This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 85%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
Hi,
we have renewd the federation certificate in our exchange hybrid organization, but, when i tried to remove the old certificate it always appears again and again.
Everything works fine but we still have the old certificate installed on servers and although i tried to remove it from EAC or powershell.......it always appears in 10-15 minutes again.
What am i doing wrong?
Thank you in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 43%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBJ%3C/text%3E%3C/svg%3E)
Hi,@Jaime Alonso
Thanks for posting your question in the Microsoft Q&A forum.
When you delete the old certificate, the old certificate reappears after ten minutes or so.
I have a couple of questions to confirm:
Here are my suggestions:
If your certificate has not expired, you just need to renew it.
Regarding renewing the certificate, you can refer to this URL: Renew the federation certificate: Exchange 2013 Help | Microsoft Learn
If the federation certificate has already expired, you need to remove all federated domains from the federation trust, and then remove and recreate the federation trust.
This is also detailed in this link: Renew the federation certificate: Exchange 2013 Help | Microsoft Learn
If my answer is helpful to you, please mark it as the answer so that other users can refer to it. Thank you for your support and understanding.
Hi, thank you for such a quick response.
We renewed the federation certificate approximately one year ago, so we have two certificates: the current certificate and the previous certificate. What we want to do is remove the old one, but when we remove it, it reappears after a few minutes.
About the other question, yes, our organization is hybrid.
We don't need to renew the cert again, because it expires on 2026, we just need to remove the old one.
Hi,@Jaime Alonso
According to your description, the federated authentication certificate was deleted and then reappeared. There is a synchronization problem between the On-pre and cloud services.
Here are my suggestions:
Set-FederationTrust -Identity "YourFederationTrustIdentity" -RefreshMetadataInterval 0
If you are using Active Directory synchronization, ensure that your changes are correctly reflected in Active Directory and synchronized to other servers.
Remove-ExchangeCertificate -Thumbprint "Thumbprint of old certificate"
If my answer is helpful to you, please mark it as the answer so that other users can refer to it. Thank you for your support and understanding.
Hi , Thank you for your response. Do the steps suggested in the previous answer carry any risk? Our Onprem Org is Exchange 2013 I dont know if these steps are valid because the command "Set-FederationTrust -Identity "YourFederationTrustIdentity" -RefreshMetadataInterval 0 "is not valid.What does the command exacty do?
Could it have any affection on the service?
We did not remove the old certicate proof on txt dns value, could it be the reason of the issue?
And finally, do we have to set the value again on its previous value?
Thank you in advanced.
Hi,@Jaime Alonso
I will answer your questions in order:
1. The old certificate proof TXT DNS value was not removed:
Yes, this could be the reason for the issue. If the old certificate proof TXT DNS value is not removed, the system may fail to verify the new certificate, leading to authentication and communication problems. Ensuring the DNS records are up-to-date and match the currently used certificate is crucial.
2. The Set-FederationTrust -Identity "YourFederationTrustIdentity" -RefreshMetadataInterval 0 command:
This command is used to set the metadata refresh interval for Exchange federation trust. Setting the RefreshMetadataInterval parameter to 0 means disabling the automatic metadata refresh. "YourFederationTrustIdentity" This parameter should be filled with the old certificate.
3. Do we need to set the value back to its previous value:
Yes, it is recommended to restore the RefreshMetadataInterval value after resolving the issue to ensure regular metadata refresh. In general, the default value should be restored to maintain the normal operation of the system. If you are unsure of the default value, you can refer to the relevant documentation or use PowerShell commands to check the current settings.
Here are my suggestions:
I will continue to follow up if any problems arise later.
If the problem is solved, please mark it as the answer so that other users can refer to it. Thank you for your support and understanding.
We will try first point, altough there 2 records, one for the old cert and other for the new cert.
We will delete the record next week as I will not be available this week. As soon as we do it, I will update the post. Thank you for your help @Bruce Jing-MSFT
Hello, @Jaime Alonso
It's been a long time since I've heard from you, have you solved your problem yet? If the problem is not resolved, please message me.