Troubleshooting Exchange certificate Issues with Hybrid Configuration Wizard (HCW)

Hell Everyone,

sometimes when you try to setup you Exchange 2010/2013 to be in coexistence mode with office 365 – Exchange online, you faced an issue with Hybrid configuration wizard which cannot get your 3rd part exchange certificate even if it’s installed on the CAS servers.

Also, simply HCW will not give you the chance to browse and select the certificate, if HCW not get the certificate automatically then it seems you have a problem with your certificate.

Below snap shot from exchange 2013 HCW which show that the certificate is blank:


Let’s try to list some of these common issues and their solutions:

Case #1: You don’t have a public certificate for exchange.

Hybrid configuration Wizard will absolutely failed since the self signed certificate will not work with HCW, a public certificate is MUST.

Case #2: You have Multiple CAS/EDGE servers in your environment:

Here, first of all you must be sure that a 3rd party certificate (Public) is installed on all CAS/EDGE servers which will be included in the HCW, in other word if one of the CAS/EDGE servers included in the HCW don’t have a 3rd party certificate the HCW wizard will failed to get the certificate.

Case #3: you have a 3rd party certificate but the HCW still failed to get the certificate.

Try to run Get-ExchangeCertificate | fl using exchange power-shell, there is a property called RootCAType, this value should be Third party,  any other value will cause the HCW to fail. based on My experience some customers have a 3rd part certificate but the RootCAType have value = Registry and this cause the HCW to fail, so you must fix this issue.


Case #4: You have a 3rd party certificate, and the RootCAType is third party, but still HCW didn’t get the certificate:

You maybe need to be sure what is the services assigned to the certificate,the Internet Information Service (IIS) and the Simple Mail Transport Protocol (SMTP) services must be assigned to the digital certificate used for hybrid transport. If these services aren’t assigned, secure mail transport between the Exchange Online and the on-premises organizations will not function correctly.

For Exchange 2010, below is a snapshot ( maybe you assigned more services this is OKAY, but at least SMTP and IIS should be assigned):


For Exchange 2013, below is a snapshot ( maybe you assigned more services this is OKAY, but at least SMTP and IIS should be assigned):



For more info about how to assign services to the certificate, follow below links:

Exchange 2010:

Exchange 2013

Case #5: What if the certificate is expired !

Simply, you must renew the certificate to wok fine.

At the end, always run below command in all exchange servers using exchange power-shell in order to check that below value is exact the same to avoid any issue with HCW:

Get-ExchangeCertificate| format-list
  1. Verify the following parameter values are assigned to the certificate:
    • IsSelfSigned parameter   This parameter value should be False.
    • RootCAType parameter   This parameter value should be Third Party.
    • Services parameter   This parameter value should be IIS, SMTP.
    • NotAfter parameter   This parameter value is the certificate expiration date. The date listed here should not be expired.


Blogger …

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the publisher of AzureDummies blog. He also hold many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.

Find Ahmad at Facebook and LinkedIn

One Comment

  1. Hi Ahmad,

    If we use Exchange Edge for Hybrid Mail Flow, what is the requirement of the certificate on Edge server?
    (Third Party? Common Name? Subject Alternative Name?).
    And the certificate must be enabled on both Send/Receive Connector (Hybrid connectors) on the Edge Server?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.