certificate is already expired, we have to review the federated organization identifier and remove its domains.

Removing Federated Domains

To get the federatedOrganizationIdentifier, run the following cmdlet

Get-FederatedOrganizationIdentifier | Format-List AccountNamespace,Domains

You will get your associated domains.

If you have subdomains or multiple domains, remove them first.

The default domain (the account namespace) has to be removed last. (In our case a single domain is listed.)

Therefore, to remove the default domain, run the following cmdlet

Remove-FederatedDomain -DomainName yourdomain -Force

Once the federated domains have been removed, you can cross-check with the cmdlet

Get-FederatedOrganizationIdentifier

The Domains field should now be blank.

Now we have to remove the federation trust.

Removing federation Trust

To remove the federation trust, we have to run the following cmdlet

Remove-FederationTrust "Microsoft Federation Gateway"

Federation trust is removed now.

Now we have to create a new self-signed federation certificate.

To create the new federation certificate, run the following cmdlets.

$ski = [System.Guid]::NewGuid().ToString("N")
New-ExchangeCertificate -FriendlyName "Exchange Delegation Federation" -SubjectName "CN = Federation" -DomainName yourdomainName -Services Federation -KeySize 2048 -PrivateKeyExportable $true -SubjectKeyIdentifier $ski

After running the above cmdlets, the new certificate is created and its thumbprint is displayed. Note down the new thumbprint in a notepad.

After doing the above steps, check for Exchange Certificate by running the cmdlet

Get-ExchangeCertificate

There are two federation certificates now: the old expired one and the newly created one.

Now we have to create a new federation trust.

Creating New Federation Trust

To create a new federation trust, run the following cmdlet.

Note: Make sure to type your own new thumbprint.

Get-ExchangeCertificate -Thumbprint DBF82YOurNewThumbprint4B79619 | New-FederationTrust -Name "Microsoft Federation Gateway"

Once you run the above cmdlet, the trust is created.

If you run Get-ExchangeCertificate again, you will see the Federation service assigned to the new certificate.

Next we have to generate the federated domain proof to verify domain ownership, and publish it as a TXT record in our external DNS zone.

To generate the domain proof, run the following cmdlet

Get-FederatedDomainProof -DomainName yourdomain.com

The output shows the TXT record to publish.

Therefore, now you have to create the given TXT record in your external DNS zone.

Once that is done and the TXT record has propagated properly, we can bind the domain to the federation trust by running the following cmdlet

Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway" -AccountNamespace icewolf.ch -Enabled $true

To cross-check it, run the cmdlet Get-FederatedOrganizationIdentifier; the account namespace and domain should now be listed.

The next step is to refresh the Exchange federation metadata by running the cmdlet

Set-FederationTrust -RefreshMetadata -Identity "Microsoft Federation Gateway"

Before moving further, try to check if the federation certificate is installed or not.

Run the cmdlet

Test-FederationTrustCertificate

You should see the state result as Installed.

Now it’s time to test federation trust by running the cmdlet

Test-FederationTrust

If you run the simple cmdlet as above, you may get an error.

So, it’s better to run it with the user such as

Test-FederationTrust -UserIdentity "Administrator"

You should get all the results as Success.

Removing Expired federation Certificate

After completing all the above steps, if every result shows Success, you can remove the expired certificate.

To remove the expired certificate, run the following cmdlet.

Remove-ExchangeCertificate -Thumbprint B2F(YourExpiredThumbprint)3B0A7BB6

After removing the expired certificate, log in to the Exchange Admin Center to check whether the error is gone.

As you can see, the image below shows that our error has been fixed now.

Now there is no such error related to the expired federation certificate and our new federation certificate is valid.

Exchange federation certificate expired fixed
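The whole recreation procedure above, as an added example script that is not the article's own (it is written for this page, not taken from Microsoft's documentation). It runs in two phases so the order the article insists on is enforced: federated domains first (additional domains before the account namespace), then the trust, the new certificate, the new trust, and the domain proofs; after you have published the TXT record(s) you rerun it with -Phase2, which binds the domains, refreshes the metadata, checks Test-FederationTrustCertificate and Test-FederationTrust, and only then removes the expired certificate. The parameters $AccountNamespace, $ExtraDomains, $TestUser, $TrustName and -Phase2, and the helper Get-ExpiredFederationCertificate, are assumptions of this example; the property names State (Test-FederationTrustCertificate) and Type/StepId/Message (Test-FederationTrust) are what those cmdlets return, and the script assumes the Exchange Management Shell on an Exchange 2019 server.

```powershell
# Added example (not the article's own script): the recreation procedure from
# this article as a two-phase script, so the order of operations (domains first,
# account namespace last, then trust, certificate, proof, TXT record, trust
# refresh, tests, cleanup) is enforced and each step is checked before the next.
# Assumptions: runs in the Exchange Management Shell on an Exchange 2019 server;
# $AccountNamespace, $ExtraDomains and $TestUser are placeholders you supply;
# the TXT record(s) are published by hand between phase 1 and phase 2.
param(
    [Parameter(Mandatory)] [string] $AccountNamespace,     # e.g. "yourdomain.com" (placeholder)
    [string[]] $ExtraDomains = @(),                        # subdomains or other federated domains
    [string]   $TestUser     = 'Administrator',            # mailbox passed to Test-FederationTrust
    [string]   $TrustName    = 'Microsoft Federation Gateway',
    [switch]   $Phase2                                     # run once the TXT record has propagated
)
$ErrorActionPreference = 'Stop'

# Federation certificates carry the Federation service flag; pick the expired one(s).
function Get-ExpiredFederationCertificate {
    Get-ExchangeCertificate | Where-Object {
        $_.Services -match 'Federation' -and $_.NotAfter -lt (Get-Date)
    }
}

if (-not $Phase2) {
    $old = @(Get-ExpiredFederationCertificate)
    if ($old.Count -eq 0) {
        throw 'No expired federation certificate found; renew the existing one instead of recreating it.'
    }
    Write-Output "Expired federation certificate(s): $($old.Thumbprint -join ', ')"

    # Step 1: remove federated domains, additional domains first, account namespace last.
    foreach ($d in $ExtraDomains) { Remove-FederatedDomain -DomainName $d -Force }
    Remove-FederatedDomain -DomainName $AccountNamespace -Force
    $left = @((Get-FederatedOrganizationIdentifier).Domains)
    if ($left.Count -gt 0) { throw "Federated domains still present: $($left -join ', ')" }

    # Step 2: remove the federation trust.
    Remove-FederationTrust -Identity $TrustName

    # Step 3: new self-signed federation certificate with a fresh subject key identifier.
    $ski = [System.Guid]::NewGuid().ToString('N')
    $new = New-ExchangeCertificate -FriendlyName 'Exchange Delegation Federation' `
        -SubjectName 'CN=Federation' -DomainName $AccountNamespace -Services Federation `
        -KeySize 2048 -PrivateKeyExportable $true -SubjectKeyIdentifier $ski
    Write-Output "New federation certificate thumbprint: $($new.Thumbprint)"

    # Step 4: recreate the trust from the new certificate.
    Get-ExchangeCertificate -Thumbprint $new.Thumbprint | New-FederationTrust -Name $TrustName

    # Step 5: domain proofs; every domain that will be federated needs its own TXT record.
    foreach ($d in @($AccountNamespace) + $ExtraDomains) {
        Get-FederatedDomainProof -DomainName $d | Format-List
    }
    Write-Output 'Publish the TXT record(s) above in external DNS, wait for propagation, then rerun with -Phase2.'
    return
}

# Phase 2: bind the account namespace to the trust, add the extra domains,
# refresh the metadata, verify, and only then remove the expired certificate.
Set-FederatedOrganizationIdentifier -DelegationFederationTrust $TrustName `
    -AccountNamespace $AccountNamespace -Enabled $true
foreach ($d in $ExtraDomains) { Add-FederatedDomain -DomainName $d }
Set-FederationTrust -Identity $TrustName -RefreshMetadata

# The certificate must report Installed on every server before the trust test means anything.
$certState = Test-FederationTrustCertificate
$certState | Format-List
if ($certState | Where-Object { $_.State -ne 'Installed' }) {
    throw 'Federation certificate is not installed on every Exchange server; fix that before removing the old one.'
}

# Test-FederationTrust returns one object per step; Type carries Success/Warning/Error.
$results = Test-FederationTrust -UserIdentity $TestUser
$results | Format-Table StepId, Type, Message -AutoSize
$failed = @($results | Where-Object { $_.Type -ne 'Success' })
if ($failed.Count -gt 0) {
    throw "Federation trust test reported $($failed.Count) non-success step(s); leaving the expired certificate in place."
}

# Step 6: everything passed, so the expired certificate can go.
foreach ($c in Get-ExpiredFederationCertificate) {
    Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -Confirm:$false
}
```

Run it once without -Phase2, publish the TXT record(s) it prints, confirm they resolve from outside, then run it again with -Phase2. Because the script refuses to delete the old certificate until Test-FederationTrustCertificate and Test-FederationTrust both pass, a half-finished DNS change leaves you with the old certificate still present rather than with no federation certificate at all.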


Conclusion

We saw how to renew the federation certificate if it is about to expire, and how to recreate it if it has already expired.

With that, the "Exchange federation certificate expired" error is fixed.

It is better to always keep an eye on expiring Exchange certificates and renew them before they expire.

I hope you like the article. You may also like more articles on Microsoft Exchange Server learning.
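As an added example of keeping that eye on expiry, here is a short report script that is not the article's own: it lists every Exchange certificate with its days to expiry, flags the ones that are expired or within a warning window, and, for a federation certificate that is expiring but not yet expired, can apply the same Get-ExchangeCertificate | New-ExchangeCertificate renewal the article shows for that case. $WarnDays and -Renew are parameters chosen for this example; the script assumes the Exchange Management Shell.

```powershell
# Added example (not the article's own script): report Exchange certificate
# expiry and optionally renew a still-valid federation certificate the way the
# article does for the not-yet-expired case.
# Assumptions: runs in the Exchange Management Shell; $WarnDays and -Renew are
# parameters chosen for this example.
param(
    [int]    $WarnDays = 60,   # flag certificates that expire within this many days
    [switch] $Renew            # clone an expiring (not yet expired) federation certificate
)

$now = Get-Date

# One row per certificate, soonest expiry first.
$report = Get-ExchangeCertificate | Sort-Object NotAfter | ForEach-Object {
    $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
    $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'EXPIRING' } else { 'OK' }
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Services   = $_.Services
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
}

$report | Format-Table -AutoSize

# Federation certificates carry the Federation service flag. An expiring one can
# still be renewed in place; an expired one needs the full recreation procedure.
foreach ($cert in ($report | Where-Object { $_.Services -match 'Federation' })) {
    switch ($cert.Status) {
        'EXPIRED' {
            Write-Warning "Federation certificate $($cert.Thumbprint) expired on $($cert.NotAfter); recreate it (remove federated domains and trust, then create a new certificate and trust)."
        }
        'EXPIRING' {
            if ($Renew) {
                # Same renewal pipeline the article uses for a not-yet-expired certificate.
                Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
                    New-ExchangeCertificate -Force -PrivateKeyExportable $true
                Write-Output "Renewed federation certificate $($cert.Thumbprint); verify with Test-FederationTrustCertificate."
            } else {
                Write-Warning "Federation certificate $($cert.Thumbprint) expires in $($cert.DaysLeft) days; rerun with -Renew."
            }
        }
    }
}
```

Scheduling this on one Exchange server and forwarding its warnings to the team's ticketing or mail flow turns a five-year blind spot into a 60-day heads-up, which is the difference between the in-place renewal at the top of this article and the full recreation it describes.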

Register for the complete Exchange Administration course

In case of any query related to this post, feel free to contact us at info@techijack.com

Vikas Jakhmola

Vikas Jakhmola, the founder of Techijack, with over 15+ years of experience in the IT industry.
