Replacing a Federation Trust Certificate When the Original Certificate is Missing

Friday, October 22, 2010
Exchange 2010 federation allows organizations to share calendar free/busy information (also known as calendar availability) and contact information with external recipients, vendors, partners, and customers.  This is accomplished by creating a trust with Microsoft's Federation Gateway.  This cloud-based service offered by Microsoft acts as the trust broker between your on-premises Exchange 2010 organization and other federated Exchange 2010 organizations.  For more information about Exchange federation, see Understanding Federation.

To configure federation you install an Exchange certificate, enable the certificate for Federation, and create a federation trust with Microsoft Federation Gateway.  Eventually you will need to replace this certificate, either for business reasons or when the certificate expires.  The usual way of doing this is to install a new Exchange certificate and configure it as the "Next Certificate" in the Manage Federation Certificate wizard, as shown below.


When you're ready to replace the current federation certificate you simply run the Manage Federation wizard, select the "Roll certificate to make the next certificate as the current certificate" check box, and complete the wizard.  What was the Next Certificate becomes the Current Certificate, and the Current Certificate becomes the Previous Certificate.
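The same two wizard steps can be done from the Exchange Management Shell. The script below is an added example, not code from the original post; it assumes the trust has the default identity "Microsoft Federation Gateway", that Get-FederationTrust exposes OrgCertificate, OrgNextCertificate and OrgPrevCertificate, and that you replace the placeholder thumbprint with the one of your new certificate. It checks that the new certificate is actually usable (present with a private key, inside its validity period) before staging it, which is the check that would have prevented the situation described further down.

```powershell
# Added example (not from the original post): EMS equivalent of the wizard's
# "Next Certificate" and "Roll certificate..." steps, with a usability pre-check.
# Assumes the Exchange Management Shell is loaded; the thumbprint is a placeholder.
$trustId   = "Microsoft Federation Gateway"
$nextThumb = "<THUMBPRINT-OF-NEW-CERTIFICATE>"   # placeholder, replace with your own

# Pre-check: the certificate must be in this server's store with its private key
# and must be within its validity period, otherwise the roll only moves the problem.
$cert = Get-ExchangeCertificate -Thumbprint $nextThumb
if (-not $cert.HasPrivateKey) {
    throw "Certificate $nextThumb has no private key on this server."
}
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate $nextThumb is not valid now ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Stage it as the Next Certificate (the wizard's "Next Certificate" field).
Set-FederationTrust -Identity $trustId -Thumbprint $nextThumb

# Roll: Next -> Current, Current -> Previous, and publish the new public key to
# the Federation Gateway (the wizard's "Roll certificate..." check box).
Set-FederationTrust -Identity $trustId -PublishFederationCertificate

# Show which certificate sits in each slot, then exercise the trust end to end.
Get-FederationTrust | Format-List Name, OrgCertificate, OrgNextCertificate, OrgPrevCertificate
Test-FederationTrust
```

Run the two Set-FederationTrust lines on separate days if you want a window in which both the old and the new certificate are published, which is what the Next/Current/Previous slots exist for.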

I ran into an interesting issue where the process above did not work.  The customer deleted the Current Certificate from the computer's local certificate store, rather than rolling the Next Certificate into the current certificate's place.  This causes the Manage Federation wizard to break because it can't locate the Current Certificate.  I was also unable to use the Set-FederationTrust cmdlet in EMS; it gives the same error:
[PS] C:\>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
Federation certificate with the thumbprint "29FD8FFF241A4317ABAAF326226BC209F682C2F3" cannot be found.
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], FederationCertificateInvalidException
    + FullyQualifiedErrorId : 906B427C,Microsoft.Exchange.Management.SystemConfigurationTasks.SetFederationTrust
To fix this, you'll need to edit the federation trust object in Active Directory directly using ADSIEdit.
  • Log into a computer with administrator rights and run ADSIEdit.msc
  • Connect to the Configuration naming context
  • Navigate to CN=Federation Trusts,CN=OrgName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
  • Right-click CN=Microsoft Federation Gateway in the work pane and select Properties
  • Edit the msExchFedOrgNextCertificate property (which contains the thumbprint of the Next Certificate) and copy the entire value.  Close the msExchFedOrgNextCertificate property.
  • Edit the msExchFedOrgPrivCertificate property (which contains the thumbprint of the Current Certificate, the one that was deleted from the store) and paste the value.  Click OK to set the value.
  • Wait for the change to replicate throughout your AD infrastructure.
  • From the Exchange Management Console, run the Manage Federation wizard.  You will now notice that the Current Certificate and the Next Certificate are the same.
  • Select the "Roll certificate to make the next certificate as the current certificate" check box and complete the wizard.
Don't forget to test your configuration with the Test-FederationTrust cmdlet.
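The ADSIEdit steps above, done with the ActiveDirectory PowerShell module instead, as an added example that is not part of the original post. The function name Repair-FederationTrustCertificate is my own; the script assumes the RSAT ActiveDirectory module is installed, that the trust is named "Microsoft Federation Gateway", and, as the post states, that msExchFedOrgNextCertificate holds the thumbprint of the Next Certificate. Before it writes anything it confirms that the thumbprint it is about to copy really corresponds to a certificate with a private key on this server, so the error cannot simply move from the Current slot to the Next slot, and it refuses to continue when the Next value is empty (the situation the comments below describe). Nothing is written unless -Apply is given.

```powershell
# Added example (not from the original post): copy msExchFedOrgNextCertificate
# into msExchFedOrgPrivCertificate with a safety check, instead of using ADSIEdit.
# Assumptions: ActiveDirectory module available; trust named as in the post;
# the Next attribute holds the thumbprint as the post describes.
Import-Module ActiveDirectory

function Repair-FederationTrustCertificate {
    param(
        [string]$TrustName = "Microsoft Federation Gateway",
        [switch]$Apply   # without this switch the function only reports
    )

    # Locate the trust object anywhere under the Configuration naming context,
    # so the Exchange organization name does not have to be typed by hand.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $trust = @(Get-ADObject -SearchBase $configNc -LDAPFilter "(cn=$TrustName)" `
                 -Properties msExchFedOrgNextCertificate, msExchFedOrgPrivCertificate)
    if ($trust.Count -eq 0) { throw "No object named '$TrustName' found under $configNc." }
    if ($trust.Count -gt 1) { throw "More than one object named '$TrustName' found; narrow the search." }
    $trust = $trust[0]

    $next = $trust.msExchFedOrgNextCertificate
    $priv = $trust.msExchFedOrgPrivCertificate
    if (-not $next) {
        throw "msExchFedOrgNextCertificate is empty: stage a Next Certificate in the Manage Federation wizard first, then re-run."
    }

    # Normalise to an uppercase hex thumbprint whether AD hands back a string or bytes.
    $nextThumb = if ($next -is [byte[]]) {
        ($next | ForEach-Object { $_.ToString('X2') }) -join ''
    } else {
        "$next".Trim().ToUpper()
    }

    # Safety check: the Next Certificate must exist in this server's machine store
    # with its private key, otherwise copying the value just relocates the error.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $nextThumb }
    if (-not $cert)               { throw "Thumbprint $nextThumb is not in Cert:\LocalMachine\My on this server." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $nextThumb has no private key on this server." }

    Write-Host "Trust object          : $($trust.DistinguishedName)"
    Write-Host "Current (missing) value: $priv"
    Write-Host "Next certificate value : $nextThumb ($($cert.Subject), expires $($cert.NotAfter))"

    if (-not $Apply) {
        Write-Host "Dry run only. Re-run with -Apply to copy the Next value into msExchFedOrgPrivCertificate."
        return
    }

    # Same as pasting the value in ADSIEdit: write the raw Next value into Priv.
    Set-ADObject -Identity $trust.DistinguishedName -Replace @{ msExchFedOrgPrivCertificate = $next }
    Write-Host "Written. Wait for AD replication, roll the certificate in the Manage Federation wizard, then run Test-FederationTrust."
}

Repair-FederationTrustCertificate           # dry run: reports, changes nothing
# Repair-FederationTrustCertificate -Apply  # writes the attribute
```

Run it on the Exchange server that holds the federation certificate, since the store check is local to the machine it runs on.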

3 comments:

  1. my msExchFedOrgNextCertificate is empty.

  2. Mine was empty as well because I deployed a new Exch2010 server to replace the existing one.

    Go into EMC > Organisation Configuration > Federation Trust > Properties; you should be at the Manage Federation wizard.
    Click on Next Certificate > Edit > select the certificate > Next

    Follow through with the article. You will need to re-open ADSIEdit if you already had it open.

  3. I had the same problem as above, I am deploying a new Exch2010 server to replace the existing one.

    Go to EMC > Organisation Configuration > Federation Trust > Properties of the trust; you should be at the Manage Federation wizard.
    Click on Next Certificate > Select the certificate > Next (You will get errors)

    Now re-open ADSIEdit and follow through the article.

