Certificate Missing in the Exchange 2010 Hybrid Configuration Wizard


During a recent customer case, I ran into problems with the Hybrid Configuration Wizard (HCW) for Exchange 2010 when configuring a Hybrid setup between Exchange 2010 and Office 365.

When going through the Manage Hybrid Configuration wizard in Exchange 2010, we hit an error almost at the end of the wizard, when trying to choose the certificate used for Hybrid: “No valid certificate exists for the Hub Transport server(s)”.


This was a bit odd, since the Exchange server already had a valid Exchange certificate enabled for the Transport services (SMTP).

To list the certificates in use, run the following command in the Exchange Management Shell:

Get-ExchangeCertificate | fl


At first glance everything looks OK.

Others have run into a similar issue (a Google or Bing search turns up several reports), and some apparently solved it by re-importing the SSL certificate.

This was however not the case in my scenario.

The root cause seems to be the RootCAType property, which in my scenario was set to Registry.

Make sure your Root CA certificates are correct and up to date; if not, get the most recent ones from your certificate provider (in my case GlobalSign).

When importing the Root certificates, make sure they are placed correctly within the certificate store, which is:

  • Intermediate certificates to the Intermediate store (folder)
  • Root certificates to the Third Party store (folder)

The Solution

The last step turned out to be the root cause of my issue: once the Root CA certificate from GlobalSign was placed in the Third Party store (folder), the RootCAType value changed when listing the Exchange certificates with the following command in the Exchange Management Shell:

Get-ExchangeCertificate | fl


The RootCAType parameter has now changed to ThirdParty, and the certificate, which was already enabled in Exchange for the Transport services (SMTP), can now be seen and selected in the Hybrid Configuration Wizard.
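As an added example (not code from the original post), the following PowerShell script checks, for each Exchange certificate enabled for SMTP, which LocalMachine store actually holds its root CA, and can relocate a root that was imported into the Trusted Root store (shown by Get-ExchangeCertificate as Registry) into the Third-Party Root store (shown as ThirdParty). The function names are mine; the store names (Root, AuthRoot, CA) are the standard Windows LocalMachine stores; Get-ExchangeCertificate and the RootCAType values come from the post. Run it in the Exchange Management Shell on the Hub Transport server itself, since the stores being inspected are local to that machine.

```powershell
# Added example, not from the original post. Run locally in the Exchange Management
# Shell on the Hub Transport server (the certificate stores are machine-local).
# Function names are hypothetical. Store names are the standard Windows LocalMachine
# stores, mapped to the RootCAType values Get-ExchangeCertificate reports:
#   Root      (Trusted Root Certification Authorities)     -> RootCAType "Registry"
#   AuthRoot  (Third-Party Root Certification Authorities) -> RootCAType "ThirdParty"
#   CA        (Intermediate Certification Authorities)     -> not a root store at all

function Open-LocalMachineStore {
    param([string]$Name, [string]$Access = 'ReadOnly')
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($Name, 'LocalMachine')
    $store.Open($Access)
    return $store
}

function Get-RootCaStoreLocation {
    # Takes the thumbprint string shown by Get-ExchangeCertificate. EMS in Exchange 2010
    # is a remote session, so its objects are deserialized and cannot be used as live
    # X509Certificate2 instances; the live certificate is loaded from LocalMachine\My.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $my   = Open-LocalMachineStore 'My'
    $cert = $my.Certificates.Find('FindByThumbprint', $Thumbprint, $false) | Select-Object -First 1
    $my.Close()
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    # Build the chain as Windows would and take the last element as the root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # checking store placement, not revocation
    [void]$chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $isSelfSigned = ($root.Subject -eq $root.Issuer)   # False = no trusted root was found

    # Which LocalMachine store(s) actually hold that root?
    $map = @{ 'Root' = 'Registry'; 'AuthRoot' = 'ThirdParty'; 'CA' = 'Intermediate' }
    $locations = @()
    foreach ($name in $map.Keys) {
        $s = Open-LocalMachineStore $name
        if ($s.Certificates.Find('FindByThumbprint', $root.Thumbprint, $false).Count -gt 0) {
            $locations += "$name ($($map[$name]))"
        }
        $s.Close()
    }

    New-Object PSObject -Property @{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        ChainComplete  = $isSelfSigned
        RootStores     = ($locations -join '; ')
    }
}

function Move-RootCaToThirdPartyStore {
    # Relocates a root CA from LocalMachine\Root to LocalMachine\AuthRoot. The root is
    # added to the destination before it is removed from the source, so the machine is
    # never left without it.
    param([Parameter(Mandatory = $true)][string]$RootThumbprint)

    $src = Open-LocalMachineStore 'Root'     'ReadWrite'
    $dst = Open-LocalMachineStore 'AuthRoot' 'ReadWrite'
    $match = $src.Certificates.Find('FindByThumbprint', $RootThumbprint, $false)
    if ($match.Count -ne 1) {
        throw "Expected exactly one certificate with thumbprint $RootThumbprint in LocalMachine\Root, found $($match.Count)"
    }
    $root = $match[0]
    if ($root.Subject -ne $root.Issuer) { throw "$($root.Subject) is not self-signed; refusing to treat it as a root" }
    $dst.Add($root)
    $src.Remove($root)
    $src.Close(); $dst.Close()
}

# 1. For every Exchange certificate enabled for SMTP, show where its root CA lives.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    ForEach-Object { Get-RootCaStoreLocation -Thumbprint $_.Thumbprint } |
    Format-Table Subject, RootSubject, RootStores, ChainComplete -AutoSize

# 2. If a public (third-party) root shows up only under "Root (Registry)", move it and re-check:
#    Move-RootCaToThirdPartyStore -RootThumbprint '<root CA thumbprint from step 1>'
#    Get-ExchangeCertificate | fl Thumbprint, Subject, Services, RootCAType
```

A ChainComplete value of False means the chain engine found no trusted root at all (a missing or expired root CA), which is a different problem from the misplaced root described in this post; fix that first by importing the current root from the certificate provider, then re-run step 1.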


Other references to similar issues:

About Author

Peter is an Exchange specialist with over 15 years of experience with Exchange Server and is a certified Microsoft Certified Master (MCM) and Microsoft Certified Solutions Master (MCSM) on Exchange Server. He has been awarded the Microsoft MVP award every year since 2007. He is active in the Microsoft community and is User Group Leader for CoLabora (a Danish UC & Cloud User Group). He works as a Cloud & Infrastructure Architect and Consultant, with a primary focus on Exchange, Office 365, Azure and Skype for Business.

5 Comments

  1. Hi,

    We have a hybrid deployment setup with Exchange 2010 and Office 365 and it has been working fine. The certificate has come up for renewal on the exchange server and I have renewed the certificate and imported into the EMC. However when I re-run the hybrid configuration wizard it cannot see the new certificate.

    Do you have any idea what the issue may be, as I have restarted the server as well, with no joy.

    • I have this same issue. We renewed the certificate and imported it but the HCW doesn’t see it. It’s configured as 3rd party. Were you able to figure out how to resolve?

  2. Dale Skinner

    Bit late on the reply, but it may help someone else.

    From EMS you need to find out what the thumbprint ID is for the right cert:

    Get-ExchangeCertificate

    then run the command:

    Set-HybridConfiguration -SecureMailCertificateThumbprint AC00F35CBA8359953F4126E0984B5CCAFA2F4F17

    Obviously, replace the thumbprint above with your own.


Copyright 2005-2015 - Peter Schmidt.