HOWTO Renew the Certificate on Exchange 2007 Edge Transport Server using Powershell

I have a small Exchange Server 2007 deployment with one edge transport server and one client access server. The Edge Transport server certificate had expired and I needed to create another one.

We first get the existing certificate by using the PowerShell command:

Get-ExchangeCertificate

which returns a list of current certificates. I had two certificates so I needed to use:

Get-ExchangeCertificate -thumbprint "your-thumbprint-here"

to get the correct one. After verifying that I had the latest certificate I piped this certificate into the New-ExchangeCertificate command via:

Get-ExchangeCertificate -thumbprint "your-thumbprint-here" | New-ExchangeCertificate

This created a new certificate with an expiry date of +5 years, but also included the warning:

WARNING: The internal transport certificate attribute for the local Edge Transport server has been updated. If this Edge Transport server is subscribed,  you must subscribe it again by using the New-EdgeSubscription cmdlet in the Exchange Management Shell, and then restart the Microsoft Exchange ADAM service.

So there is some more work to do. First you need to export the Edge Subscription data from the current server using the command:

New-EdgeSubscription -filename "your-edge-subscription.xml"

which exports the Edge Subscription information to the nominated file when run on your Edge Transport Server (the command is smart enough to know it needs to export the data and not import it). Then you copy this file to your Hub Transport server and run the same command, this time appending the site name:

New-EdgeSubscription -filename "your-edge-subscription.xml" -site "your-site-name"

By default the site name is “Default-First-Site-Name” but you can check your sites that are configured to use the Edge Transport server by opening up Exchange Management Console, Organization Configuration, Hub Transport and clicking the “Edge Subscriptions” tab. This will show the site name in the “Active Directory Site” column.

Everything seemed to be OK, but checking my Exchange Edge Transport Application event log showed the following error every five minutes:

The EdgeSync credential cn=ESRA.UNEX-EXCH-EDGE.UNEX-EXCH-02.0,CN=Services,CN=Configuration,CN={E0C281D5-5D17-4B14-A6F6-B88474F6C122} could not be decrypted by using the certificate with thumbprint 5DD5B1A15F7F4065559293DF77FDD72B3EFA8E8E. The exception is Bad Data.

. To resolve this problem, unsubscribe and resubscribe your Edge Transport server.

I checked the certificate, and sure enough there was an issue – the Root Authority for the certificate that was generated was not trusted. As the Root Authority was actually the certificate itself, I had to export the certificate and then import it into the Trusted Root Certificate Authorities in order to get it to accept the certificate. Opening the original certificate in Personal/Certificates showed the certificate to be valid.
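
The two conditions that caused trouble above (an expired certificate, and a self-signed certificate whose root is not trusted) can be checked ahead of time from the local certificate store. The script below is an added example, not part of the original post; the function name Test-LocalCertificate and the 60-day warning threshold are assumptions chosen for illustration.

```powershell
# Added example: report expiry and chain trust for every certificate in the
# local machine Personal store. Uses only the built-in Cert: provider and
# .NET X509Chain, so it does not depend on the Exchange snap-in.
function Test-LocalCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$WarnDays = 60    # assumed threshold, adjust to your renewal policy
    )
    $now = Get-Date
    # Thumbprints currently in Trusted Root Certification Authorities
    $rootThumbprints = @(Get-ChildItem Cert:\LocalMachine\Root |
        ForEach-Object { $_.Thumbprint })

    foreach ($cert in Get-ChildItem $StorePath) {
        # Build the chain without revocation lookups, so the check also works
        # on a perimeter server that cannot reach CRL or OCSP endpoints.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainValid = $chain.Build($cert)
        $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $statusText = [string]::Join(',', [string[]]$statuses)

        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

        $report = New-Object PSObject
        $report | Add-Member NoteProperty Thumbprint     $cert.Thumbprint
        $report | Add-Member NoteProperty Subject        $cert.Subject
        $report | Add-Member NoteProperty NotAfter       $cert.NotAfter
        $report | Add-Member NoteProperty DaysLeft       $daysLeft
        $report | Add-Member NoteProperty Expired        ($cert.NotAfter -lt $now)
        $report | Add-Member NoteProperty ExpiringSoon   ($daysLeft -ge 0 -and $daysLeft -lt $WarnDays)
        # A self-signed certificate is its own issuer, so it chains to a
        # trusted root only if a copy of it sits in the Root store.
        $report | Add-Member NoteProperty SelfSigned     ($cert.Subject -eq $cert.Issuer)
        $report | Add-Member NoteProperty InTrustedRoot  ($rootThumbprints -contains $cert.Thumbprint)
        $report | Add-Member NoteProperty ChainValid     $chainValid
        $report | Add-Member NoteProperty ChainStatus    $statusText
        $report
    }
}

# Show anything that is expired, close to expiry, or fails chain validation.
Test-LocalCertificate |
    Where-Object { $_.Expired -or $_.ExpiringSoon -or -not $_.ChainValid } |
    Format-List Thumbprint, Subject, NotAfter, DaysLeft, SelfSigned, InTrustedRoot, ChainStatus
```

A self-signed certificate that is missing from the Trusted Root store shows ChainValid as False with UntrustedRoot in ChainStatus, which is the situation described in the paragraph above.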


One Response to “HOWTO Renew the Certificate on Exchange 2007 Edge Transport Server using Powershell”

  1. slim Says:

    perfect, all what I needed … Thank you
