To configure federation you install an Exchange certificate, enable the certificate for Federation, and create a federation trust with Microsoft Federation Gateway. Eventually you will need to replace this certificate, either for business reasons or when the certificate expires. The usual way of doing this is to install a new Exchange certificate and configure it as the “Next Certificate” in the Manage Federation Certificate wizard, as shown below.
When you’re ready to replace the current federation certificate you simply run the Manage Federation wizard, select the “Roll certificate to make the next certificate as the current certificate” check box, and complete the wizard. What was the Next Certificate becomes the Current Certificate, and the Current Certificate becomes the Previous Certificate.
I ran into an interesting issue where the process above did not work. The customer deleted the Current Certificate from the computer’s local certificate store, rather than roll the Next Certificate into the current certificate’s place. This causes the Manage Federation wizard to break because it can’t locate the Current Certificate. I was also unable to use the Set-FederationTrust cmdlet in EMS – it would give the same error:
```powershell
[PS] C:\>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
Federation certificate with the thumbprint "29FD8FFF241A4317ABAAF326226BC209F682C2F3" cannot be found.
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], FederationCertificateInvalidException
    + FullyQualifiedErrorId : 906B427C,Microsoft.Exchange.Management.SystemConfigurationTasks.SetFederationTrust
```

To fix this, you’ll need to do it using ADSIEdit.
- Log into a computer with administrator rights and run ADSIEdit.msc
- Connect to the Configuration naming context
- Navigate to CN=Federation Trusts,CN=OrgName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
- Right-click CN=Microsoft Federation Gateway in the work pane and select Properties
- Edit the msExchFedOrgNextCertificate property (which contains the thumbprint of the Next Certificate) and copy the entire value. Close the msExchFedOrgNextCertificate property.
- Edit the msExchFedOrgPrivCertificate property (which contains the thumbprint of the Current Certificate, which was removed) and paste the value. Click OK to set the value.
- Wait for the change to replicate throughout your AD infrastructure.
- From the Exchange Management Console, run the Manage Federation Wizard. You will now notice that the Current Certificate and the Next Certificate are the same.
- Check “Roll certificate to make the next certificate as the current certificate” and complete the wizard.
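The same repair can be scripted instead of clicking through ADSIEdit; the PowerShell below is an added example, not part of the original post, and first verifies which federation certificates are actually present in the local machine store before touching AD. It assumes the RSAT ActiveDirectory module, write rights to the Configuration partition, a placeholder organization name `OrgName`, and that the two attributes hold plain thumbprint strings as described above.

```powershell
# Added example: automate the ADSIEdit steps above (copy Next -> Current thumbprint),
# but only after checking that the referenced certificates exist in Cert:\LocalMachine\My.
Import-Module ActiveDirectory

$orgName = 'OrgName'   # placeholder: replace with your Exchange organization name

# Locate CN=Microsoft Federation Gateway under CN=Federation Trusts in the Configuration NC
$configNC = (Get-ADRootDSE).configurationNamingContext
$trustDN  = "CN=Microsoft Federation Gateway,CN=Federation Trusts,CN=$orgName," +
            "CN=Microsoft Exchange,CN=Services,$configNC"
$trust = Get-ADObject -Identity $trustDN `
    -Properties msExchFedOrgPrivCertificate, msExchFedOrgNextCertificate

$current = $trust.msExchFedOrgPrivCertificate   # thumbprint of the Current Certificate
$next    = $trust.msExchFedOrgNextCertificate   # thumbprint of the Next Certificate

# A thumbprint is only usable by the wizard if the certificate (with its private key)
# is still installed in the local machine store. Assumes the store is Cert:\LocalMachine\My.
function Test-FederationCertPresent([string]$Thumbprint) {
    if ([string]::IsNullOrEmpty($Thumbprint)) { return $false }
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }   # -eq is case-insensitive
    return ($null -ne $cert) -and $cert.HasPrivateKey
}

if (Test-FederationCertPresent $current) {
    Write-Host "Current federation certificate $current is present; no AD repair needed."
    return
}

if (-not (Test-FederationCertPresent $next)) {
    throw "Neither the current ($current) nor the next ($next) certificate is in " +
          "Cert:\LocalMachine\My. Install a valid certificate before editing AD."
}

# Mirror the manual step: make the Next Certificate thumbprint the Current Certificate value.
Write-Host "Current certificate $current is missing; setting msExchFedOrgPrivCertificate to $next"
Set-ADObject -Identity $trustDN -Replace @{ msExchFedOrgPrivCertificate = $next }

# After AD replication, run the Manage Federation wizard and roll the certificate as above.
```

Run it on an Exchange server that holds the certificates, since the store check is local to the machine where the script executes.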