question

0 Votes
eg1995-5273 asked joyceshen-MSFT commented

certificate renewal in exchange hybrid

Dears,

I have a running hybrid configuration between Exchange 2013 and Office 365, operational for 2 years. I have users running on both on-premises and Office 365.
The public certificate is about to expire this week; I couldn't renew it as I have a problem with the payment.
Therefore, I re-issued a new one from another provider, but I still didn't complete the request.
Can you advise please on the procedure?
Does it need downtime?
Do I need to do anything on the HCW level, knowing that the old certificate is used by the HCW and the O365 connector?

Your help is appreciated.
Thank you in advance.


Hi @eg1995-5273 , is there any update about your issue? Have you successfully renewed your certificate?

0 Votes
joyceshen-MSFT answered

Hi @eg1995-5273 , agree with the steps above.

In short, you will need to apply for a new certificate. The official documentation covers "Create an Exchange Server certificate request for a certification authority" and "Complete a pending Exchange Server certificate request".

Then assign the right services to this certificate, like IIS, SMTP... See "Assign certificates to Exchange Server services".

Re-run HCW to update the certificate.

Use the commands below to check whether the connector matches the new certificate. If they do not match, you will run into an issue like the one this link describes: "New SSL certificate causing mail flow to fail in hybrid deployments".

    Get-ExchangeCertificate -Thumbprint <Thumbprint> | fl
    Get-ReceiveConnector "ConnectorName" | fl Name,TlsCertificateName

If everything is fine, test mail flow both inside and outside.


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
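
One way to script the check described in the answer above (an added example, not part of the original post or of Microsoft's documentation): it builds the `<I>issuer<S>subject` string that Exchange stores in `TlsCertificateName` from the new certificate and compares it with every connector that pins a certificate. `<Thumbprint>` is a placeholder, the 30-day expiry window is an arbitrary choice, and including send connectors goes beyond the command shown in the answer.

```powershell
# Added example: run in the Exchange Management Shell on the on-premises server.
# '<Thumbprint>' is a placeholder for the new certificate's thumbprint.
$Thumbprint = '<Thumbprint>'
$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint

# 1. The certificate itself: usable, not close to expiry, bound to SMTP.
$issues = @()
if ("$($cert.Status)" -ne 'Valid') { $issues += "Status is $($cert.Status), expected Valid" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $issues += "Expires on $($cert.NotAfter)" }
if ("$($cert.Services)" -notmatch 'SMTP') { $issues += 'SMTP service is not assigned' }

# 2. Connectors pin a certificate by issuer and subject, not by thumbprint.
#    A certificate from a different provider has a different issuer, so a
#    connector still holding the old value will not select the new certificate.
$expected = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# Every receive and send connector that pins a certificate (assumption: the
# connectors created by the HCW are among them).
$connectors = (@(Get-ReceiveConnector) + @(Get-SendConnector)) |
    Where-Object { $_.TlsCertificateName }

$report = foreach ($c in $connectors) {
    [pscustomobject]@{
        Connector = "$($c.Identity)"
        Pinned    = "$($c.TlsCertificateName)"
        Matches   = ("$($c.TlsCertificateName)" -eq $expected)
    }
}
$report | Format-Table -AutoSize -Wrap

# 3. Summarise: anything listed here should be fixed before testing mail flow.
$stale = @($report | Where-Object { -not $_.Matches })
$issues | ForEach-Object { Write-Warning "Certificate: $_" }
$stale  | ForEach-Object { Write-Warning "Connector '$($_.Connector)' pins a different certificate" }
if (-not $issues -and -not $stale) {
    Write-Output "All $(@($report).Count) pinned connectors match $expected"
}
```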
 


 



1 Vote
AshokM-8240 answered

Hi,

You can follow the steps below:

  1. Complete the request by selecting the new certificate.

  2. Export the certificate and import it on the other Exchange servers, if any.

  3. Assign the services to the certificate. This might require a restart of IIS, which affects the client connections, so do it after hours and one at a time.

  4. If you have the certificate on the load balancer, then share the new certificate with the certificate chain to update it.

  5. Make sure to have the certificate chain installed on all the Exchange servers, as the provider is different.

  6. For HCW, I suggest re-running it if you are planning to use the certificate for the SMTP service, and selecting the new certificate (this wouldn't have been required in case of renewal). Also make a note of the existing hybrid configuration using the command Get-HybridConfiguration.



0 Votes
eg1995-5273 answered AshokM-8240 commented

Hello,

Well noted.
One question: if the certificate is expired and I didn't renew it yet,
what would be the behavior that I will face, other than Outlook clients?
Will something happen on the mail flow level between on-prem and O365?

Thank you


Yes, mail flow between on-premises and O365 will be impacted if the expired certificate has been used for Hybrid and TLS.

If the above answer is helpful, please click "Accept Answer" and upvote it.
