Difference between revisions of "Exchange Delegation Federation / Microsoft Federation Gateway / Renew Certificate"
From Ilianko
(Created page with "Image:certtificate_about_to_expire.png") |
|||
| Line 1: | Line 1: | ||
| + | EAC is alerting for certificate expiration. | ||
| + | |||
[[Image:certtificate_about_to_expire.png]] | [[Image:certtificate_about_to_expire.png]] | ||
| + | |||
| + | It is easier to renew the certificate before expiration. | ||
| + | |||
| + | ==Generate new self signed certificate from exchange shell== | ||
| + | |||
| + | Key Identifier ( Random name for the key) | ||
| + | $:\> $SKI = [System.Guid]::NewGuid().ToString("N"); | ||
| + | $:\> echo $SKI | ||
| + | 3ecaf8d9942c4fb4848e6201810e0734 | ||
| + | |||
| + | Create Key | ||
| + | New-ExchangeCertificate -DomainName 'Federation' -FriendlyName "Exchange Delegation Federation" ` | ||
| + | -Services Federation -SubjectKeyIdentifier $SKI -PrivateKeyExportable $true | ||
| + | |||
| + | Thumbprint Subject | ||
| + | ---------- ------- | ||
| + | 133F83817AD86C127C0A71B92214C52D6B3A4D31 CN=Federation | ||
| + | |||
| + | ==Set the "next" in exchange== | ||
| + | |||
| + | $:\>Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint 133F83817AD86C127C0A71B92214C52D6B3A4D31 -RefreshMetaData | ||
| + | |||
| + | WARNING: The federation trust has changed to prepare for the usage of a new certificate for Federation. ` | ||
| + | You should update all TXT proof-of-ownership records that were previously set in DNS for all the domains ` | ||
| + | configured for Federation before publishing the new certificate. | ||
| + | The new hash-value should be replaced with the OrgNextCertificate proof value output generated with ` | ||
| + | "Get-FederatedDomainProof -DomainName example.com". | ||
| + | |||
| + | ==Update DNS TXT record== | ||
| + | |||
| + | Find the TXT record responsible for Federation | ||
| + | $:\>nslookup -type=txt example.com 8.8.8.8 | ||
| + | |||
| + | example.com text = "v=spf1 mx -all" | ||
| + | example.com text = "google-site-verification=... | ||
| + | example.com text = "" | ||
| + | |||
| + | Authoritative answers can be found from: | ||
| + | |||
| + | |||
| + | izqi33FMhbo05dK8M+Tek1gj7frqmnatO1hM5MWLx98yLivsrIJQ6M1ZkSqGwma0Fjv4W90bmSE4... | ||
Revision as of 12:23, 2 December 2019
EAC is alerting for certificate expiration.
It is easier to renew the certificate before expiration.
Generate new self signed certificate from exchange shell
Key Identifier ( Random name for the key)
$:\> $SKI = [System.Guid]::NewGuid().ToString("N");
$:\> echo $SKI
3ecaf8d9942c4fb4848e6201810e0734
Create Key
New-ExchangeCertificate -DomainName 'Federation' -FriendlyName "Exchange Delegation Federation" ` -Services Federation -SubjectKeyIdentifier $SKI -PrivateKeyExportable $true
Thumbprint Subject ---------- ------- 133F83817AD86C127C0A71B92214C52D6B3A4D31 CN=Federation
Set the "next" in exchange
$:\>Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint 133F83817AD86C127C0A71B92214C52D6B3A4D31 -RefreshMetaData
WARNING: The federation trust has changed to prepare for the usage of a new certificate for Federation. ` You should update all TXT proof-of-ownership records that were previously set in DNS for all the domains ` configured for Federation before publishing the new certificate. The new hash-value should be replaced with the OrgNextCertificate proof value output generated with ` "Get-FederatedDomainProof -DomainName example.com".
Update DNS TXT record
Find the TXT record responsible for Federation
$:\>nslookup -type=txt example.com 8.8.8.8
example.com text = "v=spf1 mx -all" example.com text = "google-site-verification=... example.com text = ""
Authoritative answers can be found from:
izqi33FMhbo05dK8M+Tek1gj7frqmnatO1hM5MWLx98yLivsrIJQ6M1ZkSqGwma0Fjv4W90bmSE4...
