I have been seeing this warning every time I log into the Microsoft Online Portal for the past couple of weeks:
Naturally, I ignored it. I followed Joe’s advice and installed the Microsoft Office 365 Federation Metadata Update Automation Installation Tool to create a scheduled task that automatically notifies Office 365 that the self-signed token signing certificate has automatically renewed itself. With everything being automated, I figured the warning would automatically go away after 10 days. It did not.
The reason was timing. The self-signed token-signing certificate is good for a year. 20 days prior to expiration, the server will automatically renew the certificate. The new certificate is marked as primary and the old certificate stays around for 20 days to give you a chance to notify Office 365 of the certificate change. That is what the Update Automation task does for you. When the warning did not go away I contacted Microsoft to make sure I was not missing anything. There would be no excuse for an outage affecting several thousand mail users when I have been warned about the issue for a month, so I opened a ticket to be safe.
Microsoft wants you to be safe and avoid a resume-generating event, so they make this 30-day warning a 45-day warning. This makes the warning and automatic renewal overlap by 5 days to make sure you have enough time to update Office 365 before the old certificate expires.
Expiration minus 45 days – federation certificate expiration warning is issued in the Portal
Expiration minus 20 days – token-signing certificate is automatically renewed
Expiration minus 19 days – scheduled task updates Office 365 with the new token-signing certificate
In my case this means the warning should go away in a week once the certificate renews and the task updates Office 365. If the warning has not gone away by then, it is possible that some passwords have expired and the scheduled task is not working. At least I have plenty of time to address any of those issues before the certificate expires.
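
The timeline above can be turned into a check that says whether a lingering warning is expected or whether the scheduled task has fallen behind. The following PowerShell is an added example, not part of the original post or of Microsoft's tool; the function name, phase names and sample values are hypothetical, and it assumes the thumbprints are read from `Get-AdfsCertificate -CertificateType Token-Signing` on the AD FS server and from `Get-MsolFederationProperty` for the federated domain.

```powershell
# Day thresholds from the post's timeline (days before the old certificate expires).
$WarnDays = 45; $RenewDays = 20; $TaskDays = 19

function Get-FederationCertPhase {
    param(
        # NotAfter of the token-signing certificate Office 365 currently trusts
        [Parameter(Mandatory)] [datetime] $TrustedCertNotAfter,
        # Thumbprint of the AD FS primary token-signing certificate
        [Parameter(Mandatory)] [string] $AdfsPrimaryThumbprint,
        # Thumbprint of the certificate Office 365 currently trusts
        [Parameter(Mandatory)] [string] $Office365Thumbprint,
        [datetime] $Today = (Get-Date)
    )
    $daysLeft = [int]($TrustedCertNotAfter.Date - $Today.Date).TotalDays
    $inSync   = $AdfsPrimaryThumbprint -eq $Office365Thumbprint

    if ($daysLeft -gt $WarnDays) {
        $phase = 'Quiet'; $action = 'None. No portal warning is expected yet.'
    } elseif ($daysLeft -gt $RenewDays -and $inSync) {
        $phase = 'WarningOnly'; $action = 'None. The warning is expected; renewal has not happened yet.'
    } elseif ($inSync) {
        # Assumption: a matching thumbprint this late means no new primary exists yet.
        $phase = 'RenewalPending'; $action = 'Confirm AD FS has generated the new certificate.'
    } elseif ($daysLeft -ge $TaskDays) {
        $phase = 'AwaitingTask'; $action = 'Wait for the scheduled task to update Office 365.'
    } else {
        $phase = 'TaskOverdue'; $action = 'Check the scheduled task and the password of the account it runs as.'
    }
    [pscustomobject]@{ DaysLeft = $daysLeft; Phase = $phase; Action = $action }
}

# Constructed sample values: placeholder thumbprints and an arbitrary expiry date.
$old = 'OLD-THUMBPRINT-PLACEHOLDER'; $new = 'NEW-THUMBPRINT-PLACEHOLDER'
$expiry = [datetime]'2013-06-30'

# 27 days before expiry, AD FS and Office 365 still agree on the old certificate.
Get-FederationCertPhase -TrustedCertNotAfter $expiry -AdfsPrimaryThumbprint $old -Office365Thumbprint $old -Today '2013-06-03'
# 14 days before expiry, AD FS has a new primary but Office 365 still trusts the old one.
Get-FederationCertPhase -TrustedCertNotAfter $expiry -AdfsPrimaryThumbprint $new -Office365Thumbprint $old -Today '2013-06-16'
```

Once the task has pushed the new certificate, the trusted certificate's expiry moves out by a year and the same function reports the quiet phase again.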