Urgent Help Needed Please!!!

I installed a cert today on my Exchange 2013 machine. This then lost me the ability to log in via ECP or OWA; I used to get a login screen, but now I just get "page cannot be displayed".

Please, can anyone help?

Have you run an iisreset on the server since you made the update?
Also you might want to verify your certificate is in good working order.

If the iisreset does not work we might want to look at your cert or just get it reissued, reapply to Exchange, reset IIS and try again.
pepps11976 (Author) commented:
OK, I have managed to get the admin console etc. back by using the default cert in PS.

I purchased a wildcard cert from GoDaddy. The server name is Exchange and the domain is called name.domain-uk.com.

This only happened when I assigned services to the cert.

GoDaddy issued two files when I purchased it: one was a .crt and one was a .p7b. Can somebody please help me get the cert installed? I am not sure which one to use or if I am doing something wrong.

Please help.

Okay, so how did you create the certificate request?

You will need to complete the pending request, so the matching keypair will be registered on the computer.

One easy way is to do this from the computer the CSR was generated on:
Install the .crt and .p7b from GoDaddy (the .p7b probably contains the CA certs).

Then open the .crt file, look for the serial number, then open an elevated command prompt and run:
certutil -repairstore My <serialnumber from above>

Then simply go back to IIS and replace the certificate in IIS with the new one and then iisreset and you are done.
pepps11976 (Author) commented:
I had already completed the pending request, so I am guessing I will have to get the cert reissued from GoDaddy.

Is there any chance you could show me step by step, including installing the .p7b, as I did this but must have done it wrong because I buggered the whole thing up :)
Can you verify in the MMC if the certificate says its private key is installed?
Winkey + R
Add/Remove Snap-in
Local Computer
Expand Certificates
Look for the certificate in the right pane that matches the certificate from GoDaddy.
Double-click to open this certificate and see if it says "you have a private key for this certificate installed".

Let me know before you reissue.

The p7b is just for installing the intermediate certs etc.
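The two checks above (complete the pending request and repair the key link with certutil, then confirm that the certificate in the Local Computer Personal store has its private key) done from an elevated PowerShell window on the Exchange server. This is an added example, not code from the thread; the file paths are placeholders, and the serial number and thumbprint are read from the .crt instead of being copied by hand from the Details tab.

```powershell
# Added example (not code from the thread). Paths are placeholders:
# $CrtPath is the leaf certificate GoDaddy issued, $P7bPath the chain bundle.
param(
    [string]$CrtPath = 'C:\certs\star.tech-uk.com.crt',
    [string]$P7bPath = 'C:\certs\gd_bundle.p7b'
)

# Identify the issued certificate by thumbprint, not by friendly name:
# the Personal store can hold several GoDaddy certs (the OP found two).
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CrtPath
'Issued: {0}  serial={1}  thumbprint={2}  expires={3:yyyy-MM-dd}' -f `
    $issued.Subject, $issued.SerialNumber, $issued.Thumbprint, $issued.NotAfter

# 1. The .p7b carries only the intermediate/root CA certs (no private key).
#    Put them in the machine's CA store so IIS can send a complete chain.
certutil -addstore -f CA $P7bPath | Out-Null

# 2. Make sure the leaf is in LocalMachine\My. If the CSR was completed on this
#    box it is already there; -f just overwrites the same cert harmlessly.
certutil -addstore -f My $CrtPath | Out-Null

function Get-StoredLeaf {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
}

# 3. Check whether the store copy is linked to a private key.
$stored = Get-StoredLeaf
if (-not $stored -or -not $stored.HasPrivateKey) {
    # The key from the pending request exists but is not linked to the cert;
    # certutil -repairstore re-associates them using the serial number.
    certutil -repairstore My $issued.SerialNumber | Out-Null
    $stored = Get-StoredLeaf
}

if ($stored -and $stored.HasPrivateKey) {
    "OK: private key present for thumbprint $($stored.Thumbprint); safe to bind with Enable-ExchangeCertificate."
} else {
    # No key on this machine means the CSR was generated elsewhere (or the key was
    # deleted): re-key/re-issue at GoDaddy from a new request made on this server.
    "No private key for $($issued.Thumbprint) on this machine; the cert must be re-keyed."
}
```

Run it as `.\Check-Cert.ps1 -CrtPath <crt> -P7bPath <p7b>` from an elevated prompt. The point of the thumbprint lookup is the situation the OP hit later in the thread: two GoDaddy certificates in the store, only one of which has a key, and the friendly names do not tell them apart.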
Adam Farage, Sr. Enterprise Architect, commented:
If you are doing a reissue of the certificate, and the private key exists (which it didn't before), I would recommend following the EAC steps for the fulfillment. This should not be imported into the Certificate MMC as that is going to cause issues.
Adam, what are the issues that it will cause?

Help me to understand...
Are you saying that the two keypairs will somehow not know which key they are matched to ?

If you had said that, once he validates the certificate has the private key present, he needs to ensure that certificate is correctly bound to the right services in the EAC, I could understand that; but to provide bad information indicating that importing a certificate into a certificate store will somehow cause a problem is in no way correct.
pepps11976 (Author) commented:
This is what I have; I am very confused.

In EAC under Servers > Certificates, I have the certificate that I have installed; the services activated on it are SMTP and IIS.

Yet the other certs that come preinstalled with Exchange also have these services enabled.

I looked in the MMC for GoDaddy and there were a few in there, so I'm not sure what I was really looking for.

If I try to browse to https://server.domain-uk.net/owa I still get a cert issue, and Outlook users internally still cannot connect.
OK, so I am guessing I should have said specifically to look for the certificate that matches the name of the one you just got from GoDaddy, as well as the expiration date.

This is just so we do not do a reissue if we do not need to.

Winkey + R
Add/Remove Snap-in
Local Computer
Expand Certificates
Look for the certificate in the right pane that matches the certificate from GoDaddy (site.domain.com, with expiration date and thumbprint matching the newly issued .crt file).
(How do you find the thumbprint? Double-click the .crt file from GoDaddy, click on Details and scroll down to Thumbprint.)

Double-click to open this certificate (the one that matches the .crt file) and see if it says "you have a private key for this certificate installed".
Once we are sure you have the private key, you can either simply update the certificate in IIS by doing a replace and then an iisreset /noforce

Or update the EAC.
pepps11976 (Author) commented:
OK, I found them in
Certificates - Local Computer - Personal - Certificates

I have two there for some reason; one has a key, and if I look at the thumbprint it matches the one displayed in PS Get-ExchangeCertificate.
Which one is the one that matches the .crt?

Does the one that matches the thumbprint from the .crt have the private key?
pepps11976 (Author) commented:
Yes, it does.
pepps11976 (Author) commented:
Also, if you could confirm something for me: my domain is called


I bought a wildcard *.tech-uk.com; should I have purchased a wildcard for *.tech.tech-uk.com?

Or is what I bought OK?
Great, so your request was properly processed.

If you say the cert is correctly bound in Exchange, then you can validate in IIS.
If not, you can simply run from an Exchange cmdlet window:

Enable-ExchangeCertificate -Thumbprint <thumbprint of the .crt certificate> -Services POP,IMAP,SMTP,IIS (or whichever services you need to bind)

You can then simply go to IIS just to verify the certificate is correct: click on the site, go to Edit Bindings, click on View Certificate and ensure the thumbprint matches. If for any reason it does not, you can simply replace the certificate here and bind the certificate with the correct thumbprint, then run:
iisreset /noforce and you are done.
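The bind-and-verify sequence just described (Enable-ExchangeCertificate, then confirm the IIS SSL binding carries the same thumbprint, then iisreset /noforce) as an added PowerShell example, not code from the thread. The thumbprint value is a placeholder to replace; the IIS:\SslBindings provider comes from the WebAdministration module installed with IIS on an Exchange 2013 server, and the -Force switch on Enable-ExchangeCertificate suppresses the prompt about replacing the default SMTP certificate.

```powershell
# Added example (not code from the thread). Replace the placeholder thumbprint with
# the one from the .crt's Details tab; spaces copied from the MMC are stripped.
param([string]$Thumbprint = '0000000000000000000000000000000000000000')
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Exchange's view of the cert: the names it covers, what it is bound to, and
# whether the key is there. Binding a key-less cert is what broke OWA/ECP.
$exCert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $exCert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key on this server; do not bind it."
}
'Before: {0}  domains={1}  services={2}' -f $exCert.Subject, ($exCert.CertificateDomains -join ','), $exCert.Services

# Bind the services. SMTP asks before replacing the default SMTP cert; -Force answers yes.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services IIS,SMTP -Force

# Now check that the IIS SSL bindings on 443 (Default Web Site) really carry this
# thumbprint. Port 444 is the Exchange back-end site and keeps its own cert.
Import-Module WebAdministration
$stale = @()
foreach ($b in Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 }) {
    $ok = ($b.Thumbprint -eq $Thumbprint)
    '{0}:{1}  {2}  {3}' -f $b.IPAddress, $b.Port, $b.Thumbprint, $(if ($ok) { 'OK' } else { 'MISMATCH' })
    if (-not $ok) { $stale += $b }
}

# The "replace the certificate in IIS" step, done only for bindings still on the old cert.
foreach ($b in $stale) {
    $path = 'IIS:\SslBindings\{0}!{1}' -f $b.IPAddress, $b.Port
    Remove-Item -Path $path
    Get-Item "Cert:\LocalMachine\My\$Thumbprint" | New-Item -Path $path | Out-Null
}

iisreset /noforce
```

Run it in the Exchange Management Shell as an administrator. Checking the binding's thumbprint rather than the certificate's friendly name is what catches the case in this thread, where several GoDaddy certificates with similar names sit in the same store.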
How is your domain structure set up?

Do you have:


If you have
mail.tech.tech-uk.com then you need *.tech.tech-uk.com

Wildcards are only for one level / domain
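An added example, not from the thread, that makes the one-label wildcard rule above concrete and can be pointed at an installed certificate's name list. The hostnames are the ones used in this thread; the matching logic itself is not Exchange-specific.

```powershell
# Added example (not code from the thread). Implements the wildcard rule from
# RFC 6125: "*" stands for exactly one DNS label, so "*.tech-uk.com" covers
# mail.tech-uk.com but not mail.tech.tech-uk.com and not the bare tech-uk.com.
function Test-CertNameMatch {
    param([string]$CertName, [string]$HostName)
    if ($CertName -ieq $HostName) { return $true }          # exact SAN/CN match
    if (-not $CertName.StartsWith('*.')) { return $false }   # only a leading "*." is a wildcard
    $suffix       = $CertName.Substring(2)
    $suffixLabels = $suffix -split '\.'
    $hostLabels   = $HostName -split '\.'
    if ($hostLabels.Count -ne $suffixLabels.Count + 1) { return $false }
    return (($hostLabels[1..($hostLabels.Count - 1)] -join '.') -ieq $suffix)
}

function Test-HostCoveredByCert {
    # $Domains is the list of names on the cert; for an Exchange cert that is
    # (Get-ExchangeCertificate -Thumbprint <x>).CertificateDomains cast to [string[]].
    param([string[]]$Domains, [string]$HostName)
    foreach ($d in $Domains) {
        if (Test-CertNameMatch -CertName $d -HostName $HostName) { return $true }
    }
    return $false
}

# Constructed input: the wildcard the OP bought, and the names the thread uses.
$bought = @('*.tech-uk.com')
$needed = 'mailserver.tech-uk.com', 'autodiscover.tech-uk.com',
          'exchange.tech.tech-uk.com', 'tech-uk.com'
foreach ($h in $needed) {
    $ok = Test-HostCoveredByCert -Domains $bought -HostName $h
    '{0,-28} {1}' -f $h, $(if ($ok) { 'covered' } else { 'NOT covered: needs its own SAN entry or *.tech.tech-uk.com' })
}
```

To test a real certificate, pass `[string[]](Get-ExchangeCertificate -Thumbprint <thumbprint>).CertificateDomains` as `-Domains`; the cast turns Exchange's domain objects into plain strings. Windows clients apply the same one-label rule when they validate the name, so a host reported as "NOT covered" here is exactly the one that will raise the certificate warning in Outlook.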
pepps11976 (Author) commented:
OK, that may be half my problem then. I have


and I only purchased for *.tech-uk.com.
Okay, so you need a new certificate; that might be your only problem :)
pepps11976 (Author) commented:
OK, so I have added a new cert. I will need to wait until the morning to see if internal users are still getting a certificate error.

Just out of interest, the public-facing domain is domain-uk.com, but the internal domain, as I said, was name.domain-uk.com.

If I want external users to access /owa using, say, webmail.domain-uk.com rather than name.domain-uk.com,

what is it I need to do? Is it some clever DNS stuff?
pepps11976 (Author) commented:
I'm still confused; users are still getting certificate issues!!

The internal users for some reason are accessing via the external address, which is not on the cert as stated above. How can I get around this???
pepps11976 (Author) commented:
OK, I have an update. The reason internal users were being given a cert error is because the Outlook Anywhere internal URL was pointing to mailserver.tech-uk.com, so I have changed this to

exchange.tech.tech-uk.com, and all is fine with that part as I bought a cert for that.

My last question: the external domain is tech-net.com, so how am I able to stop cert errors when browsing externally to mailserver.tech-uk.com?
Adam Farage, Sr. Enterprise Architect, commented:
In internal DNS, set up a forward lookup zone called "tech-uk.com" and set up a DNS A record to point mailserver.tech-uk.com (or whatever) to the *internal* IP. So when folks who are using internal DNS look up tech-uk.com, it will see the internal address and redirect them to the internal server (in this case Exchange).
pepps11976 (Author) commented:
Internal is fine; it's external users not on the domain accessing webmail that is the issue.
Change your external URL to match your internal URL and you will be fine. Just run the set-client access cmdlet and configure the external to match the internal. Hopefully the internal URL is also available on the Internet?
pepps11976 (Author) commented:
But if I already own tech-uk.com, is it not just a case of creating a subdomain on the actual name in hosted DNS?
pepps11976 (Author) commented:
becraig, I appreciate your help on this.

It's just that when we set up the domain, it was said to be best practice not to use .local, so instead we added name.domain-uk.com.

This is now proving to be causing issues, whereas before users only needed to type mailserver.tech-uk.com; this now needs to change.

Is there no way around this?

Also, am I right in saying that internal users also need a cert for connecting via Outlook? Can they not use the preinstalled certs?

Would it then be a case of me rekeying the cert I have back to tech-uk.com and adding that, or do I need the cert

tech.tech-uk.com to allow internal (Outlook) users to connect?
Adam Farage, Sr. Enterprise Architect, commented:
Your internal and external FQDN on the CAS services should match. This simplifies the namespace and allows you to keep a single SSL certificate (UC certificate). I would highly recommend updating the InternalURL to match the ExternalURL and then creating a forward lookup zone for the external domain, with an A record pointing to the CAS or load-balanced VIP.

Adam's approach would be much easier in my mind, since all you have to do is modify your DNS records and acquire a new certificate matching the external domain name.

Once that is done and both internal and external URLs match the name of the certificate (the current external domain name),

your certificate errors will go away.
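The configuration Adam and becraig describe (InternalUrl matching ExternalUrl on every CAS virtual directory and on Outlook Anywhere, then an internal forward lookup zone with an A record for the public name) as an added PowerShell example, not code from the thread. mailserver.tech-uk.com, the internal IP 192.0.2.10 and the server name are placeholders; the Exchange cmdlets run in the Exchange Management Shell on the CAS, and the DNS cmdlets on an internal Windows DNS server (DnsServer module, Server 2012 or later).

```powershell
# Added example (not code from the thread). Placeholders: the shared namespace,
# the internal IP of the CAS, and the server name taken from the environment.
$server = $env:COMPUTERNAME          # the CAS, e.g. EXCHANGE
$fqdn   = 'mailserver.tech-uk.com'   # the one name that is on the certificate
$intIp  = '192.0.2.10'               # internal IP of the CAS or load-balanced VIP
$site   = 'Default Web Site'

# 1. Every client-facing virtual directory gets the same internal and external URL.
Set-OwaVirtualDirectory         -Identity "$server\owa ($site)" -InternalUrl "https://$fqdn/owa" -ExternalUrl "https://$fqdn/owa"
Set-EcpVirtualDirectory         -Identity "$server\ecp ($site)" -InternalUrl "https://$fqdn/ecp" -ExternalUrl "https://$fqdn/ecp"
Set-WebServicesVirtualDirectory -Identity "$server\EWS ($site)" -InternalUrl "https://$fqdn/EWS/Exchange.asmx" -ExternalUrl "https://$fqdn/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$server\Microsoft-Server-ActiveSync ($site)" -InternalUrl "https://$fqdn/Microsoft-Server-ActiveSync" -ExternalUrl "https://$fqdn/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$server\OAB ($site)" -InternalUrl "https://$fqdn/OAB" -ExternalUrl "https://$fqdn/OAB"

# 2. Outlook Anywhere is what was handing internal Outlook a name that was not on
#    the cert; the Autodiscover SCP URI should point at a name on the cert too.
Set-OutlookAnywhere -Identity "$server\Rpc ($site)" `
    -InternalHostname $fqdn -InternalClientsRequireSsl $true -InternalClientAuthenticationMethod Ntlm `
    -ExternalHostname $fqdn -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Basic
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "https://$fqdn/Autodiscover/Autodiscover.xml"

# 3. Split-brain DNS: on the internal Windows DNS server, answer the public name
#    with the internal address. Caveat: an internal copy of the whole tech-uk.com
#    zone hides every other public record (www, MX, ...), so either recreate those
#    records here as well or create a zone named after the host alone.
$zone = 'tech-uk.com'
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain   # AD-integrated
}
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'mailserver' -IPv4Address $intIp

# 4. Verify: URLs match, and the name resolves internally to the internal IP.
Get-OwaVirtualDirectory -Server $server | Format-List InternalUrl, ExternalUrl
Get-OutlookAnywhere     -Server $server | Format-List InternalHostname, ExternalHostname
Resolve-DnsName -Name $fqdn -Type A | Select-Object Name, IPAddress
```

Two things to check before relying on this: clients on the Internet find Autodiscover by the SMTP domain (autodiscover.tech-uk.com), so that name must also be on the certificate and in public DNS; and Outlook only stops warning once every URL it is handed (OWA, EWS, OAB, Outlook Anywhere and Autodiscover) resolves to a name the certificate covers, which is why step 1 touches all of them rather than just OWA.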
pepps11976 (Author) commented:
OK guys, I got around this issue by purchasing a multiple-SAN user cert and going through the wizard in Exchange; it pretty much added all that I needed.

Thanks all for your help
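What the wizard does when you request and complete a multi-SAN certificate, as an added Exchange Management Shell example rather than code from the thread. This is the "EAC fulfillment" route Adam recommended: generate the request on the server so the private key is created there, complete it with the issued file, and check the names before binding. Hostnames, organisation fields and file paths are placeholders; the script is meant to be run twice, once to produce the request and again after the CA has returned the certificate.

```powershell
# Added example (not code from the thread). Organisation fields, file paths and
# the hostname list are placeholders; names are the ones discussed in the thread.
$server  = $env:COMPUTERNAME
$names   = 'mailserver.tech-uk.com', 'autodiscover.tech-uk.com', 'exchange.tech.tech-uk.com'
$reqFile = 'C:\certs\exchange-san.req'
$cerFile = 'C:\certs\exchange-san.crt'     # the file the CA returns for this request

if (-not (Test-Path $cerFile)) {
    # 1. Generate the request on the Exchange server itself: the private key is
    #    created here and waits in LocalMachine\My as a pending request.
    $csr = New-ExchangeCertificate -Server $server -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName "CN=$($names[0]), O=Tech UK Ltd, L=London, S=London, C=GB" `
        -DomainName $names -FriendlyName 'Exchange 2013 SAN'
    Set-Content -Path $reqFile -Value $csr -Encoding Ascii
    "Request written to $reqFile; submit it to the CA, save the issued cert as $cerFile and run again."
    return
}

# 2. Complete the pending request with the issued certificate. Exchange matches it
#    to the waiting private key by public key, so no certutil -repairstore is needed.
#    (A .p7b from the CA can be imported the same way; the chain comes with it.)
$bytes    = [Byte[]](Get-Content -Path $cerFile -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -Server $server -FileData $bytes
$cert     = Get-ExchangeCertificate -Server $server -Thumbprint $imported.Thumbprint

# 3. Refuse to bind unless every name we rely on is in the SAN list and the key is there.
$domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
$missing = @($names | Where-Object { $domains -notcontains $_ })
if ($missing.Count -gt 0 -or -not $cert.HasPrivateKey) {
    throw "Not binding $($cert.Thumbprint): missing names [$($missing -join ', ')]; private key present: $($cert.HasPrivateKey)"
}
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force
Get-ExchangeCertificate -Server $server | Format-Table Thumbprint, Services, NotAfter, CertificateDomains -AutoSize
```

The gate in step 3 is the check the thread spent most of its length on: a certificate that is in the store but has no private key, or that is missing one of the names the virtual directories use, gets rejected before it can replace the working binding.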