Merge pull request #2515 from microsoft/lusassl-06032026-1

dpaulson45 · web-flow · commit e25774bc59ba · 2026-03-06T09:58:27.000-06:00
Improve certificate renewal workflow in deserialization failure scenario
diff --git a/Admin/MonitorExchangeAuthCertificate/ConfigurationAction/New-ExchangeAuthCertificate.ps1 b/Admin/MonitorExchangeAuthCertificate/ConfigurationAction/New-ExchangeAuthCertificate.ps1
@@ -209,11 +209,14 @@ function New-ExchangeAuthCertificate {
                         } else {
                             Write-Verbose "Creating a default self-signed certificate with a lifetime of 5 years"
                             $certObject = New-ExchangeCertificate @newAuthCertificateParams
+
                             $newAuthCertificate = [PSCustomObject]@{
                                 Thumbprint = $certObject.Thumbprint
                                 Subject    = $certObject.Subject
+                                RawData    = $certObject.RawData # We need to include RawData in case the deserialization of the cert object fails
                             }
                         }
+                        Write-Verbose "Certificate with thumbprint: $($newAuthCertificate.Thumbprint) was generated"
                         Start-Sleep -Seconds 5
                     } else {
                         $newAuthCertificateParams.GetEnumerator() | ForEach-Object {
@@ -240,7 +243,7 @@ function New-ExchangeAuthCertificate {
 
                 if ($null -ne $newAuthCertificate) {
                     $operationSuccessful = $true
-                    if ($null -ne $newAuthCertificate.Thumbprint) {
+                    if (-not([System.String]::IsNullOrWhiteSpace($newAuthCertificate.Thumbprint))) {
                         Write-Verbose ("Certificate object successfully deserialized")
                         [string]$newAuthCertificateThumbprint = $newAuthCertificate.Thumbprint
                     } else {
diff --git a/Shared/CertificateFunctions/Import-ExchangeCertificateFromRawData.ps1 b/Shared/CertificateFunctions/Import-ExchangeCertificateFromRawData.ps1
@@ -22,6 +22,11 @@ function Import-ExchangeCertificateFromRawData {
             Write-Verbose ("Going to process '$($ExchangeCertificates.Count )' Exchange certificates")
 
             foreach ($c in $ExchangeCertificates) {
+                if ($null -eq $c.RawData) {
+                    Write-Verbose "Skipping certificate because RawData is null"
+                    continue
+                }
+
                 # Initialize X509Certificate2 class
                 $certObject = New-Object 'System.Security.Cryptography.X509Certificates.X509Certificate2'
                 # Use the Import() method to import byte[] RawData
