Certificate renewal in Exchange hybrid

eg1995 1,131 Reputation points
2020-09-24T08:59:27.513+00:00

Dears,

I have a running hybrid configuration between Exchange 2013 and Office 365, operational for 2 years. I have users running on both on-premises and Office 365.
The public certificate is about to expire this week; I couldn't renew it as I have a problem with the payment.
Therefore, I re-issued a new one from another provider, but I still didn't complete the request.
Can you advise please on the procedure?
Does it need downtime?
Do I need to do anything on the HCW level, knowing that the old certificate is used by the HCW and the O365 connector?

Your help is appreciated.
Thank you in advance.


Accepted answer
  1. Joyce Shen - MSFT 16,646 Reputation points
    2020-09-25T02:25:54.237+00:00

    Hi @eg1995, I agree with the steps above.

    In short, you will need to apply for a new certificate. The official documentation covers this in "Create an Exchange Server certificate request for a certification authority" and "Complete a pending Exchange Server certificate request".

    Then assign the right services to this certificate, like IIS, SMTP... (see "Assign certificates to Exchange Server services").

    Re-run the HCW to update the certificate.

    Use the commands below to check whether the connector matches the new certificate. If they do not match, you will run into an issue like the one described in "New SSL certificate causing mail flow to fail in hybrid deployments":

    Get-ExchangeCertificate -Thumbprint <Thumbprint> |fl  
    Get-ReceiveConnector "ConnectorName" |fl Name,TlsCertificateName   
    

    If everything is fine, test mail flow both inside and outside.


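The check described in the accepted answer can be scripted. The following is an added example, not part of the original answer or of Microsoft's documentation; it assumes it is run in the Exchange Management Shell on an on-premises server, that `<Thumbprint>` is replaced with the new certificate's thumbprint, and it goes slightly beyond the answer by also checking send connectors.

```powershell
# Added example. Placeholder: paste the thumbprint of the newly installed certificate.
$Thumbprint = '<Thumbprint>'

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint on this server." }

# Connectors store the TLS certificate as "<I>issuer<S>subject", not as a thumbprint.
# A certificate from a different CA therefore changes the expected value even when
# the subject name stays the same.
$expected = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# Sanity checks on the certificate itself: validity and SMTP assignment.
[pscustomobject]@{
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer
    NotAfter = $cert.NotAfter
    Services = $cert.Services
    HasSMTP  = ("$($cert.Services)" -match 'SMTP')
    Expired  = ($cert.NotAfter -lt (Get-Date))
} | Format-List

# Compare every connector that pins a certificate against the expected string.
$connectors = @(Get-ReceiveConnector) + @(Get-SendConnector)
$report = foreach ($c in $connectors) {
    $pinned = "$($c.TlsCertificateName)"
    if ([string]::IsNullOrEmpty($pinned)) { continue }   # connector does not pin a certificate
    [pscustomobject]@{
        Connector = $c.Identity
        Pinned    = $pinned
        Matches   = ($pinned -eq $expected)               # -eq is case-insensitive for strings
    }
}
$report | Format-Table -AutoSize -Wrap

# Anything listed here still points at another certificate (for example the expiring one).
$stale = @($report | Where-Object { -not $_.Matches })
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) connector(s) still reference another certificate; re-run the HCW and check again."
}
```

Run it once before and once after re-running the HCW; connectors that still show `Matches = False` afterwards are the ones to investigate before the old certificate expires.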

2 additional answers

  1. Ashok M 6,506 Reputation points
    2020-09-24T12:32:30.893+00:00

    Hi,

    You can follow the steps below:

    1. Complete the request by selecting the new certificate
    2. Export the certificate and import it on the other Exchange servers, if any
    3. Assign the services to the certificates - This might require a restart of IIS, which affects the client connections, so do it after hours and one at a time.
    4. If you have the certificate on the load balancer, then share the new certificate with the certificate chain to update
    5. Make sure to have the certificate chain installed on all the Exchange servers, as the provider is different
    6. For HCW, I suggest re-running it if you are planning to use the certificate for the SMTP service, and selecting the new certificate (this wouldn't have been required in case of renewal) - Also make a note of the existing hybrid configuration using the command Get-HybridConfiguration
    1 person found this answer helpful.

  2. eg1995 1,131 Reputation points
    2020-09-25T09:38:55.493+00:00

    Hello,

    Well noted.
    One question: if the certificate is expired and I didn't renew it yet,
    what would be the behavior that I will face, other than Outlook clients?
    Will something happen on the mail flow level between on-prem and O365?

    Thank you