Difference between revisions of "Exchange Delegation Federation / Microsoft Federation Gateway / Renew Certificate"
From Ilianko
Revision as of 12:23, 2 December 2019
EAC is alerting for certificate expiration.

It is easier to renew the certificate before it expires.

== Generate new self signed certificate from exchange shell ==

Key Identifier (a random name for the key):

 $:\> $SKI = [System.Guid]::NewGuid().ToString("N");
 $:\> echo $SKI
 3ecaf8d9942c4fb4848e6201810e0734

Create the key:

 New-ExchangeCertificate -DomainName 'Federation' -FriendlyName "Exchange Delegation Federation" `
     -Services Federation -SubjectKeyIdentifier $SKI -PrivateKeyExportable $true

 Thumbprint                                Subject
 ----------                                -------
 133F83817AD86C127C0A71B92214C52D6B3A4D31  CN=Federation

== Set the "next" in exchange ==

 $:\>Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint 133F83817AD86C127C0A71B92214C52D6B3A4D31 -RefreshMetaData

 WARNING: The federation trust has changed to prepare for the usage of a new certificate for Federation.
 You should update all TXT proof-of-ownership records that were previously set in DNS for all the domains
 configured for Federation before publishing the new certificate.
 The new hash-value should be replaced with the OrgNextCertificate proof value output generated with
 "Get-FederatedDomainProof -DomainName example.com".

== Update DNS TXT record ==

Find the TXT record responsible for Federation (the current proof is the long base64 value, truncated here):

 $:\>nslookup -type=txt example.com 8.8.8.8

 example.com text = "v=spf1 mx -all"
 example.com text = "google-site-verification=...
 example.com text = ""

 Authoritative answers can be found from:

 izqi33FMhbo05dK8M+Tek1gj7frqmnatO1hM5MWLx98yLivsrIJQ6M1ZkSqGwma0Fjv4W90bmSE4...
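As an added example (not part of the original page), a PowerShell check to run from the Exchange Management Shell before the new certificate is published: it reads the current and staged ("next") federation certificates from the trust, computes the OrgNextCertificate proof for every federated domain with Get-FederatedDomainProof, and verifies that DNS already serves it, so the DNS step above is confirmed rather than assumed. The trust name and the 8.8.8.8 resolver come from the page; the property names OrgCertificate, OrgNextCertificate, Domains, Thumbprint and Proof are assumed from the cmdlets' default output, and the 30-day warning threshold is a constructed value.

```powershell
# Added example, not code from the original page. Run in the Exchange Management Shell.
# Assumptions: trust name as on the page; property names OrgCertificate / OrgNextCertificate
# (Get-FederationTrust), Domains (Get-FederatedOrganizationIdentifier) and Thumbprint / Proof
# (Get-FederatedDomainProof) as shown in the cmdlets' default output.

$TrustName = "Microsoft Federation Gateway"
$DnsServer = "8.8.8.8"   # public resolver used on the page; any recursive resolver works
$WarnDays  = 30          # constructed threshold for the expiry warning

# 1. Which certificate is live and which one is staged as "next"?
$trust   = Get-FederationTrust -Identity $TrustName
$current = $trust.OrgCertificate
$next    = $trust.OrgNextCertificate

"Current federation cert: {0} (expires {1:yyyy-MM-dd})" -f $current.Thumbprint, $current.NotAfter
if ($next) {
    "Next federation cert:    {0} (expires {1:yyyy-MM-dd})" -f $next.Thumbprint, $next.NotAfter
} else {
    Write-Warning "No next certificate staged; run Set-FederationTrust -Thumbprint <new thumbprint> first."
}

$daysLeft = ($current.NotAfter - (Get-Date)).Days
if ($daysLeft -lt $WarnDays) {
    Write-Warning ("Current federation certificate expires in {0} days" -f $daysLeft)
}

# 2. For every federated domain, compute the proof for the *next* certificate and check
#    whether DNS already serves it. Publishing before the TXT records are updated is what
#    the Set-FederationTrust WARNING is about: domain ownership validation would fail.
$domains = (Get-FederatedOrganizationIdentifier).Domains |
    ForEach-Object { $_.DomainName.ToString() }

$results = foreach ($d in $domains) {
    $proofs       = Get-FederatedDomainProof -DomainName $d
    $nextProof    = ($proofs | Where-Object { $_.Thumbprint -eq $next.Thumbprint }).Proof
    $currentProof = ($proofs | Where-Object { $_.Thumbprint -eq $current.Thumbprint }).Proof

    # Collect TXT values; long values may be split into 255-byte chunks, so join them.
    $txt = @()
    try {
        $txt = Resolve-DnsName -Name $d -Type TXT -Server $DnsServer -ErrorAction Stop |
            Where-Object { $_.Strings } |
            ForEach-Object { -join $_.Strings }
    } catch {
        Write-Warning ("TXT lookup failed for {0}: {1}" -f $d, $_.Exception.Message)
    }

    [pscustomobject]@{
        Domain          = $d
        NextProofInDns  = [bool]($nextProof -and ($txt -contains $nextProof))
        OldProofInDns   = [bool]($currentProof -and ($txt -contains $currentProof))
        TxtRecordCount  = @($txt).Count
        NextProof       = $nextProof
    }
}

$results | Format-Table Domain, NextProofInDns, OldProofInDns, TxtRecordCount -AutoSize

# 3. Gate the publish step on the check: continue only when every domain serves the new proof.
if ($results | Where-Object { -not $_.NextProofInDns }) {
    Write-Warning "Some domains do not yet serve the OrgNextCertificate proof in DNS. Do not publish yet."
} else {
    "All federated domains serve the new proof; the staged certificate can be published."
}
```

The script is read-only: it changes neither the trust nor DNS. The page's procedure stops at updating the TXT record; the step the WARNING calls "publishing the new certificate" is Set-FederationTrust -PublishFederationCertificate, which is not shown on the page and should only be run once every domain reports NextProofInDns as True. Public resolvers cache TXT records, so a freshly updated record may still show the old proof until the TTL expires; querying an authoritative name server for the domain avoids that lag.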