Medha Cloud
Medha Cloud Exchange Server Team
Exchange Database Recovery Team | 8 min read

OAuth certificate expiration in Exchange Server can disrupt authentication for OWA, hybrid mail flow, and cross-premises services. This guide shows you how to monitor certificate expiration, proactively renew before issues occur, and maintain seamless authentication.

Our Exchange Certificate Team provides proactive certificate management to prevent authentication outages.

Error Overview: OAuth Certificate Lifecycle

The OAuth authentication certificate is a self-signed certificate used by Exchange to sign authentication tokens. Unlike SSL certificates, it does not need to be trusted by external CAs—but it must be valid and properly configured.

OAuth Certificate Lifecycle
# OAuth Certificate Timeline:
# - Created during Exchange setup (5-year default validity)
# - Used by: OWA, EWS, Hybrid, Cross-premises requests
# - Can be renewed/rolled over without full replacement

# When approaching expiration:
# - 60 days: Plan renewal
# - 30 days: Create new certificate
# - 14 days: Configure as new auth certificate
# - 7 days: Publish and verify
# - 0 days: Old certificate expires (no impact if renewed)

Symptoms of Expiring/Expired OAuth Certificate

Warning Signs (Before Expiration):

  • The certificate referenced by Get-AuthConfig (CurrentCertificateThumbprint) expires within 90 days
  • Monitoring alerts on certificate expiration
  • No immediate user impact yet

After Expiration:

  • OWA authentication fails or loops
  • Hybrid mail flow stops
  • Free/busy lookups to Microsoft 365 fail
  • Event ID 1003 errors in Application log
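
The following is an added example, not part of the original article: it pairs the Application-log Event ID 1003 entries mentioned above with the state of the certificate that AuthConfig currently points at, so an on-call engineer can tell an expired or missing OAuth certificate from some other cause of the same symptoms. It assumes it runs in the Exchange Management Shell on an Exchange server; the function name and the 24-hour lookback are constructed for this example.

```powershell
# Added example: correlate recent Event ID 1003 entries with OAuth certificate status.
function Get-OAuthExpiryEvidence {
    param([int]$LookbackHours = 24)   # constructed default, adjust to taste

    $since = (Get-Date).AddHours(-$LookbackHours)
    # Event ID 1003 is the ID named in the symptom list; no provider filter is applied,
    # so the provider names are reported for the reader to judge.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1003; StartTime = $since } -ErrorAction SilentlyContinue)

    $authConfig = Get-AuthConfig
    $cert = Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint -ErrorAction SilentlyContinue
    $daysLeft = $null
    if ($cert) { $daysLeft = ($cert.NotAfter - (Get-Date)).Days }

    # Decide what the evidence most likely means
    if (-not $cert)              { $likelyCause = 'OAuth certificate missing from the local certificate store' }
    elseif ($daysLeft -lt 0)     { $likelyCause = 'OAuth certificate expired' }
    elseif ($events.Count -gt 0) { $likelyCause = 'Event 1003 present but certificate is valid; investigate other causes' }
    else                         { $likelyCause = 'No evidence of an OAuth certificate problem' }

    $sources = ($events | Group-Object ProviderName | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '

    [pscustomobject]@{
        LookbackHours      = $LookbackHours
        Event1003Count     = $events.Count
        EventSources       = $sources
        CurrentThumbprint  = $authConfig.CurrentCertificateThumbprint
        CertificatePresent = [bool]$cert
        DaysLeft           = $daysLeft
        LikelyCause        = $likelyCause
    }
}

Get-OAuthExpiryEvidence -LookbackHours 24 | Format-List
```

Run it on each server that shows the symptoms; a server reporting a valid certificate but many 1003 events points away from expiry and toward a configuration difference between servers.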

Check OAuth Certificate Status
# Get current OAuth configuration
$authConfig = Get-AuthConfig
Write-Host "Service Name: $($authConfig.ServiceName)"
Write-Host "Current Thumbprint: $($authConfig.CurrentCertificateThumbprint)"

# Check certificate expiration
$cert = Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint
Write-Host "Certificate Subject: $($cert.Subject)"
Write-Host "Expires: $($cert.NotAfter)"

# Calculate days until expiration
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0) {
    Write-Host "STATUS: EXPIRED $([Math]::Abs($daysLeft)) days ago!" -ForegroundColor Red
} elseif ($daysLeft -lt 30) {
    Write-Host "STATUS: CRITICAL - Expires in $daysLeft days!" -ForegroundColor Red
} elseif ($daysLeft -lt 90) {
    Write-Host "STATUS: WARNING - Expires in $daysLeft days" -ForegroundColor Yellow
} else {
    Write-Host "STATUS: OK - Expires in $daysLeft days" -ForegroundColor Green
}

Quick Diagnosis

Full OAuth Health Check
# Step 1: Check AuthConfig
Write-Host "=== Auth Configuration ===" -ForegroundColor Cyan
Get-AuthConfig | Format-List ServiceName, CurrentCertificateThumbprint, PreviousCertificateThumbprint

# Step 2: Check Certificate Details
Write-Host "=== Certificate Details ===" -ForegroundColor Cyan
$authConfig = Get-AuthConfig
Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter, Services | Format-List

# Step 3: Test OAuth
Write-Host "=== OAuth Test ===" -ForegroundColor Cyan
$testMailbox = (Get-Mailbox | Select-Object -First 1).PrimarySmtpAddress
Test-OAuthConnectivity -Service EWS -TargetUri "https://$env:COMPUTERNAME/ews/exchange.asmx" -Mailbox $testMailbox

Proactive Renewal (Before Expiration)

Renew OAuth Certificate
# Step 1: Create new OAuth certificate
# If prompted to overwrite the existing default SMTP certificate, answer No
$newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -Services SMTP -FriendlyName "Microsoft Exchange Server Auth Certificate (New)"

Write-Host "New certificate created: $($newCert.Thumbprint)"

# Step 2: Configure as the new auth certificate (effective immediately or specify date)
Set-AuthConfig -NewCertificateThumbprint $newCert.Thumbprint -NewCertificateEffectiveDate (Get-Date)

# Step 3: Publish the new certificate
Set-AuthConfig -PublishCertificate

# Step 4: Verify configuration
Get-AuthConfig | Format-List CurrentCertificateThumbprint, PreviousCertificateThumbprint

# Step 5: Clear previous certificate after verification (optional, after testing)
# Set-AuthConfig -ClearPreviousCertificate

# Restart IIS to apply
iisreset /noforce

Detailed Solutions

Solution 1: Standard Renewal Process

Complete Renewal with Verification
# Full renewal process with verification steps

# Step 1: Document current state
Write-Host "=== Current State ===" -ForegroundColor Cyan
$oldConfig = Get-AuthConfig
$oldCert = Get-ExchangeCertificate -Thumbprint $oldConfig.CurrentCertificateThumbprint
Write-Host "Old certificate expires: $($oldCert.NotAfter)"

# Step 2: Create new certificate (answer No if asked to overwrite the default SMTP certificate)
$newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -Services SMTP -FriendlyName "Exchange Auth Cert $(Get-Date -Format 'yyyy-MM-dd')"
Write-Host "New certificate: $($newCert.Thumbprint)"
Write-Host "New certificate expires: $($newCert.NotAfter)"

# Step 3: Stage the new certificate
Set-AuthConfig -NewCertificateThumbprint $newCert.Thumbprint -NewCertificateEffectiveDate (Get-Date)
Write-Host "New certificate staged"

# Step 4: Test before publishing
Write-Host "Testing OAuth before publishing..."
$testMailbox = (Get-Mailbox | Select-Object -First 1).PrimarySmtpAddress
$test = Test-OAuthConnectivity -Service EWS -TargetUri "https://$env:COMPUTERNAME/ews/exchange.asmx" -Mailbox $testMailbox
Write-Host "OAuth test result: $($test.ResultType)"

# Step 5: Publish if test passes
if ($test.ResultType -eq "Success") {
    Set-AuthConfig -PublishCertificate
    Write-Host "New certificate published successfully!" -ForegroundColor Green
} else {
    Write-Host "OAuth test failed - investigate before publishing" -ForegroundColor Red
}

iisreset /noforce

Solution 2: Hybrid Environment Renewal

Renew in Hybrid Configuration
# For Exchange Hybrid with Microsoft 365

# Step 1: Create and configure new certificate (same as above)
$newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -Services SMTP
Set-AuthConfig -NewCertificateThumbprint $newCert.Thumbprint -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate

# Step 2: Export public key for Microsoft 365
# Without -Password only the public certificate is exported. Export-ExchangeCertificate
# returns the bytes in .FileData; writing them out this way works on every supported
# Exchange version (the -FileName parameter is not available on Exchange 2016 and later)
$cerPath = "C:\Temp\OAuthPublicKey.cer"
$exported = Export-ExchangeCertificate -Thumbprint $newCert.Thumbprint -BinaryEncoded
[System.IO.File]::WriteAllBytes($cerPath, $exported.FileData)
Write-Host "Public key exported to $cerPath"

# Step 3: Re-run Hybrid Configuration Wizard
Write-Host "IMPORTANT: Run the Hybrid Configuration Wizard (HCW) to update Microsoft 365"
Write-Host "Download from: https://aka.ms/HybridWizard"

# Step 4: After HCW completes, test hybrid OAuth (replace admin@domain.com with a real mailbox)
Test-OAuthConnectivity -Service EWS -TargetUri "https://outlook.office365.com/ews/exchange.asmx" -Mailbox admin@domain.com
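
Before handing the exported .cer file to the Hybrid Configuration Wizard, it is worth confirming that the file really is the public half of the certificate AuthConfig now points at. The check below is an added example, not part of the original article: it loads the file with the .NET X509Certificate2 class (so it runs on any machine with PowerShell, not only an Exchange server) and compares it with the AuthConfig thumbprint when that cmdlet is available. The path and function name are assumptions taken from the steps above.

```powershell
# Added example: validate the exported OAuth public key before the HCW run.
function Test-OAuthPublicKeyExport {
    param(
        [string]$Path = 'C:\Temp\OAuthPublicKey.cer',   # path used in the export step above
        [string]$ExpectedThumbprint                     # optional; taken from Get-AuthConfig if omitted
    )

    if (-not (Test-Path $Path)) { throw "Export file not found: $Path" }

    # X509Certificate2 parses both DER (.cer) and PFX; a .cer never carries a private key
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    if (-not $ExpectedThumbprint -and (Get-Command Get-AuthConfig -ErrorAction SilentlyContinue)) {
        $ExpectedThumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
    }

    $problems = @()
    if ($ExpectedThumbprint -and ($cer.Thumbprint -ne $ExpectedThumbprint)) {
        $problems += "Thumbprint $($cer.Thumbprint) does not match AuthConfig ($ExpectedThumbprint)"
    }
    if ($cer.HasPrivateKey) {
        $problems += "File contains a private key; only the public certificate should be sent to Microsoft 365"
    }
    if ($cer.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Certificate expires $($cer.NotAfter); renew before re-running HCW"
    }
    if ($cer.NotBefore -gt (Get-Date)) {
        $problems += "Certificate is not yet valid (NotBefore $($cer.NotBefore))"
    }
    if ($cer.Subject -ne 'CN=Microsoft Exchange Server Auth Certificate') {
        $problems += "Unexpected subject: $($cer.Subject)"
    }

    [pscustomobject]@{
        Path        = $Path
        Subject     = $cer.Subject
        Thumbprint  = $cer.Thumbprint
        NotAfter    = $cer.NotAfter
        PublicOnly  = -not $cer.HasPrivateKey
        ReadyForHCW = ($problems.Count -eq 0)
        Problems    = ($problems -join '; ')
    }
}

$result = Test-OAuthPublicKeyExport
$result | Format-List
if (-not $result.ReadyForHCW) { Write-Host "Do not run HCW yet: $($result.Problems)" -ForegroundColor Red }
```

The thumbprint comparison catches the common mistake of exporting the old certificate (or a server's SMTP certificate) by accident; the private-key check catches a .pfx saved with a .cer extension.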

Solution 3: Multi-Server Deployment

Replicate to All Exchange Servers
# Replicate OAuth certificate to all Exchange servers

# Step 1: Export certificate with private key
# Export-ExchangeCertificate returns the bytes in .FileData; writing them with
# WriteAllBytes works on every supported Exchange version (the -FileName parameter
# is not available on Exchange 2016 and later)
$authConfig = Get-AuthConfig
$thumbprint = $authConfig.CurrentCertificateThumbprint
$password = Read-Host "Enter export password" -AsSecureString
$pfxPath = "C:\Temp\OAuthCert.pfx"
$exported = Export-ExchangeCertificate -Thumbprint $thumbprint -Password $password -BinaryEncoded
[System.IO.File]::WriteAllBytes($pfxPath, $exported.FileData)

# Step 2: Import on each Mailbox server that does not already have it
# (-Server runs the certificate cmdlets against that server from this shell,
# so no file copy or PowerShell remoting is needed)
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match "Mailbox" }
$pfxBytes = [System.IO.File]::ReadAllBytes($pfxPath)
foreach ($server in $servers) {
    Write-Host "Processing $($server.Name)..."
    $existing = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumbprint -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "  Already present, skipping"
        continue
    }
    Import-ExchangeCertificate -Server $server.Name -FileData $pfxBytes -Password $password -PrivateKeyExportable $true
}

# Step 3: Verify all servers have the certificate, including its private key
foreach ($server in $servers) {
    $remoteCert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumbprint -ErrorAction SilentlyContinue

    if ($remoteCert -and $remoteCert.HasPrivateKey) {
        Write-Host "$($server.Name): Certificate found" -ForegroundColor Green
    } elseif ($remoteCert) {
        Write-Host "$($server.Name): Certificate found but private key MISSING" -ForegroundColor Yellow
    } else {
        Write-Host "$($server.Name): Certificate MISSING" -ForegroundColor Red
    }
}

# Step 4: Remove the .pfx once every server has the certificate
Remove-Item $pfxPath -Force

Verify the Fix

Complete Verification
# Verify OAuth certificate renewal

Write-Host "=== AuthConfig Verification ===" -ForegroundColor Cyan
$config = Get-AuthConfig
$cert = Get-ExchangeCertificate -Thumbprint $config.CurrentCertificateThumbprint
Write-Host "Certificate: $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Expires: $($cert.NotAfter)"
Write-Host "Days remaining: $(($cert.NotAfter - (Get-Date)).Days)"

Write-Host ""
Write-Host "=== OAuth Connectivity Test ===" -ForegroundColor Cyan
$testMailbox = (Get-Mailbox | Select-Object -First 1).PrimarySmtpAddress
$test = Test-OAuthConnectivity -Service EWS -TargetUri "https://$env:COMPUTERNAME/ews/exchange.asmx" -Mailbox $testMailbox
Write-Host "Result: $($test.ResultType)"

Write-Host ""
Write-Host "=== Service Status ===" -ForegroundColor Cyan
Get-Service MSExchangeServiceHost | Select-Object Name, Status

Prevention Tips

Proactive Monitoring

  • Monitor OAuth certificate expiration (90-day warning)
  • Schedule renewal 30 days before expiration
  • Document renewal procedure in runbooks
  • Test OAuth connectivity after any certificate changes

Monitoring Script
# OAuth certificate monitoring - add to scheduled task
$threshold = 90  # Alert days before expiration

$authConfig = Get-AuthConfig
$cert = Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint -ErrorAction SilentlyContinue

if (-not $cert) {
    Write-Host "CRITICAL: OAuth certificate not found!" -ForegroundColor Red
} else {
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $threshold) {
        Write-Host "WARNING: OAuth certificate expires in $daysLeft days" -ForegroundColor Yellow
        # Send-MailMessage alert here
    } else {
        Write-Host "OK: OAuth certificate expires in $daysLeft days" -ForegroundColor Green
    }
}
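
The monitoring script above checks one certificate on one server. The following added example (not part of the original article) extends the same idea to every Mailbox server and to each certificate AuthConfig tracks (Current, Previous and Next), so a scheduled task also catches a server that never received a renewed certificate or holds it without the private key. It assumes the Exchange Management Shell; the report path, addresses and SMTP server are constructed placeholders to replace before scheduling.

```powershell
# Added example: org-wide OAuth certificate report for a scheduled task.
function Get-OAuthCertificateReport {
    param([int]$WarnDays = 90)   # same threshold as the monitoring script above

    $authConfig = Get-AuthConfig
    # Thumbprints AuthConfig currently tracks; entries without a value are skipped
    $wanted = @(
        @{ Role = 'Current';  Thumbprint = $authConfig.CurrentCertificateThumbprint },
        @{ Role = 'Previous'; Thumbprint = $authConfig.PreviousCertificateThumbprint },
        @{ Role = 'Next';     Thumbprint = $authConfig.NextCertificateThumbprint }
    ) | Where-Object { $_.Thumbprint }

    $servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }
    foreach ($server in $servers) {
        foreach ($w in $wanted) {
            # -Server queries that server's certificate store from this shell
            $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $w.Thumbprint -ErrorAction SilentlyContinue
            $daysLeft = $null; $notAfter = $null; $hasKey = $false
            if ($cert) {
                $daysLeft = ($cert.NotAfter - (Get-Date)).Days
                $notAfter = $cert.NotAfter
                $hasKey   = $cert.HasPrivateKey
            }
            if (-not $cert)                  { $status = 'MISSING' }
            elseif ($daysLeft -lt 0)         { $status = 'EXPIRED' }
            elseif ($daysLeft -lt $WarnDays) { $status = 'WARNING' }
            else                             { $status = 'OK' }

            [pscustomobject]@{
                Server        = $server.Name
                Role          = $w.Role
                Thumbprint    = $w.Thumbprint
                NotAfter      = $notAfter
                DaysLeft      = $daysLeft
                HasPrivateKey = $hasKey
                Status        = $status
            }
        }
    }
}

$report = Get-OAuthCertificateReport -WarnDays 90
$report | Format-Table Server, Role, Status, DaysLeft, HasPrivateKey -AutoSize
$report | Export-Csv -Path 'C:\Temp\OAuthCertReport.csv' -NoTypeInformation   # constructed path

# The Previous certificate is expected to age out after a rollover, so only Current and
# Next raise an alert; a missing private key is always worth a look.
$bad = @($report | Where-Object { $_.Role -ne 'Previous' -and ($_.Status -ne 'OK' -or -not $_.HasPrivateKey) })
if ($bad.Count -gt 0) {
    $body = ($bad | Format-Table Server, Role, Status, DaysLeft, HasPrivateKey -AutoSize | Out-String)
    # Placeholder addresses and SMTP server; replace with your own
    Send-MailMessage -To 'exchange-admins@example.com' -From 'oauth-monitor@example.com' `
        -SmtpServer 'smtp.example.com' -Subject "OAuth certificate attention needed ($($bad.Count) item(s))" -Body $body
}
```

Keeping the CSV from each run gives a simple history: a server that flips from OK to MISSING after a renewal is the multi-server synchronization case listed under When to Escalate.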

When to Escalate

Contact Exchange specialists if:

  • Certificate renewal fails with errors
  • Hybrid Configuration Wizard fails after renewal
  • OAuth tests continue to fail after renewal
  • Multi-server certificate synchronization issues

Need Expert Help?

Our Exchange Certificate Team provides proactive certificate lifecycle management to prevent authentication outages.

Frequently Asked Questions

The default OAuth certificate created during Exchange setup has a 5-year validity period. Check expiration with Get-AuthConfig and Get-ExchangeCertificate using the thumbprint from CurrentCertificateThumbprint.

Still Stuck? We Can Help

Our Exchange Server experts have resolved thousands of issues just like yours.

  • Remote troubleshooting in 95 minutes average
  • No upfront commitment or diagnosis fees
  • Fix-it-right guarantee with documentation

Microsoft Exchange Specialists

Our Exchange Server specialists have 15+ years of combined experience managing enterprise email environments. We provide 24/7 support, emergency troubleshooting, and ongoing administration for businesses worldwide.
