Almost every organization with an Exchange Server has an SSL certificate on that server for secure mail flow and client services. When the duration of the purchased certificate ends, the certificate needs to be renewed or a new one purchased. Sometimes clients change vendors, and the SSL certificates are replaced. Now let’s introduce Microsoft 365 into the mix. You want to sync your on-premises Exchange Server to the cloud, and when you have downloaded the Hybrid Configuration Wizard, it asks you to select an SSL certificate in the wizard.
Alternatively, suppose you have Exchange on-premises and hybrid running already and you need to update the SSL certificate on Exchange. In that case, you need to do so in the Hybrid Configuration Wizard as well. You won’t be able to remove the old SSL certificate from Exchange as it is tied to the Hybrid Configuration Wizard. Only once you rerun this setup will it allow you to remove the certificate from your on-premises Exchange Server.
Exchange and your new SSL certificate: Have no fear
I have had some admins fear the worst when doing this, as they say everything will break and stuff will go wrong. Well, I have done many upgrades using the HCW for certificate renewals. The HCW keeps your settings, so on the page with the SSL certificate, all you do is choose the new one. It is that simple. Microsoft releases new versions of the HCW regularly, so be sure to keep this updated as well.
Let’s get started. This will apply to anyone doing the Hybrid Configuration Wizard for the first time or updating components in the wizard as they already have a Hybrid setup. If you installed HCW, open the shortcut on your desktop or download the HCW from Microsoft’s website.
When you run the HCW application, it will show a window as above before starting the wizard.
The top right-hand corner will display your company information. Click Next to continue.
In this window, it will detect the optimal Exchange Server to use. You can select the second radio button to specify a server from the drop-down list. (If you already have hybrid running, this may not apply to you.) You can then also select the Exchange Online organization. Once completed, click Next to continue.
In the window above, you will need to sign in to Microsoft 365 with an account. Click the Sign-in button, and this will bring up the Microsoft 365 login page. If the Exchange account is fine, you can leave it as is or click change to select an alternate account.
Once you have signed in, you will notice the Next button will be enabled. Click Next to continue.
Checking on-premises and Microsoft 365
HCW now does checks against both on-premises and Microsoft 365. If you encounter any errors, fix them, or if it shows as above, click Next to continue.
On the Hybrid features window, make your selection. In this example, we are using Full Hybrid Configuration. Then click Next.
In the Hybrid domains window, add in the domains that you want to be part of the HCW and enable autodiscover for that domain based on what you have set up in Exchange. Once complete, click Next to continue.
In the next window, you can select the topology to use. We chose the classic one. (This applies to a new HCW setup; if you have already done this, continue to the next step.)
Generally, I leave the defaults here to configure the secure mail flow (typical) option and then click Next. If you have an edge transport server, select that and click Next once everything has been configured.
If you are running this for the first time, you can select one or multiple servers in your environment to use. If you have this configured already, just click Next.
Same with the above send connector — select the Exchange Servers you want to use and then click Next. If already selected, just continue.
This is the important part. If you already have a Hybrid setup, your current SSL certificate will show in the list, and you can click the drop-down arrow to select the new one. If you are new to the Hybrid Configuration Wizard, select the SSL certificate you want the wizard to use from the drop-down list and then click Next.
The next steps will just be to confirm everything and then complete the setup. The setup takes about a minute or two to complete and should finish successfully. On your Exchange 2016/2019 Server, your connectors will be set up, and if you log in to Office 365, you will also see the connectors.
You may now proceed with the removal of the old SSL certificate, and Exchange should no longer give you an error once you remove it. Make sure that services are assigned to the new SSL certificate before you attempt the removal.
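The check described above can be scripted before you remove anything. The following is an added example, not part of the original article: a read-only script for the Exchange Management Shell, run on the server that holds both certificates. The two thumbprints are placeholders, and the variable names are illustrative.

```powershell
# Added example: read-only pre-removal check (makes no changes).
# Both thumbprints are placeholders; substitute your own values.
$OldThumbprint = '<OLD-CERT-THUMBPRINT>'
$NewThumbprint = '<NEW-CERT-THUMBPRINT>'

$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
$new = Get-ExchangeCertificate -Thumbprint $NewThumbprint
$problems = @()

# The new certificate must be inside its validity period.
$now = Get-Date
if ($new.NotBefore -gt $now -or $new.NotAfter -lt $now) {
    $problems += "New certificate is not valid today ($($new.NotBefore) to $($new.NotAfter))."
}

# Every service bound to the old certificate must also be bound to the new one.
# Services is compared as text so this works in local and remote shells.
$oldServices = "$($old.Services)" -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' }
$newServices = "$($new.Services)" -split ',\s*'
foreach ($svc in $oldServices) {
    if ($newServices -notcontains $svc) {
        $problems += "Service $svc is assigned to the old certificate but not the new one."
    }
}

# Connectors and the hybrid configuration name a certificate as
# "<I>issuer<S>subject". A renewal from the same vendor can keep both values,
# so only flag references that match the old name and not the new one.
$oldTlsName = "<I>$($old.Issuer)<S>$($old.Subject)"
$newTlsName = "<I>$($new.Issuer)<S>$($new.Subject)"
$refs = @{}
Get-SendConnector    | ForEach-Object { $refs["Send connector '$($_.Identity)'"]    = "$($_.TlsCertificateName)" }
Get-ReceiveConnector | ForEach-Object { $refs["Receive connector '$($_.Identity)'"] = "$($_.TlsCertificateName)" }
$refs['Hybrid configuration'] = "$((Get-HybridConfiguration).TlsCertificateName)"
foreach ($name in $refs.Keys) {
    if ($refs[$name] -eq $oldTlsName -and $refs[$name] -ne $newTlsName) {
        $problems += "$name still references the old certificate."
    }
}

if ($problems.Count -gt 0) {
    foreach ($p in $problems) { Write-Warning $p }
} else {
    Write-Output 'No references to the old certificate found; it can be removed.'
}
```

A warning about the hybrid configuration or a connector means the HCW has not yet been rerun with the new certificate selected.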
As you can see, updating the Exchange SSL certificate or running the Hybrid Configuration Wizard is a straightforward process.