My Exchange Federation Certificate is expiring soon. Is there any way I can renew this with Let’s Encrypt?
I set up renewal of my HTTPS, SMTP, IMAP, and POP certificates OK with win-acme, but I’m unsure how to do this for Microsoft Exchange Federation Certificates.
There the basic idea is that if you are the administrator of both sides of the connection, you won’t need a third party to create your certificate because you can tell both sides that your own certificate is correct.
I don’t think these certificates are actually different but it isn’t necessary to have a CA-issued certificate for this purpose and Microsoft discourages their customers from insisting on a CA-issued certificate here.
The EKU 1.3.6.1.5.5.7.3.2 must be present in the certificate (that’s the PKIX “Client Authentication” EKU), but this purpose doesn’t even care about the names, so any existing Let’s Encrypt certificate would technically be suitable as they always include this EKU.
To me the reason to use self-signed here is that it seems simpler and more likely to be understood by personnel who’ve worked with Exchange Federation before. A Let’s Encrypt certificate should by my reading actually work, but you’d have more trouble following instructions or onboarding new staff to an IT team doing it that way, and it seems to offer no benefits whatsoever.
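
One way to check a candidate certificate for the EKU named above and its remaining lifetime before relying on it. This is an added example, not code from the thread or from Microsoft. The function names `Test-ClientAuthEku`, `Get-ClientAuthReport` and `New-SampleCert` are hypothetical, the two sample certificates are constructed in memory, and it assumes .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # PKIX "Client Authentication" EKU from the thread
$EkuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

function Test-ClientAuthEku {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions | Where-Object { $_ -is $EkuType }
    if (-not $eku) { return $false }   # no EKU extension, so the OID is not present
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

function Get-ClientAuthReport {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificate)
    foreach ($c in $Certificate) {
        [pscustomobject]@{
            Subject       = $c.Subject
            Thumbprint    = $c.Thumbprint
            NotAfter      = $c.NotAfter
            DaysLeft      = [int]($c.NotAfter - (Get-Date)).TotalDays
            HasClientAuth = Test-ClientAuthEku -Certificate $c
        }
    }
}

# Builds a constructed, in-memory self-signed certificate carrying the given EKU OIDs.
function New-SampleCert {
    param([string]$Subject, [string[]]$EkuOids)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $Subject, $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if ($EkuOids) {
        $oids = [System.Security.Cryptography.OidCollection]::new()
        foreach ($o in $EkuOids) { [void]$oids.Add([System.Security.Cryptography.Oid]::new($o)) }
        $req.CertificateExtensions.Add($EkuType::new($oids, $false))
    }
    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now, $now.AddDays(30))
}

$samples = @(
    New-SampleCert 'CN=constructed-with-clientauth' @('1.3.6.1.5.5.7.3.1', $ClientAuthOid)
    New-SampleCert 'CN=constructed-serverauth-only' @('1.3.6.1.5.5.7.3.1')
)
Get-ClientAuthReport -Certificate $samples | Format-Table Subject, DaysLeft, HasClientAuth
# For installed certificates: Get-ClientAuthReport -Certificate (Get-ChildItem Cert:\LocalMachine\My)
```

The report covers only the EKU and the expiry date; it does not reproduce whatever other validation Exchange performs on a federation certificate.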