Cannot manage federation certificate and roll certificate to make the next certificate the current certificate.
I have renewed our current Entrust certificate that was working fine with Exchange federation. I have the new certificate installed as the next certificate; however, I cannot roll to it. The error thrown in EMC is "Exception has been thrown by the target of an invocation". Not a very helpful error. Using the shell and running "Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate -verbose" gives some more detail. I'll post just the most relevant part. Thumbprint "42D16DBC60F074A7E25771FF60E3DB04A9C0268F" was rejected by Windows Live Domain Services. Detailed information: "InvalidManagementCertificate: Certificate not valid for this operation.". What is even more strange is that the certificate described in the error is the current certificate that has already been assigned for federation services. Any ideas?
Tim
March 3rd, 2011 4:10pm

Hi, where did you buy this new certificate? Is it also from Entrust? I have seen the same problem with a DigiCert certificate, and it was resolved by the steps described in the following article:
Thanks
Gen Lin-MSFT
https://www.digicert.com/ssl-support/windows-cross-signed-chain.htm
March 4th, 2011 3:51am

Was there supposed to be a link to the article? Both the Current and Next certificate are Entrust. The Next certificate is just a renewal of the Current certificate.
Tim
March 4th, 2011 10:05am
