
We want to check the Exchange Server certificates. After signing in to the Exchange admin center, everything looks good there. But when we run the Get-ExchangeCertificate cmdlet, it returns a blank output. Why does this happen? In this article, you will learn how to fix the Get-ExchangeCertificate cmdlet showing blank output.

Get-ExchangeCertificate cmdlet shows empty output

Two Exchange Servers (EX01-2019/EX02-2019) are running in the organization. Let’s run the Get-ExchangeCertificate cmdlet on both Exchange Servers.

Get-ExchangeCertificate

The output on both Exchange Servers, EX01-2019 and EX02-2019, is empty.

Thumbprint                                Services   Subject
----------                                --------   -------

Why do we get this, and what is the solution for the blank output when running the Get-ExchangeCertificate cmdlet?

Solution for Get-ExchangeCertificate shows blank output

The blank output appears because serialized payload signing is enabled and the Exchange Auth certificate is missing or corrupt. If the Exchange Auth certificate is missing or corrupt but serialized payload signing is not enabled, the Get-ExchangeCertificate cmdlet still shows values in the output.

Note: Certificate signing of the PowerShell serialization payload has been enabled by default since the November 2023 Exchange Server Security Updates and later.

To fix this issue, we have to install a new Exchange Auth certificate on the Exchange Server.

If you already have an Exchange Auth certificate and Get-ExchangeCertificate still shows blank output, the certificate is corrupt.

Important: Did you just install the Exchange Auth certificate? It can take up to 24 hours before it becomes valid, so wait and check again later.
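The check that the script in the next step performs can also be done by hand. The following PowerShell is added here as an example; it is not part of the original article and not part of the MonitorExchangeAuthCertificate.ps1 script. It reads the thumbprint configured as the organization's Auth certificate with Get-AuthConfig and looks for that thumbprint in the local machine certificate store of every Mailbox server through PowerShell remoting, so it does not depend on Get-ExchangeCertificate, the cmdlet that returns nothing in this situation. It also reports a staged (next) Auth certificate and its effective date, which is the reason for the 24-hour wait above, and reads the EnableSerializationDataSigning registry value that Microsoft documents for turning payload signing off. It assumes an elevated Exchange Management Shell on a Mailbox server, membership in Organization Management, and WinRM access to the other servers.

```powershell
# Added example: verify the Exchange Auth certificate without Get-ExchangeCertificate.
# Assumes an elevated Exchange Management Shell on a Mailbox server,
# Organization Management membership and WinRM access to the other servers.

# 1. Which thumbprint does the organization expect to use as the Auth certificate?
$authConfig = Get-AuthConfig
$current    = $authConfig.CurrentCertificateThumbprint
$next       = $authConfig.NextCertificateThumbprint

Write-Host "Configured Auth certificate thumbprint: $current"
if ($next) {
    # A renewal has been staged. It only becomes active at the effective date,
    # which is why a freshly installed Auth certificate can need up to a day.
    Write-Host "Staged (next) Auth certificate:         $next"
    Write-Host "Becomes active on:                      $($authConfig.NextCertificateEffectiveDate)"
}

# 2. Is serialization payload signing enabled on this server?
# With the November 2023 SU and later the feature is on unless the value is 0.
$regPath = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics'
$signing = (Get-ItemProperty -Path $regPath -Name 'EnableSerializationDataSigning' `
            -ErrorAction SilentlyContinue).EnableSerializationDataSigning
$signingState = if ($null -eq $signing) { 'enabled (default)' }
                elseif ($signing -eq 0) { 'disabled' }
                else { 'enabled' }
Write-Host "Serialization payload signing on $($env:COMPUTERNAME): $signingState"

# 3. Every Mailbox server (Edge Transport servers do not hold the certificate)
#    must have the certificate, with its private key, and it must not be expired.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' }

$report = foreach ($server in $servers) {
    $cert = Invoke-Command -ComputerName $server.Fqdn -ArgumentList $current -ScriptBlock {
        param($thumbprint)
        # The Cert: drive reads the store directly, so it still works when
        # Get-ExchangeCertificate returns nothing.
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $thumbprint } |
            Select-Object Thumbprint, NotAfter, HasPrivateKey
    }

    $status = if (-not $cert) { 'MISSING - renew the Auth certificate' }
              elseif ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED - renew the Auth certificate' }
              elseif (-not $cert.HasPrivateKey) { 'NO PRIVATE KEY - renew the Auth certificate' }
              else { 'OK' }

    [PSCustomObject]@{
        Server     = $server.Name
        Thumbprint = $current
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        Status     = $status
    }
}

$report | Format-Table -AutoSize
```

Any server whose Status is not OK is the condition described above; the fix is the renewal in step 2 below. If a next certificate is listed with an effective date in the future, the renewal has already been done and the remaining step is to wait for that date.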

1. Check Microsoft Exchange Server Auth certificate

It’s very important that the certificate configured as Auth certificate is valid (not expired) and available on all Exchange Servers (except Edge Transport role and Exchange Management Tools role) within the organization.

Download the MonitorExchangeAuthCertificate.ps1 PowerShell script and place it in the folder C:\scripts.

Start Exchange Management Shell and run the below command to check the Exchange Auth certificate status.

Note: To run the script, you must be a member of the Organization Management role group. The script must be run from an elevated Exchange Management Shell (EMS) command prompt on an Exchange Server running the Mailbox role. The script cannot be run on an Exchange Management Tools-only machine.

C:\Scripts\MonitorExchangeAuthCertificate.ps1

The output shows that the Exchange Auth certificate needs to be replaced by a new one.

Monitor Exchange Auth Certificate script version 23.11.22.1714
The script was run without parameter therefore, only a check of the Auth Certificate configuration is performed and no change will be made

Current Auth Certificate thumbprint: 4010E939A05777DC08A4196830125B2AF2BDFBC1
Current Auth Certificate is valid for -1 day(s)
Exchange Hybrid was detected in this environment

The actively used Auth Certificate is missing on the following servers:
EX01-2019.exoip.local, EX02-2019.exoip.local

Test result: The Auth Certificate in use must be replaced by a new one.

Log file written to: C:\Program Files\Microsoft\Exchange Server\V15\Logging\AuthCertificateMonitoring\AuthCertificateMonitoringLog_20231201153933.txt

2. Renew Exchange Auth certificate

Run the below command to renew the Microsoft Exchange Auth certificate.

C:\Scripts\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true -IgnoreHybridConfig $true -Confirm:$false

The output shows that the renewal action was successfully performed.

Monitor Exchange Auth Certificate script version 23.11.22.1714
Mode: Testing and replacing or importing the Auth Certificate (if required)
Renewal scenario: The Auth Certificate in use must be replaced by a new one.
WARNING: Waiting for service 'Microsoft Exchange Service Host (MSExchangeServiceHost)' to start...

The renewal action was successfully performed - the new Auth Certificate will become active on: 12/01/2023 15:43:41
Please ensure to run the Hybrid Configuration Wizard (HCW) as soon as the new Auth Certificate becomes active.

Log file written to: C:\Program Files\Microsoft\Exchange Server\V15\Logging\AuthCertificateMonitoring\AuthCertificateMonitoringLog_20231201154320.txt

Note: If you have an Exchange Hybrid configuration, you must rerun the Hybrid Configuration Wizard as soon as the new Auth certificate becomes active. Do that after you verify the Exchange Auth certificate in the next step.

3. Verify Exchange Auth certificate

Run the MonitorExchangeAuthCertificate.ps1 script to check the Exchange Auth certificate.

C:\Scripts\MonitorExchangeAuthCertificate.ps1

The output shows that the Auth certificate is valid.

Monitor Exchange Auth Certificate script version 23.11.22.1714
The script was run without parameter therefore, only a check of the Auth Certificate configuration is performed and no change will be made

Current Auth Certificate thumbprint: 6789B2FE30740132E2DDBF147023E7485F476526
Current Auth Certificate is valid for 1826 day(s)
Exchange Hybrid was detected in this environment

Test result: No renewal action is required

Log file written to: C:\Program Files\Microsoft\Exchange Server\V15\Logging\AuthCertificateMonitoring\AuthCertificateMonitoringLog_20231201155121.txt

4. Run Get-ExchangeCertificate cmdlet

Run the Get-ExchangeCertificate cmdlet and verify that the output appears with values instead of blank output.

Get-ExchangeCertificate

All the certificates appear in the output and look great.

Thumbprint                                Services   Subject
----------                                --------   -------
6789B2FE30740132E2DDBF147023E7485F476526  ....S..    CN=Microsoft Exchange Server Auth Certificate
804F01FADE7DF2AA309277F6BD0F96CF4B3C9B62  IP.WS..    CN=EX02-2019
6BC65424EC1FA8803CDE86F6286518FDB639BFB6  .......    CN=CLIUSR
7EB920C8E05D8DBD0E1CF0C06A584C879F674E60  .......    CN=WMSvc-SHA2-EX02-2019
0014716C6390CFFBA0794248EE248D40129D7020  .......    CN=CLIUSR

5. Rerun Hybrid Configuration Wizard

If you have an Exchange Hybrid environment, you need to rerun the Hybrid Configuration Wizard.

6. Check Exchange Server certificate status

Run the Exchange Health Checker script and verify the certificate status.

[PS] C:\scripts>Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html

Immediately after the new Exchange Auth certificate is installed, the report looks like this: all certificate statuses appear as Unknown.

(Screenshot: Exchange Health Checker report before the new Auth certificate becomes active, certificate status Unknown)

Give it a maximum of 24 hours and run the Health Checker script again. All certificate statuses now appear as Valid.

(Screenshot: Exchange Health Checker report after the new Auth certificate becomes active, certificate status Valid)

That’s it!
