Notes on upgrading an Exchange On-Premises Certificate in an Exchange Online Hybrid Environment

Scenario: renewing the certificate that Exchange On-Premises presents to Exchange Online in a hybrid deployment, and re-pointing every service and connector that still references the old one. These are working notes, roughly in the order the steps should be done.


#After installing a new Exchange On-Premises server (or renewing the certificate on an existing one), check the following:

    #0. Renew the cert (On-Prem EAC)

            #Create a certificate request (CSR)
            #Submit the request to your certificate provider
            #Complete the pending request with the certificate the provider returns

    #1. Perform a fresh export and import of the cert to all servers
            #Do this via Exchange On-Premises EAC --> Servers --> Certificates.   Export the certificate (with its private key) protected by a password, then import that file on every other server.

    #2. Configure services on the cert
            #Find the thumbprint of the cert on the new server
                Get-ExchangeCertificate -Server <server>
            #Move the services to the new cert. Note: if prompted to replace the default SMTP certificate, answer yes so that SMTP moves from the old cert to the new one.
                Enable-ExchangeCertificate -Thumbprint <thumbprint> -Server <servername> -Services IMAP,POP,IIS,SMTP


    #3. SMTP routing:
            #Within Exchange On-Premises
                #a. Check and set the transport service to the new cert (Get-TransportService on Exchange 2013 and later; Get-TransportServer is the Exchange 2010 name):
                        Get-TransportService -Identity <servername> | Select InternalTransportCertificateThumbprint
                    #If the thumbprint is not the new cert, move the SMTP service (and any other service still on the old cert) to the new certificate
                        Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP
                    #Notes: The new Exchange certificate must be enabled for SMTP so that transport can offer it for TLS. If this is not done, message routing will break.

                    #For the next two, build the TlsCertificateName in issuer/subject format:
                        $Cert = Get-ExchangeCertificate -Thumbprint <thumbprint of new certificate> -Server <Exchange Server name>
                        $TLSCert = ('<I>' + $Cert.Issuer + '<S>' + $Cert.Subject)

            #b. Check and set $TLSCert on the Send Connector to Exchange Online
                        Get-SendConnector -Identity <Office 365 send connector> | Select TlsCertificateName
                    #If it is not using the new cert, run the following
                        Set-SendConnector -Identity <Office 365 send connector> -TlsCertificateName $TLSCert
                    #Notes: Mail from Exchange On-Premises to Exchange Online will not flow until the connector's TlsCertificateName matches the new certificate; until then messages queue on-premises.
            #c. Check and set $TLSCert on the Receive Connector
                        Get-ReceiveConnector "<Servername>\Default Frontend <Servername>" | Select TlsCertificateName
                    #If it is not using the new cert, run the following
                        Get-ReceiveConnector "<Servername>\Default Frontend <Servername>" | Set-ReceiveConnector -TlsCertificateName $TLSCert
                    #Notes: Until TlsCertificateName is set correctly, messages from Exchange Online to Exchange On-Premises may arrive with a delay of about 2 minutes. If the old, expired certificate has already been removed from the server, inbound routing can break completely rather than just slow down.

           #Within Exchange Online
           #a. Verify the Exchange Online hybrid inbound connector (labeled 'Inbound from <GUID>', FROM: Your org, TO: O365)
                    #Within EAC --> Mail Flow --> Connectors, select the inbound connector from 'Your Org' to 'O365' and make sure the certificate name under "Authenticating sent email" matches the subject of the new certificate (the name in the <S> part of $TLSCert), or a Subject Alternative Name on it
            #b. Verify that the TLS settings of the Exchange Online hybrid outbound connector (from 'O365' to 'Your Org') reference a namespace that appears as the Subject or a Subject Alternative Name in your new certificate
                    #Within EAC --> Mail Flow --> Connectors, select the outbound connector from 'O365' to 'Your Org' and make sure the domain it validates TLS against is a name listed in your certificate as the Subject or a Subject Alternative Name.

    #4. Restart your On-Premises Services
         #a. Restart IIS, MSExchangePop*, MSExchangeImap*, MSExchangeTransport*


    #5. Azure AD Application Proxy: if Exchange is published through App Proxy, upload the certificate exported in step 1 to the published application so that it replaces the old one there as well
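The on-premises part of steps 2 to 4 as one scripted, checked pass, plus a function for the Exchange Online connector check in step 3. This is an added example, not code from the original post. It assumes it runs in the Exchange Management Shell on the server that holds the new certificate; the thumbprint and the send-connector name are placeholders, and the Exchange Online function assumes the connectors the Hybrid Configuration Wizard creates (ConnectorType OnPremises).

```powershell
# Added example, not from the original post: steps 2 to 4 as one checked pass,
# run in the Exchange Management Shell on the server that holds the new cert.
# All values in this block are assumed placeholders; substitute your own.
$Server        = $env:COMPUTERNAME
$NewThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder
$SendConnector = 'Outbound to Office 365'                     # assumed HCW send connector name
$ReceiveConn   = "$Server\Default Frontend $Server"

# Step 2: locate the certificate and refuse to bind it if it cannot serve TLS.
$Cert = Get-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint
if (-not $Cert)                    { throw "Thumbprint $NewThumbprint not found on $Server" }
if (-not $Cert.HasPrivateKey)      { throw "No private key; re-import the PFX on $Server" }
if ($Cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($Cert.NotAfter)" }
if ($Cert.Status -ne 'Valid')      { Write-Warning "Certificate status is $($Cert.Status)" }

# -Force answers the 'replace the default SMTP certificate?' prompt with yes.
Enable-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint `
    -Services IMAP,POP,IIS,SMTP -Force

# Step 3: TlsCertificateName in the <I>issuer<S>subject form the connectors expect.
$TLSCert = "<I>$($Cert.Issuer)<S>$($Cert.Subject)"

# 3a. Transport service (Get-TransportService is the Exchange 2013+ cmdlet).
$Transport = Get-TransportService -Identity $Server
if ($Transport.InternalTransportCertificateThumbprint -ne $NewThumbprint) {
    Enable-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint -Services SMTP -Force
}

# 3b/3c. Connectors. TlsCertificateName is an object whose string form is the
# same <I>...<S>... layout, so compare the strings rather than the objects.
$Send = Get-SendConnector -Identity $SendConnector
if ("$($Send.TlsCertificateName)" -ne $TLSCert) {
    Set-SendConnector -Identity $SendConnector -TlsCertificateName $TLSCert
}
$Receive = Get-ReceiveConnector -Identity $ReceiveConn
if ("$($Receive.TlsCertificateName)" -ne $TLSCert) {
    Set-ReceiveConnector -Identity $ReceiveConn -TlsCertificateName $TLSCert
}

# The FQDN each connector advertises must be a Subject/SAN on the certificate,
# otherwise Exchange Online's TLS domain validation fails on the other side.
$CertNames = @($Cert.CertificateDomains | ForEach-Object { "$_" })
foreach ($Fqdn in @("$($Send.Fqdn)", "$($Receive.Fqdn)") | Where-Object { $_ }) {
    $covered = $CertNames | Where-Object {
        $_ -eq $Fqdn -or ($_.StartsWith('*.') -and $Fqdn -like $_)
    }
    if (-not $covered) { Write-Warning "Connector FQDN $Fqdn is not a SAN on the new certificate" }
}

# Step 4: restart so the new binding is actually served.
Get-Service MSExchangeTransport*, MSExchangePop*, MSExchangeImap* | Restart-Service -Force
iisreset /noforce

# Exchange Online side (step 3, 'Within Exchange Online'): run this function in a
# separate Exchange Online PowerShell session (Connect-ExchangeOnline), passing the
# $CertNames list built above. It checks the HCW-created on-premises connectors.
function Test-HybridConnectorTls {
    param([Parameter(Mandatory)][string[]]$CertNames)
    $ok = $true
    foreach ($c in Get-InboundConnector | Where-Object ConnectorType -eq 'OnPremises') {
        $name = "$($c.TlsSenderCertificateName)"
        if ($CertNames -notcontains $name) {
            Write-Warning "$($c.Name): TlsSenderCertificateName '$name' is not on the new cert"
            $ok = $false
        }
    }
    foreach ($c in Get-OutboundConnector | Where-Object ConnectorType -eq 'OnPremises') {
        $dom = "$($c.TlsDomain)"
        if ($c.TlsSettings -ne 'DomainValidation' -or $CertNames -notcontains $dom) {
            Write-Warning "$($c.Name): TlsSettings=$($c.TlsSettings), TlsDomain='$dom' does not match the new cert"
            $ok = $false
        }
    }
    return $ok
}
```

Usage: after the on-premises part has run, copy the `$CertNames` list into an Exchange Online session and call `Test-HybridConnectorTls -CertNames $CertNames`; it returns `$true` only when every hybrid connector's TLS name is a name on the new certificate. The Exchange Online comparison is exact, so a wildcard TlsSenderCertificateName such as `*.contoso.com` only passes if the certificate carries that wildcard name itself.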

