
Certificate renewal

Glenn Maxwell 13,346 Reputation points
2026-03-03T18:58:51.4866667+00:00

I am using Exchange Server SE (Subscription Edition). The Microsoft Exchange Server Auth Certificate on my server is expiring. Below is the current certificate information:

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List Subject, Thumbprint, NotAfter, NotBefore

Subject    : CN=Microsoft Exchange Server Auth Certificate 
Thumbprint : A......
NotAfter   : 

To renew the Exchange Auth Certificate, I am planning to use the following steps:

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName "mydomain.com"

Set-AuthConfig -NewCertificateThumbprint "............................" -NewCertificateEffectiveDate (Get-Date)

Set-AuthConfig -PublishCertificate

Set-AuthConfig -ClearPreviousCertificate

Can someone please confirm whether these are the correct and recommended steps to renew the Microsoft Exchange Server Auth Certificate in Exchange Server SE?

Exchange | Exchange Server | Management

2 answers

  1. Jade-T 10,785 Reputation points Microsoft External Staff Moderator
    2026-03-04T01:34:11.9466667+00:00

    Hi @Glenn Maxwell

    Thank you for posting your question in the Q&A Forum. 

    For Microsoft Exchange Server, the Microsoft Exchange Server Auth Certificate is used for internal OAuth authentication and does not require any domain names or SAN entries.

    Regarding your specific questions:

    1. New-ExchangeCertificate – DomainName parameter

    For the Auth certificate, it is recommended to use:

    -DomainName @()
    

    Since this certificate is not used for client-facing services, DNS names are not required.

    2. NewCertificateEffectiveDate

    Using UTC time is generally recommended:

    -NewCertificateEffectiveDate (Get-Date).ToUniversalTime()
    

    This helps avoid potential timing or replication inconsistencies, particularly in multi-server environments.

    Suggested sequence:

    • Create the new certificate
    • Run Set-AuthConfig -NewCertificateThumbprint
    • Run Set-AuthConfig -PublishCertificate
    • Verify the configuration using Get-AuthConfig
    • After Active Directory replication has completed, run Set-AuthConfig -ClearPreviousCertificate

    For official Microsoft documentation on Set-AuthConfig and certificate configuration, you can refer to: https://learn.microsoft.com/powershell/module/exchangepowershell/set-authconfig

    This page covers the parameters used during OAuth certificate rotation and provides the authoritative guidance for managing the Auth configuration in Exchange. There is no need to assign this certificate to IIS. Service restarts are typically not required.

    If the environment includes multiple Exchange servers or hybrid configuration, it would be advisable to allow sufficient time for replication before clearing the previous certificate.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".    

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Q&A Assist
    2026-03-03T18:59:08.01+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The documented and recommended steps for renewing or replacing the Microsoft Exchange Server Auth Certificate in Exchange Server 2016/2019/SE are:

    1. Create a new OAuth/Auth certificate (self-signed):
    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
    

    Note the thumbprint of the new certificate from the command output.

    2. Configure the new certificate in AuthConfig and set the effective date:
    Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date).ToUniversalTime()
    
    3. Publish the new certificate and clear the previous one:
    Set-AuthConfig -PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate
    
    4. Restart the Microsoft Exchange Service Host service, and recycle IIS/OWA/ECP:
    Restart-Service MSExchangeServiceHost
    
    # Or recycle the app pools instead of full IIS reset
    Restart-WebAppPool MSExchangeOWAAppPool
    Restart-WebAppPool MSExchangeECPAppPool
    

    Key differences from the planned steps:

    • The documented command uses -DomainName @() (empty array) for the Auth certificate, not an SMTP domain such as "mydomain.com".
    • -NewCertificateEffectiveDate should use (Get-Date).ToUniversalTime().
    • The thumbprint value in Set-AuthConfig must be taken from the actual output of New-ExchangeCertificate, not hard-coded.

    These steps match the recommended procedure for creating and deploying a new OAuth/Auth certificate when the existing Microsoft Exchange Server Auth Certificate is expiring or expired in Exchange Server SE.


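Both answers above give the same rotation sequence (create with `-DomainName @()`, stage with a UTC effective date, publish, verify, clear the previous certificate only after replication). The script below is an added example, not code from either answer, from Microsoft, or from Exchange itself: it wraps that sequence in helpers that check the result of each stage with `Get-AuthConfig` before continuing, and refuses to clear the previous certificate until the new thumbprint is visible on every Exchange server. Assumed beyond what the thread shows: the `Get-AuthConfig` properties `NextCertificateThumbprint` and `PreviousCertificateThumbprint`, and `Get-ExchangeCertificate -Server` as the way to confirm distribution. Run it from the Exchange Management Shell.

```powershell
# Added example (not from the thread, Microsoft, or Exchange): verified Auth
# certificate rotation. Assumed property names beyond the page are marked inline.

function Get-AuthCertificateStatus {
    # Current Auth certificate, days left until expiry, and any staged successor.
    $cfg  = Get-AuthConfig
    $cert = $cfg.CurrentCertificateThumbprint | Get-ExchangeCertificate
    $left = $cert.NotAfter - (Get-Date)
    [pscustomobject]@{
        CurrentThumbprint = $cert.Thumbprint
        NotAfter          = $cert.NotAfter
        DaysRemaining     = [int]$left.TotalDays
        StagedThumbprint  = $cfg.NextCertificateThumbprint   # assumed property name
    }
}

function Test-AuthCertificatePresentOnAllServers {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # $true only when every Exchange server already holds the certificate.
    $missing = foreach ($srv in Get-ExchangeServer) {
        $found = Get-ExchangeCertificate -Server $srv.Name -ErrorAction SilentlyContinue |
                 Where-Object { $_.Thumbprint -eq $Thumbprint }
        if (-not $found) { $srv.Name }
    }
    if ($missing) { Write-Warning "Certificate $Thumbprint not yet on: $($missing -join ', ')" }
    return (-not $missing)
}

function New-AuthCertificateAndPublish {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $status = Get-AuthCertificateStatus
    $msg = "Current Auth certificate {0} expires {1:u} ({2} days left)" -f $status.CurrentThumbprint, $status.NotAfter, $status.DaysRemaining
    Write-Verbose $msg
    if (-not $PSCmdlet.ShouldProcess('AuthConfig', 'Create, stage and publish a new Auth certificate')) { return }

    # Step 1: self-signed Auth certificate with no DNS names (-DomainName @()).
    $new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName 'cn=Microsoft Exchange Server Auth Certificate' `
        -FriendlyName 'Microsoft Exchange Server Auth Certificate' -DomainName @()

    # Step 2: stage it using the thumbprint from the cmdlet output and a UTC effective date.
    Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint `
        -NewCertificateEffectiveDate (Get-Date).ToUniversalTime()

    # Step 3: publish so Exchange distributes it to the other servers.
    Set-AuthConfig -PublishCertificate

    # Step 4: verify AuthConfig references the new thumbprint (current or staged) before returning it.
    $cfg = Get-AuthConfig
    if ($cfg.CurrentCertificateThumbprint -ne $new.Thumbprint -and
        $cfg.NextCertificateThumbprint -ne $new.Thumbprint) {
        throw "AuthConfig does not reference $($new.Thumbprint); current is $($cfg.CurrentCertificateThumbprint)"
    }
    return $new.Thumbprint
}

function Clear-PreviousAuthCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$NewThumbprint,
        [int]$ReplicationWaitSeconds = 900   # upper bound on how long to wait for AD replication
    )
    # Step 5: clear the previous certificate only once the new one is on every server.
    $deadline = (Get-Date).AddSeconds($ReplicationWaitSeconds)
    while (-not (Test-AuthCertificatePresentOnAllServers -Thumbprint $NewThumbprint)) {
        if ((Get-Date) -gt $deadline) {
            throw "Replication incomplete after $ReplicationWaitSeconds s; previous certificate left in place"
        }
        Start-Sleep -Seconds 60
    }
    if ($PSCmdlet.ShouldProcess('AuthConfig', 'Clear previous Auth certificate')) {
        Set-AuthConfig -ClearPreviousCertificate
        Get-AuthConfig | Format-List CurrentCertificateThumbprint, NextCertificateThumbprint, PreviousCertificateThumbprint
    }
}

# Usage: preview with -WhatIf first, then rotate, and clear only after the replication check passes.
# New-AuthCertificateAndPublish -WhatIf
# $tp = New-AuthCertificateAndPublish -Verbose
# Clear-PreviousAuthCertificate -NewThumbprint $tp
```

Keeping the clear step in a separate function is deliberate: the thread's main caution is that `Set-AuthConfig -ClearPreviousCertificate` should wait for Active Directory replication, so the script makes that a second, explicit action gated on a per-server check rather than something that runs automatically after publish.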
