You run the Hybrid Configuration Wizard to set up a hybrid deployment of on-premises Microsoft Exchange Server and Exchange Online in Office 365. However, when you get to the last page of the wizard, you discover that a certificate is missing.
This issue occurs if the root certification authority (CA) wasn't imported successfully. Therefore, it isn't verified as a public, third-party root CA, and the Exchange certificate wasn't configured correctly for an Exchange 2010 hybrid deployment.
To resolve this issue, check the value of the RootCAType property. To do this, use the Exchange Management Shell on the hybrid server to run the following command:
Get-ExchangeCertificate | FL
The RootCAType property identifies the kind of CA that issued the certificate. It should return a value of ThirdParty.
If it instead returns a value of either Registry or None, reimport the certificate on the hybrid server, and then configure the certificate for an Exchange hybrid deployment. For more information about how to do this, go to the following Microsoft website:
The RootCAType property can have any of the following values:
Registry: An internal, private PKI root CA that has been manually installed in the certificate store
ThirdParty: A public, third-party root CA
If the property's value is Registry, the certificate is not listed when you run the Hybrid Configuration Wizard.
In the case of a private CA, the Hybrid Configuration Wizard can’t be completed successfully. Self-signed certificates can’t be used for Exchange services in a hybrid deployment. You have to install and assign Exchange services to a valid digital certificate that is purchased from a trusted CA.
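The RootCAType check described above can be run across every certificate on the hybrid server in one pass. The following PowerShell is an added example, not part of the original article or a Microsoft script; the function name Test-HybridCertificate, the UsableInHybrid and Action columns, and the sample objects are assumptions made for illustration.

```powershell
# Added example (not from the original article). Written for PowerShell 2.0,
# the version used by the Exchange 2010 Management Shell.
function Test-HybridCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Certificate
    )
    process {
        # RootCAType may arrive as an enum or a string; compare it as a string.
        $rootType = "$($Certificate.RootCAType)"
        $usable = $false
        if ($Certificate.IsSelfSigned) {
            $action = 'Self-signed: install a certificate purchased from a trusted CA'
        }
        elseif ($rootType -eq 'ThirdParty') {
            $usable = $true
            $action = 'None'
        }
        elseif ($rootType -eq 'Registry' -or $rootType -eq 'None') {
            $action = 'Reimport and reconfigure; a private-CA certificate must be replaced'
        }
        else {
            $action = 'Value not covered by the article: review manually'
        }
        New-Object PSObject -Property @{
            Thumbprint     = $Certificate.Thumbprint
            Subject        = $Certificate.Subject
            Services       = $Certificate.Services
            RootCAType     = $rootType
            UsableInHybrid = $usable
            Action         = $action
        } | Select-Object Thumbprint, Subject, Services, RootCAType, UsableInHybrid, Action
    }
}

# Constructed sample objects (not real certificates) so the function can be
# tried on a workstation without Exchange installed.
$sample = @(
    (New-Object PSObject -Property @{ Thumbprint = 'SAMPLE-THUMBPRINT-1'; Subject = 'CN=mail.example.com';
        Services = 'IIS, SMTP'; RootCAType = 'ThirdParty'; IsSelfSigned = $false }),
    (New-Object PSObject -Property @{ Thumbprint = 'SAMPLE-THUMBPRINT-2'; Subject = 'CN=mail.example.com';
        Services = 'IIS, SMTP'; RootCAType = 'Registry'; IsSelfSigned = $false }),
    (New-Object PSObject -Property @{ Thumbprint = 'SAMPLE-THUMBPRINT-3'; Subject = 'CN=EXCH01';
        Services = 'SMTP'; RootCAType = 'None'; IsSelfSigned = $true })
)
$sample | Test-HybridCertificate | Format-Table -AutoSize

# On the hybrid server, in the Exchange Management Shell:
# Get-ExchangeCertificate | Test-HybridCertificate | Format-List
```

Only rows with UsableInHybrid set to True correspond to certificates that report a RootCAType of ThirdParty and are not self-signed.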