Recently, I encountered an interesting scenario in which an "Exchange Delegation Federation" certificate on one of our Exchange servers appeared to be duplicated.
Get-ExchangeCertificate | select-object Thumbprint,SerialNumber,Services,Subject | where { $_.Subject -eq "CN=Federation" }
Thumbprint                               SerialNumber                   Services         Subject
----------                               ------------                   --------         -------
1ABC4623DE565ABBAECE1ABC4623DE565ABBAECE A156734AB54685EF673EFAABFE7864 SMTP, Federation CN=Federation
43FABC56DE565ABBAECE1ABC4623DE565BCA42A1 F2BCFA4AB54685EF673EFAABBABA21 SMTP             CN=Federation
This certificate is required for the hybrid environment, and the duplicate raised concerns about unnecessary overhead and potential complications in certificate management. To address this, I decided to investigate further and take appropriate action.
First, I examined each certificate's details and its assigned services with the Get-ExchangeCertificate cmdlet. This showed that the certificate assigned to both the Federation and SMTP services was serving all the required functions, while the second certificate, assigned only to SMTP, appeared redundant: no Send or Receive connectors were using it.
So I decided to remove it, after first exporting it as a backup:
Remove-ExchangeCertificate 43FABC56DE565ABBAECE1ABC4623DE565BCA42A1
Get-ExchangeCertificate | select-object Thumbprint,SerialNumber,Services,Subject | where { $_.Subject -eq "CN=Federation" }
Thumbprint                               SerialNumber                   Services         Subject
----------                               ------------                   --------         -------
1ABC4623DE565ABBAECE1ABC4623DE565ABBAECE A156734AB54685EF673EFAABFE7864 SMTP, Federation CN=Federation
Fortunately, the removal went smoothly, with no adverse effect on Exchange functionality. With the redundant certificate removed there is one less potential point of failure, and certificate maintenance is simpler.
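The following script is an added example, not part of the original post: it turns the "is anything still using this certificate?" check into code before the backup and removal, and goes a little further than the post by also checking the federation trust and the hybrid configuration. It assumes an Exchange Management Shell session, the thumbprint from the output above as the candidate, and C:\CertBackup as an assumed backup folder.

```powershell
# Added example, not from the original post: check that nothing still
# references a duplicate "CN=Federation" certificate, back it up, then remove it.
# Assumes an Exchange Management Shell session; $Candidate is the thumbprint
# from the output above and $BackupDir is an assumed local folder.
$Candidate = '43FABC56DE565ABBAECE1ABC4623DE565BCA42A1'
$BackupDir = 'C:\CertBackup'

$cert  = Get-ExchangeCertificate -Thumbprint $Candidate
$inUse = @()

# 1. The federation trust holds its certificates as objects with thumbprints,
#    so this check does distinguish between the two duplicates.
foreach ($trust in @(Get-FederationTrust -ErrorAction SilentlyContinue)) {
    foreach ($prop in 'OrgCertificate', 'OrgPrevCertificate', 'OrgNextCertificate') {
        $c = $trust.$prop
        if ($c -and $c.Thumbprint -eq $Candidate) { $inUse += "FederationTrust.$prop" }
    }
}

# 2. Connectors and the hybrid configuration store only "<I>issuer<S>subject",
#    which is identical for both duplicates; any match here needs a manual look.
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
Get-SendConnector | Where-Object { "$($_.TlsCertificateName)" -eq $tlsName } |
    ForEach-Object { $inUse += "SendConnector:$($_.Name)" }
Get-ReceiveConnector | Where-Object { "$($_.TlsCertificateName)" -eq $tlsName } |
    ForEach-Object { $inUse += "ReceiveConnector:$($_.Name)" }
$hybrid = Get-HybridConfiguration -ErrorAction SilentlyContinue
if ($hybrid -and "$($hybrid.TlsCertificateName)" -eq $tlsName) { $inUse += 'HybridConfiguration' }

# 3. Refuse to remove anything still bound to the Federation service or
#    referenced above; an SMTP binding with no connector using it is not a blocker.
if ("$($cert.Services)" -match 'Federation' -or $inUse.Count -gt 0) {
    Write-Warning "Not removing $Candidate; still referenced by: $($inUse -join ', ')"
    return
}

# 4. Export a PFX (private key included) before removal so it can be re-imported.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$export = Export-ExchangeCertificate -Thumbprint $Candidate -BinaryEncoded -Password $pfxPassword
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $BackupDir "$Candidate.pfx"), $export.FileData)

Remove-ExchangeCertificate -Thumbprint $Candidate -Confirm:$false
```

Because connector and hybrid references are by subject and issuer only, a match in step 2 tells you a connector uses one of the duplicates, not which one; that is exactly the case to resolve by hand before removing either.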