Scenario: Here are some notes on upgrading an Exchange On-Premises Certificate in an Exchange Online Hybrid Environment.
Notes:
#After installing a new Exchange On-Premises Server, check the following:
#0. Renew the Cert(On-Prem EAC)
#Create a req
#Submit the req
#Complete the Cert Request with your Cert Provider
#1. Perform a fresh Export and Import of the Cert to all Servers
#Do this via Exchange On-Premises EAC --> Servers --> Certificates. Export the certificate (with the private key) protected by a password, then import that same file on every other server.
#2. Configure Services on the Cert
#Find the thumbprint of the Cert on the new server
Get-ExchangeCertificate -server <server>
#Move the services to the new Cert. Note: if prompted, select Yes/Accept to move the SMTP service from the old cert to the new cert.
Enable-ExchangeCertificate -Thumbprint <thumbprint> -Server <servername> -Services IMAP,POP,IIS,SMTP
#3. SMTP Routing:
#Within Exchange On-Premises
#a. Check and Set the Transport Server to the new cert:
Get-TransportServer -Identity <servername> | Select InternalTransportCertificateThumbprint
#If the thumbprint is not the new cert, move the SMTP Service, and any other service, to the new certificate
Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP
#Notes: The new Exchange certificate needs to be registered to SMTP for TLS. If this is not done, message routing will break.
#For the next two, build the TLSCert Name in Issuer/Subject format:
$Cert = Get-ExchangeCertificate -Thumbprint <thumbprint of new certificate> -server <Exchange Server name>
$TLSCert = ('<I>' + $Cert.Issuer + '<S>' + $Cert.Subject)
#b. Check and Set the $TLSCert on the Send Connector to ExOnline
Get-SendConnector -identity <Office 365 send Connector> | Select TLSCertificateName
#If it's not using the new cert, run the following:
Set-SendConnector -Identity <Office 365 send Connector> -TLSCertificateName $TLSCert
#Notes: You will not be able to send email from Exchange On-Premises to Exchange Online until the Send Connector's TLSCertificateName matches the new $TLSCert. Until then, messages will sit queued On-Premises.
#c. Check and Set the $TLSCert on the Receive Connector
Get-ReceiveConnector "<Servername>\Default Frontend <servername>" | Select TLSCertificateName
#If it's not using the new cert, run the following:
Get-ReceiveConnector "<Servername>\Default Frontend <Servername>" | Set-ReceiveConnector -TlsCertificateName $TLSCert
#Notes: Until the Receive Connector's TLSCertificateName matches the new $TLSCert, there may be a 2-minute delay in receiving messages from Exchange Online to Exchange On-Premises. Routing can break completely if the older, expired cert has already been removed from the server.
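The following audit script is an added example, not part of the original notes. It runs steps 3a-3c above as read-only checks in an Exchange Management Shell session: it builds $TLSCert the same way as above and then reports whether the certificate services, the transport certificate, the Office 365 Send Connector and the Default Frontend Receive Connector all reference the new cert. The three placeholder values at the top ($NewThumbprint, $ServerName, $SendConnectorName) are assumptions you fill in; nothing is changed, so it is safe to run before and after the Set-* commands.

```powershell
# Added example (not from the original notes): audit which certificate each
# on-premises SMTP component references. Run in the Exchange Management Shell.
# Placeholders (assumptions) - fill these in for your environment:
$NewThumbprint     = '<thumbprint of new certificate>'
$ServerName        = '<Exchange Server name>'
$SendConnectorName = '<Office 365 send Connector>'

$Cert = Get-ExchangeCertificate -Thumbprint $NewThumbprint -Server $ServerName
if (-not $Cert) { throw "Certificate $NewThumbprint not found on $ServerName" }

# Build the Issuer/Subject name exactly as the connectors store it
$TLSCert = '<I>' + $Cert.Issuer + '<S>' + $Cert.Subject

# Flag a certificate that is expired or expires within 30 days
if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $NewThumbprint expires on $($Cert.NotAfter)"
}

$results = @()

# 3a. Is SMTP bound to the new certificate on this server?
$results += [pscustomobject]@{
    Component = "Certificate services on $ServerName"
    Expected  = 'includes SMTP (IMAP, POP, IIS as required)'
    Actual    = "$($Cert.Services)"
    OK        = ("$($Cert.Services)" -match 'SMTP')
}

# 3a. Internal transport certificate thumbprint
$transportThumb = (Get-TransportServer -Identity $ServerName).InternalTransportCertificateThumbprint
$results += [pscustomobject]@{
    Component = 'InternalTransportCertificateThumbprint'
    Expected  = $NewThumbprint
    Actual    = $transportThumb
    OK        = ($transportThumb -eq $NewThumbprint)
}

# 3b. Send Connector to Exchange Online (TlsCertificateName stringifies as <I>...<S>...)
$sendName = (Get-SendConnector -Identity $SendConnectorName).TlsCertificateName
$results += [pscustomobject]@{
    Component = "Send connector '$SendConnectorName'"
    Expected  = $TLSCert
    Actual    = "$sendName"
    OK        = ("$sendName" -eq $TLSCert)
}

# 3c. Default Frontend Receive Connector on this server
$rc = Get-ReceiveConnector -Identity "$ServerName\Default Frontend $ServerName"
$results += [pscustomobject]@{
    Component = "Receive connector '$($rc.Identity)'"
    Expected  = $TLSCert
    Actual    = "$($rc.TlsCertificateName)"
    OK        = ("$($rc.TlsCertificateName)" -eq $TLSCert)
}

$results | Format-Table Component, OK, Expected, Actual -AutoSize -Wrap

if ($results | Where-Object { -not $_.OK }) {
    Write-Warning 'At least one component still references the old certificate; mail to/from Exchange Online will queue or be delayed until it is fixed.'
}
```

Run it once per Exchange server (changing $ServerName) because certificate services and the Default Frontend connector are per-server, while the Send Connector is organization-wide and only needs to be checked once.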
#Within Exchange Online
#a. Verify the Exchange Online Hybrid Inbound connector (Connector labeled 'Inbound from <GUID> FROM: Your org To: O365')
#Within EAC --> Mail Flow --> Connectors, select the inbound connector from 'Your Org' to 'O365' and make sure the $TLSCert matches the "Authenticating Sent Email" Cert name
#b. Verify that the TLS properties of the Exchange Online Hybrid Outbound Connector use a namespace that is present as the Subject or a Subject Alternative Name in your new certificate
#Within EAC --> Mail Flow --> Connectors, select the outbound connector from 'O365' to 'Your Org' and make sure it references a namespace (e.g. mail.domain.com) that is listed in your certificate as the Subject or a Subject Alternative Name.
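The EAC checks in a. and b. above can also be done from Exchange Online PowerShell. The script below is an added example, not from the original notes; it assumes Connect-ExchangeOnline has already been run, and that $TLSCert and the certificate's domain list were copied over from the on-premises session (the two values at the top are placeholders). It compares the hybrid Inbound Connector's TlsSenderCertificateName with $TLSCert and checks that the hybrid Outbound Connector's TlsDomain is covered by a name on the certificate, including wildcard names.

```powershell
# Added example (not from the original notes): verify the Exchange Online hybrid
# connectors against the new on-premises certificate. Requires an existing
# Exchange Online PowerShell session (Connect-ExchangeOnline).
# Placeholders (assumptions) - paste the real values from the on-premises shell:
$TLSCert     = '<I>CN=<issuer>...<S>CN=mail.domain.com'          # $TLSCert built on-premises
$CertDomains = @('mail.domain.com', 'autodiscover.domain.com')  # $Cert.CertificateDomains on-premises

$results = @()

# a. Hybrid inbound connector (Your org -> O365) authenticates the sender by certificate name
$inbound = Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' }
foreach ($c in $inbound) {
    $actual = "$($c.TlsSenderCertificateName)"
    $results += [pscustomobject]@{
        Connector = "Inbound: $($c.Name)"
        Expected  = $TLSCert
        Actual    = $actual
        OK        = ($actual -eq $TLSCert)
    }
}

# b. Hybrid outbound connector (O365 -> Your org) validates the on-premises TLS cert against TlsDomain
$outbound = Get-OutboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' }
foreach ($c in $outbound) {
    $tlsDomain = "$($c.TlsDomain)"
    # Either side may be a wildcard (*.domain.com), so test the -like match in both directions
    $covered = $CertDomains | Where-Object { ($_ -like $tlsDomain) -or ($tlsDomain -like $_) }
    $results += [pscustomobject]@{
        Connector = "Outbound: $($c.Name)"
        Expected  = "TlsDomain covered by: $($CertDomains -join ', ')"
        Actual    = "TlsDomain = $tlsDomain"
        OK        = ([bool]$covered -and $tlsDomain -ne '')
    }
}

$results | Format-Table Connector, OK, Expected, Actual -AutoSize -Wrap

if ($results | Where-Object { -not $_.OK }) {
    Write-Warning 'A hybrid connector does not match the new certificate; fix it in EAC (Mail Flow --> Connectors) or with Set-InboundConnector / Set-OutboundConnector.'
}
```

Only the inbound connector stores the full Issuer/Subject string, so that is the one that must change when the issuer or subject of the renewed certificate differs from the old one; the outbound connector only needs changing if the namespace it points at is no longer on the certificate.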
#4. Restart your On-Premises Services
#a. Restart IIS, MSExchangePop*, MSExchangeImap*, MSExchangeTransport*
#5. Azure App Proxy: Upload and replace the Cert (from step 1) on Azure App Proxy (APP)