Renew Microsoft Exchange Federation Certificates

Hello,

My Exchange Federation Certificate is expiring soon. Is there any way I can renew this with Let’s Encrypt?

I set up renewal of my HTTPS, SMTP, IMAP, and POP certificates OK with win-acme, but I’m unsure how to do this for Microsoft Exchange Federation Certificates.

Hi @ttblum,

It looks like this certificate is a different kind of certificate from the one that Let’s Encrypt issues.

According to

https://docs.microsoft.com/en-us/exchange/trusted-root-certification-authorities-for-federation-trusts-exchange-2013-help

there are some publicly-trusted CAs that can issue these certificates, but Let’s Encrypt is not one of them.

It seems that Microsoft recommends that you use self-signed certificates instead:

https://docs.microsoft.com/en-us/exchange/renew-the-federation-certificate-exchange-2013-help

There the basic idea is that if you are the administrator of both sides of the connection, you won’t need a third party to create your certificate because you can tell both sides that your own certificate is correct.

Hi Todd, you’ll have seen my response to the support email you sent to certifytheweb.com, but it looks to me like the federation certificates are self-signed: https://docs.microsoft.com/en-us/exchange/renew-the-federation-certificate-exchange-2013-help

I don’t think these certificates are actually different, but it isn’t necessary to have a CA-issued certificate for this purpose, and Microsoft discourages their customers from insisting on a CA-issued certificate here.

The EKU 1.3.6.1.5.5.7.3.2 must be present in the certificate (that’s the PKIX “Client Authentication” EKU), but this purpose doesn’t even care about the names, so any existing Let’s Encrypt certificate would technically be suitable, as they always include this EKU.

To me, the reason to use self-signed here is that it seems simpler and more likely to be understood by personnel who’ve worked with Exchange Federation before. A Let’s Encrypt certificate should, by my reading, actually work, but you’d have more trouble following instructions or onboarding new staff to an IT team doing it that way, and it seems to offer no benefits whatsoever.

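As an added example (not code from any of the posters above), the following PowerShell checks the point made in the reply above: whether a certificate carries the PKIX Client Authentication EKU 1.3.6.1.5.5.7.3.2 and how close it is to expiry. It assumes the Exchange Management Shell for the last step (that `Get-FederationTrust` is available and its `OrgCertificate` property is an X509Certificate2); the 30-day threshold is a constructed value.

```powershell
# Added example (not from the thread): flag certificates in the machine store
# that carry the PKIX Client Authentication EKU (1.3.6.1.5.5.7.3.2) and report
# how long each has left. Works on any X509Certificate2, so it can also be
# pointed at the federation trust's own certificate (see the end).

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-ClientAuthEku {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Read the EKU extension's OIDs. As the reply above notes, the EKU must
        # be present, so a certificate with no EKU extension is reported $false.
        $eku = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @()
        if ($eku) { $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }

        [pscustomobject]@{
            Thumbprint       = $Certificate.Thumbprint
            Subject          = $Certificate.Subject
            NotAfter         = $Certificate.NotAfter
            DaysLeft         = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
            HasClientAuthEku = ($oids -contains $ClientAuthOid)
            SelfSigned       = ($Certificate.Subject -eq $Certificate.Issuer)
        }
    }
}

# 1) Survey the local machine store: which certificates satisfy the EKU
#    requirement and expire within 30 days (constructed threshold).
Get-ChildItem Cert:\LocalMachine\My |
    Test-ClientAuthEku |
    Where-Object { $_.HasClientAuthEku -and $_.DaysLeft -lt 30 } |
    Format-Table Thumbprint, Subject, NotAfter, DaysLeft, SelfSigned -AutoSize

# 2) In the Exchange Management Shell, inspect the federation trust's current
#    certificate the same way (assumption: OrgCertificate is an X509Certificate2).
Get-FederationTrust | ForEach-Object { $_.OrgCertificate } | Test-ClientAuthEku
```

Run step 1 on any Windows host with the store in question and step 2 only inside the Exchange Management Shell; a certificate showing `HasClientAuthEku = False` would not meet the requirement described above regardless of who issued it.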
