How to update expiring TLS certificates in an ODM AD Domain Rewrite project (4373295)

How to update expiring TLS certificates in an ODM AD Domain Rewrite project

Video explaining how to update the expiring TLS certificates when using On Demand Migration Active Directory (ODM AD) Domain Rewrite.

An ODM AD migration project that runs longer than a year for Domain Rewrite.

Certificate Requirements — Required for TLS

• One (1) SSL Certificate for each tenant
• Associated with any accepted domain in the tenant
• Cannot be a domain that is being moved if Domain Move is in scope
• Saved in PFX Format
• Contains private key (password)
• Contains common name and friendly name
• Valid for Server Authentication and Client authentication
• No SAN certificates with multiple domains
• No Wildcard certificates

Perform the following steps to apply the new certificate to Domain Rewrite.

1. Log into ODM AD Domain Rewrite project, then click on Settings and select the Rewrite Service tab.
2. From the dropdown list of domains, select the domain with the expiring certificate and click the Cert icon.
3. Browse to and choose the new .PFX file for the certificate and enter the password for it.

Note: To monitor its progress, click the hamburger button and select Certificates.

• The new certificate should move from Pending to an Active state.
• The old expiring certificate should then move from Expiring to an Inactive state.
• For the certificate to take effect on the domain, please ensure to check the Checkbox for the domain under Seettings > Rewrite Services

Important: starting October 2025, all major Certificate Authorities can no longer generate certificates, containing both EKUs, Server and Client Authentication, together. Quest has deployed a code change on Nov 12/13 (for different regions) that will allow using certificate with Server Authentication only for Domain Rewrite. Please note: that this requirement with both EKUs stems from Exchange Online requirements.