Delegation Certificate renewal

Glenn Maxwell 13,346 Reputation points
2026-03-03T11:41:04.2366667+00:00

Hi All,

I am running a hybrid environment with Microsoft Exchange Server Subscription Edition. All user mailboxes are created on-premises and then migrated to Exchange Online. I have replaced my actual domain name with contoso.com in the examples below. My Exchange Delegation Federation certificate is expiring, and I need guidance on the correct renewal process.

Current Status: In the Exchange Admin Center → Servers → Certificates, the certificate Exchange Delegation Federation shows Status: Valid, Issuer: CN=Federation, Subject: CN=Federation, Subject Alternative Name: Federation, and Services: SMTP.

[Screenshot: the Exchange Delegation Federation certificate as shown in the Exchange Admin Center]

I am referring to the following Microsoft article:

https://learn.microsoft.com/en-us/exchange/renew-the-federation-certificate-exchange-2013-help#update-a-working-federation-certificate

I would appreciate confirmation that my understanding is correct, and please correct my syntax where needed, as my certificate is expiring tomorrow.

  1. Create a new federation certificate:

$SKI = [System.Guid]::NewGuid().ToString("N"); New-ExchangeCertificate -DomainName 'Federation' -FriendlyName "Exchange Delegation Federation" -Services Federation -SubjectKeyIdentifier $SKI -PrivateKeyExportable $true

Do I need to run this command separately for contoso.com and abc.contoso.com, or is a single certificate with -DomainName 'Federation' sufficient?

  2. Update the federation trust:

Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint <NewThumbprint> -RefreshMetaData

Should the identity be "Microsoft Federation Gateway" or "Exchange Delegation Federation"? I believe "Microsoft Federation Gateway" is correct.

  3. Add the TXT record to the external DNS:

Get-FederatedDomainProof -DomainName contoso.com

Get-FederatedDomainProof -DomainName abc.contoso.com

  4. Publish the new federation certificate:

Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate

Should the identity be "Microsoft Federation Gateway" or "Exchange Delegation Federation"? I believe "Microsoft Federation Gateway" is correct.

Please let me know if I am missing any steps.

Exchange | Exchange Server | Management

Answer accepted by question author
Hin-V 13,070 Reputation points, Microsoft External Staff Moderator
2026-03-03T13:53:11.17+00:00

    Hi @Glenn Maxwell

    Thank you for posting your question in the Microsoft Q&A forum.  

    I understand that you are considering renewing the federation certificate in your tenant. 

    Regarding your concerns: 

    For creating a new federation certificate: 

    The federation certificate does not depend on individual domains (such as contoso.com or abc.contoso.com in your example). It is only used to establish the trust between your Exchange on‑premises environment and the Microsoft Federation Gateway. The actual SMTP domains are represented separately under the Federated Domains in the Federation Trust, and ownership of each domain is validated through TXT proof records, not through the certificate itself.

    This means you do not need to run the certificate creation command per domain, and a single certificate with -DomainName 'Federation' is sufficient. 

    For the Identity parameter used in Set‑FederationTrust in step 2 and step 4: 

    “Microsoft Federation Gateway” is the correct value to use. This is the name of the federation trust object and must be referenced whenever updating the trust or publishing the new federation certificate. In contrast, “Exchange Delegation Federation” is only the friendly name of the certificate and should not be used as the identity in these commands.

    Therefore, your Delegation Certificate renewal process aligns with Microsoft’s documented behavior and is correctly structured. 

    If you have any additional concerns, feel free to comment below. I would be more than happy to assist. 


    Note: Please follow the steps in [our documentation] to enable e-mail notifications if you want to receive the related email notification for this thread. 


1 additional answer

Q&A Assist
2026-03-03T11:41:28.1733333+00:00
AI generated content. This answer was created with AI from Q&A Assist.

    The federation certificate used by Exchange (“Exchange Delegation Federation”) is a single self‑signed certificate that secures the trust with the Microsoft Federation Gateway. It is not tied to individual accepted domains such as contoso.com or abc.contoso.com. Those domains are represented in the federation trust and by the TXT proof records, not in the certificate itself.

    Based on the provided context, the following points can be confirmed:

    1. New federation certificate creation
      A single certificate with -DomainName 'Federation' is sufficient. There is no need to create separate certificates for contoso.com and abc.contoso.com. The certificate is for the federation trust, not for each federated domain.
    2. Updating the federation trust to use the new certificate
      The Set-FederationTrust cmdlet must target the federation trust object, whose identity is "Microsoft Federation Gateway". The certificate object is “Exchange Delegation Federation”, but the trust is with Microsoft Federation Gateway. Therefore, using: Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint <NewThumbprint> -RefreshMetaData is correct according to the federation procedures.
    3. TXT records for federated domains
      TXT records are per federated domain. Running:
      Get-FederatedDomainProof -DomainName contoso.com
      Get-FederatedDomainProof -DomainName abc.contoso.com
      and publishing/validating the TXT records for each domain is the correct approach when configuring or re‑proving those domains in the federation trust.
    4. Publishing the federation certificate
      The -PublishFederationCertificate operation is also performed against the federation trust object, so the identity again should be "Microsoft Federation Gateway": Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
    5. Additional considerations
      The context notes that issues can occur if the new certificate is missing from the certificate store when attempting to roll or publish it. Ensure the new self‑signed federation certificate is present and valid in the Exchange certificate store before running Set-FederationTrust -PublishFederationCertificate. If the certificate cannot be found by thumbprint, the federation trust update will fail with an error similar to “Federation certificate with the thumbprint … cannot be found.”

    Within the provided material, no additional mandatory steps beyond creating the new federation certificate, updating the federation trust to use it, and ensuring DNS proof records for each federated domain are present are described.

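Putting the four steps from the question, the single-certificate and trust-identity points from the accepted answer, and the "certificate missing from the store" caveat from the answer above into one Exchange Management Shell script. This is an added example, not code from the question, either answer, or the Microsoft article. It assumes (none of these are stated on the page) that Get-FederationTrust exposes OrgCertificate and OrgNextCertificate properties, that Get-FederatedDomainProof accepts a -Thumbprint parameter to generate proof for a specific certificate, and that a mailbox user@contoso.com exists for the final Test-FederationTrust check; contoso.com and abc.contoso.com are the placeholder domains from the question.

```powershell
# Added example, not code from the question, the answers or the Microsoft article.
# Federation certificate rollover as one Exchange Management Shell session.
# Assumptions (not from the page): Get-FederationTrust exposes OrgCertificate and
# OrgNextCertificate, Get-FederatedDomainProof accepts -Thumbprint, and the mailbox
# user@contoso.com exists for the final Test-FederationTrust check.

$TrustName = 'Microsoft Federation Gateway'        # the trust object, never the cert friendly name
$Domains   = @('contoso.com', 'abc.contoso.com')   # placeholder federated domains from the question

# 1. One self-signed federation certificate covers the trust; it is not created per domain.
$SKI     = [System.Guid]::NewGuid().ToString('N')
$NewCert = New-ExchangeCertificate -DomainName 'Federation' `
    -FriendlyName 'Exchange Delegation Federation' `
    -Services Federation `
    -SubjectKeyIdentifier $SKI `
    -PrivateKeyExportable $true
$NewThumbprint = $NewCert.Thumbprint

# 2. Pre-flight: Set-FederationTrust fails with "Federation certificate with the thumbprint
#    ... cannot be found" if the cert is missing from the Exchange store, so look it up first.
#    -ErrorAction Stop turns a missing certificate into a terminating error here, not later.
$InStore = Get-ExchangeCertificate -Thumbprint $NewThumbprint -ErrorAction Stop
if ($InStore.NotAfter -le (Get-Date)) {
    throw "New federation certificate $NewThumbprint is not valid; aborting before touching the trust."
}

# 3. Stage the new certificate as the trust's next certificate, then refresh gateway metadata.
#    Two separate calls, so each parameter is used on its own.
Set-FederationTrust -Identity $TrustName -Thumbprint $NewThumbprint
Set-FederationTrust -Identity $TrustName -RefreshMetadata

# 4. Generate the TXT proof for each federated domain against the NEW certificate
#    (-Thumbprint on Get-FederatedDomainProof is an assumption, see lead-in). These records
#    are added to external DNS by hand; leave the existing proof records in place until step 6.
foreach ($Domain in $Domains) {
    Write-Output "--- DNS proof record for $Domain ---"
    Get-FederatedDomainProof -DomainName $Domain -Thumbprint $NewThumbprint | Format-List
}

# 5. Show current vs. staged certificate so the operator can confirm the state before rolling.
Get-FederationTrust -Identity $TrustName | Format-List Name, OrgCertificate, OrgNextCertificate

# 6. Only after the new TXT records resolve in public DNS, promote the next certificate to current.
Read-Host 'Press Enter once the new TXT records resolve in public DNS'
Set-FederationTrust -Identity $TrustName -PublishFederationCertificate

# 7. Verify the trust end to end with a real mailbox (assumed to exist).
Test-FederationTrust -UserIdentity 'user@contoso.com' -Verbose
```

Run this on the on-premises Exchange server that holds the federation trust. The pause before step 6 is deliberate: the old proof records stay in DNS until the new certificate has been published, so there is no window in which a federated domain has no valid proof, and step 2 catches the store mismatch described in point 5 above before any change is made to the trust.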
