Exchange Delegation Federation / Microsoft Federation Gateway / Renew Certificate

From Ilianko
Revision as of 12:23, 2 December 2019 by Anko

The EAC (Exchange Admin Center) is warning that the federation certificate is about to expire.

[Image: Certtificate about to expire.png]

It is easier to renew the certificate before it expires: the old certificate keeps federation working while the new one is staged and the DNS proof is updated.

Generate a new self-signed certificate from the Exchange Management Shell

Subject Key Identifier (a random value that identifies the new key; a GUID in "N" format gives 32 hex characters)

$:\> $SKI = [System.Guid]::NewGuid().ToString("N");
$:\> echo $SKI
  3ecaf8d9942c4fb4848e6201810e0734

Create the certificate

$:\> New-ExchangeCertificate -DomainName 'Federation' -FriendlyName "Exchange Delegation Federation" `
  -Services Federation -SubjectKeyIdentifier $SKI -PrivateKeyExportable $true
Thumbprint                                Subject
----------                                -------
133F83817AD86C127C0A71B92214C52D6B3A4D31  CN=Federation

Set the new certificate as the "next" certificate of the federation trust

The current certificate stays in use until the new one is published, so federation is not interrupted while the DNS proof is being updated.

$:\> Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint 133F83817AD86C127C0A71B92214C52D6B3A4D31 -RefreshMetaData
WARNING: The federation trust has changed to prepare for the usage of a new certificate for Federation.
You should update all TXT proof-of-ownership records that were previously set in DNS for all the domains
configured for Federation before publishing the new certificate.
The new hash-value should be replaced with the OrgNextCertificate proof value output generated with
"Get-FederatedDomainProof -DomainName example.com".

Update the DNS TXT record

The TXT record is the proof of domain ownership that the Microsoft Federation Gateway checks. The proof value is generated for a specific certificate, so every federated domain needs a new proof value for the new certificate before it is published. Find the TXT record that currently holds the federation proof:

$:\> nslookup -type=txt example.com  8.8.8.8
example.com	text = "v=spf1 mx -all"
example.com	text = "google-site-verification=...
example.com	text = ""

Authoritative answers can be found from:

izqi33FMhbo05dK8M+Tek1gj7frqmnatO1hM5MWLx98yLivsrIJQ6M1ZkSqGwma0Fjv4W90bmSE4...
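The whole renewal as one Exchange Management Shell script, added here as an example; it is not part of the original page. It assumes the default trust name "Microsoft Federation Gateway", the federated domain example.com, that the Get-FederatedDomainProof output exposes the proof value in a property named Proof, and that Resolve-DnsName (DnsClient module) is available on the server; 8.8.8.8 is the resolver used above.

```powershell
# Added example, not from the original page: renew the federation certificate end to end
# in the Exchange Management Shell and verify the DNS proof before publishing it.
# Assumptions: default trust name, federated domain example.com, the Proof property name
# on Get-FederatedDomainProof output, and Resolve-DnsName available on this server.

$TrustName = "Microsoft Federation Gateway"   # default name of the trust
$Domain    = "example.com"                    # assumed federated domain
$Resolver  = "8.8.8.8"                        # public resolver used on the page

# 1. Random Subject Key Identifier (32 hex characters), as on the page
$SKI = [System.Guid]::NewGuid().ToString("N")

# 2. New self-signed federation certificate. -KeySize 2048 is an added choice;
#    -PrivateKeyExportable lets the certificate be exported if it ever has to be moved.
$NewCert = New-ExchangeCertificate -DomainName "Federation" `
    -FriendlyName "Exchange Delegation Federation" -Services Federation `
    -SubjectKeyIdentifier $SKI -PrivateKeyExportable $true -KeySize 2048

# 3. Stage it as the "next" certificate; the current certificate keeps working meanwhile
Set-FederationTrust -Identity $TrustName -Thumbprint $NewCert.Thumbprint -RefreshMetadata

# 4. Proof value that the TXT record for the domain must carry for the new certificate
$ProofRecord = Get-FederatedDomainProof -DomainName $Domain -Thumbprint $NewCert.Thumbprint
$Expected    = $ProofRecord.Proof    # assumed property name of the proof string
Write-Host "Publish this TXT value for ${Domain}:"
Write-Host $Expected

# 5. Once DNS has been updated, check it through a public resolver. TXT values
#    longer than 255 bytes come back split into several strings, so join them first.
function Test-FederationProof {
    param([string]$DomainName, [string]$ExpectedProof, [string]$Server)
    $records = Resolve-DnsName -Name $DomainName -Type TXT -Server $Server -ErrorAction Stop
    foreach ($rec in $records) {
        if (($rec.Strings -join "") -eq $ExpectedProof) { return $true }
    }
    return $false
}

if (Test-FederationProof -DomainName $Domain -ExpectedProof $Expected -Server $Resolver) {
    Write-Host "Proof found in DNS. Publish the new certificate with:"
    Write-Host "Set-FederationTrust -Identity '$TrustName' -PublishFederationCertificate"
} else {
    Write-Warning "Proof not visible in DNS yet; do not publish the new certificate."
}
```

Run it step by step rather than in one go: the DNS check at the end only succeeds after the TXT change has propagated, and the publish command is printed rather than executed on purpose, so nothing switches certificates before the proof is in place.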