SSL Certificate Renewal Process for Exchange 2019 Hybrid Environment with Edge Servers

Question

Hello,

We are managing an Exchange Hybrid environment with the following on-premises setup:

• Two Exchange Mailbox Servers 2019
• Two Edge Servers 2019

Recently, we renewed our third-party SSL certificates, which include SANs for mail.xyz.com and autodiscover.xyz.com. I imported the renewed certificate on all four servers, but encountered these warnings:

1. Edge Servers need to be resubscribed after the SSL certificate renewal.
2. The same SSL certificate should not be used on both Hub Transport Servers and Edge Servers.

I’ve reviewed various Microsoft resources, but I'm still seeking clear guidance on the best practices and specific requirements for SSL certificate renewal in an Exchange 2019 environment, particularly when Edge Servers are involved.

Could anyone provide detailed advice or clarify the correct process for:

• Handling SSL certificates between Mailbox and Edge Servers
• Resubscribing Edge Servers following certificate renewal
• Best practices for SSL management in a hybrid setup

Any expert insights or pointers to relevant documentation would be highly valuable!

Thank you in advance for your support!

Answer 1

Hi, @JanakKhadka

Renewing your SSL certificate and ensuring that it's properly configured in your Exchange hybrid environment is a complex process indeed.

I try to give you some suggestions:

1.It is generally recommended to use separate SSL certificates for Mailbox servers and Edge servers. The main reason is enhanced security by isolating internal and external communication channels.

2.a. Certificate renewal on Mailbox servers: Import new SSL certificates on both Mailbox servers. Configure the service (IIS, SMTP, etc.) to use the new certificate. Verify certificate bindings and ensure that they match the expected service.

b. Certificate renewal on Edge Servers: Import new SSL certificates on both Edge Servers. Configure the Edge Transport service to use the new certificate. Verify that the certificate is correctly assigned to the SMTP service on the Edge Server.

3.If you renew or replace a certificate issued by a CA on an Edge Transport server that you have subscribed to, you will need to delete the old certificate and then delete and recreate the Edge subscription.

There are good guides that might help you  Edge Subscriptions | Microsoft Learn

Update Edge Server Certificate in a Hybrid Exchange Environment – IT Blog (ldlnet.net)

4.Best practices for SSL management in hybrid settings

a. Use a centralized certificate management system to keep track of all SSL certificates, their expiration dates, and renewal processes. This helps prevent certificates from expiring and ensures timely updates. Second, always get an SSL certificate from a trusted certificate authority (CA). Avoid using self-signed certificates in production environments, as they can cause trust issues and security warnings.

b. Regularly monitoring the health and status of your SSL certificate can reduce the risk of certificate expiration.

c. Ensure that the SSL certificate uses a strong encryption algorithm and key length. Avoid using deprecated protocols and passwords to maintain a high level of security. Keep all systems, including servers and network equipment, up to date with the latest security patches and updates. This helps prevent vulnerabilities that can be exploited.

Similar cases for your reference: Renew / Revalidate certificate on Edge server and Exchange 2016 server - Microsoft Q&A

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".