Scenario: notes on renewing (replacing) the Exchange On-Premises certificate in an Exchange Online Hybrid environment.
After installing a new Exchange On-Premises server (or whenever the hybrid certificate is due for renewal), check the following:

0. Renew the certificate (On-Prem EAC)
   - Create a certificate request
   - Submit the request to your certificate provider
   - Complete the pending request with the certificate the provider issues

1. Perform a fresh export and import of the certificate to all servers
   Do this via the Exchange On-Premises EAC --> Servers --> Certificates. Export the certificate with a password, then import it on every other server.
   Note: the exported .pfx contains the private key. Use a strong password, move the file only over an authenticated channel, and delete every copy once the imports are complete.

2. Configure services on the certificate
   Find the thumbprint of the certificate on the new server:
       Get-ExchangeCertificate -Server <server>
   Check the thumbprint before enabling anything: it must be the newly issued certificate, not an older one with the same subject.
   Move the services to the new certificate (if prompted, answer Yes to move the default SMTP certificate from the old cert to the new one):
       Enable-ExchangeCertificate -Thumbprint <thumbprint> -Server <servername> -Services IMAP,POP,IIS,SMTP

3. SMTP routing

   Within Exchange On-Premises

   a. Check and set the transport server to the new certificate:
       Get-TransportServer -Identity <servername> | Select InternalTransportCertificateThumbprint
      (On Exchange 2013 and later, Get-TransportService returns the same property.)
      If the thumbprint is not the new certificate, move the SMTP service, and any other service still bound to the old certificate, to the new one:
       Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP
      Note: the new Exchange certificate must be enabled for SMTP so it is the one offered for TLS. If this is not done, message routing will break.

      For the next two checks, build the TlsCertificateName value in Issuer/Subject format:
       $Cert = Get-ExchangeCertificate -Thumbprint <thumbprint of new certificate> -Server <Exchange Server name>
       $TLSCert = "<I>$($Cert.Issuer)<S>$($Cert.Subject)"

   b. Check and set $TLSCert on the Send Connector to Exchange Online:
       Get-SendConnector -Identity <Office 365 send connector> | Select TlsCertificateName
      If it is not using the new certificate, run the following:
       Set-SendConnector -Identity <Office 365 send connector> -TlsCertificateName $TLSCert
      Note: mail will not flow from Exchange On-Premises to Exchange Online until $TLSCert matches the certificate the sending server actually holds; until then messages queue on-premises.

   c. Check and set $TLSCert on the Receive Connector:
       Get-ReceiveConnector "<servername>\Default Frontend <servername>" | Select TlsCertificateName
      If it is not using the new certificate, run the following:
       Get-ReceiveConnector "<servername>\Default Frontend <servername>" | Set-ReceiveConnector -TlsCertificateName $TLSCert
      Note: until $TLSCert is configured correctly there may be a 2-minute delay in receiving messages from Exchange Online to Exchange On-Premises. If the old certificate has already expired or been removed from the server, inbound routing from Exchange Online can fail completely rather than merely slow down. Do not remove the old certificate until every connector has been moved to the new one.

   Within Exchange Online

   a. Verify the Exchange Online Hybrid inbound connector (labelled 'Inbound from <GUID>', FROM: Your org, TO: O365).
      Within EAC --> Mail Flow --> Connectors, select the inbound connector from 'Your Org' to 'O365' and make sure the certificate name it uses to identify your on-premises server (the "Authenticating sent email" setting; TlsSenderCertificateName in PowerShell) is present as the Subject or a Subject Alternative Name of the new certificate. This is the value Exchange Online checks against the certificate your send connector presents; if they do not match, outbound mail queues on-premises.

   b. Verify that the TLS properties of the Exchange Online Hybrid outbound connector use a namespace that is present as the Subject or a Subject Alternative Name of your new certificate.
      Within EAC --> Mail Flow --> Connectors, select the outbound connector from 'O365' to 'Your Org' and make sure the name it references (for example mail.domain.com; TlsDomain in PowerShell) is listed in your certificate as the Subject or a Subject Alternative Name.

4. Restart your On-Premises services
   a. Restart IIS, MSExchangePop*, MSExchangeImap*, MSExchangeTransport*

5. Azure App Proxy: upload and replace the certificate (from step 1) on the Azure App Proxy (APP)
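The following script is an added example, not part of the original notes, that performs the on-premises checks of step 3 (transport certificate, send connector, receive connector) in one pass and optionally fixes them. It assumes it is run in the Exchange Management Shell on an Exchange 2013 or later server (it uses Get-TransportService), that the server name, new-certificate thumbprint and send-connector identity are supplied as parameters, and that the Exchange Online part only runs if the Exchange Online PowerShell cmdlets are already loaded and connected. The parameter values are placeholders.

```powershell
# Added example: verify (and with -Apply, fix) the on-premises side of the
# hybrid certificate renewal. Assumptions: Exchange Management Shell on
# Exchange 2013+, parameters supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $Server,          # e.g. EX01 (placeholder)
    [Parameter(Mandatory)] [string] $Thumbprint,      # thumbprint of the NEW certificate
    [Parameter(Mandatory)] [string] $SendConnector,   # e.g. 'Outbound to Office 365' (placeholder)
    [string] $ReceiveConnector = "$Server\Default Frontend $Server",
    [switch] $Apply
)

$Cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -Server $Server
if (-not $Cert) { throw "No certificate with thumbprint $Thumbprint found on $Server" }

# Never move services onto a certificate that is already unusable.
if ($Cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($Cert.NotAfter)" }
if ($Cert.NotAfter -lt (Get-Date).AddDays(14)) { Write-Warning "Certificate expires on $($Cert.NotAfter)" }

# Issuer/Subject form that TlsCertificateName expects on send and receive connectors.
$TLSCert = "<I>$($Cert.Issuer)<S>$($Cert.Subject)"
Write-Host "Expected TlsCertificateName: $TLSCert"

$problems = @()

# a. Internal transport certificate must be the new thumbprint.
$transport = Get-TransportService -Identity $Server
if ($transport.InternalTransportCertificateThumbprint -ne $Thumbprint) {
    $problems += "Transport service on $Server uses $($transport.InternalTransportCertificateThumbprint)"
    if ($Apply) {
        # -Force suppresses the prompt about overwriting the default SMTP certificate.
        Enable-ExchangeCertificate -Thumbprint $Thumbprint -Server $Server -Services SMTP -Force
    }
}

# b. Send connector to Exchange Online must present the new certificate.
$sc = Get-SendConnector -Identity $SendConnector
if ("$($sc.TlsCertificateName)" -ne $TLSCert) {
    $problems += "Send connector '$SendConnector' has TlsCertificateName '$($sc.TlsCertificateName)'"
    if ($Apply) { Set-SendConnector -Identity $SendConnector -TlsCertificateName $TLSCert }
}

# c. Default Frontend receive connector must offer the new certificate to Exchange Online.
$rc = Get-ReceiveConnector -Identity $ReceiveConnector
if ("$($rc.TlsCertificateName)" -ne $TLSCert) {
    $problems += "Receive connector '$ReceiveConnector' has TlsCertificateName '$($rc.TlsCertificateName)'"
    if ($Apply) { Set-ReceiveConnector -Identity $ReceiveConnector -TlsCertificateName $TLSCert }
}

# Names on the certificate (subject + SANs). The Exchange Online connectors
# (TlsSenderCertificateName on the inbound, TlsDomain on the outbound) must
# reference one of these, wildcards included.
$names = @($Cert.CertificateDomains | ForEach-Object { "$_" })
Write-Host "Certificate covers: $($names -join ', ')"

function Test-NameCovered([string] $Name) {
    foreach ($d in $names) { if ($Name -like $d -or $d -like $Name) { return $true } }
    return $false
}

# Optional Exchange Online check; runs only if the EXO cmdlets are connected.
if (Get-Command Get-OutboundConnector -ErrorAction SilentlyContinue) {
    foreach ($ic in Get-InboundConnector | Where-Object { $_.TlsSenderCertificateName }) {
        $n = "$($ic.TlsSenderCertificateName)"
        if (-not (Test-NameCovered $n)) { $problems += "EXO inbound connector '$($ic.Name)' expects '$n', not on certificate" }
    }
    foreach ($oc in Get-OutboundConnector | Where-Object { $_.TlsDomain }) {
        $n = "$($oc.TlsDomain)"
        if (-not (Test-NameCovered $n)) { $problems += "EXO outbound connector '$($oc.Name)' validates '$n', not on certificate" }
    }
}

if ($problems.Count -eq 0) {
    Write-Host "All connectors reference the new certificate."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    if ($Apply) { Write-Host "On-premises items above were updated; re-run without -Apply to confirm." }
    else        { Write-Host "Re-run with -Apply to fix the on-premises items." }
}
```

Run it first without -Apply to see what still points at the old certificate, then with -Apply. The Exchange Online names are reported but never changed by the script, because they are set by the Hybrid Configuration Wizard and should be corrected there if they do not match; the script's job is to prove the new certificate covers them before the old one is removed.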