Exchange 2013 ECP, Certificates Tab Giving Error

I have an Exchange 2013 server installed on Server 2012.
Everything was working fine until a few days ago, when I noticed that I was not able to open the Certificates tab from the ECP.
I did some updates over time but don't know at what point the tab stopped working.
The version on the Exchange is Version 15.0 Build 847.32

I need to renew the certificate, and that's when I noticed the problem accessing the panel.

For the time being: if possible, can you provide me some info on how I can renew the certificate using PowerShell?

Everything else works like a charm; it's only the Certificates tab. No problem with email flow or any other tab, as a matter of fact.
Thanks
Costas Georgiou (Network Administrator) asked:

Will Szymkowski (Senior Solution Architect) commented:
If you are trying to renew your 3rd party SSL cert then do it from IIS and create a new CSR for your Exchange server. Once you have your CSR, send it to the provider and they will send you back a cer/crt file.

Complete the import process and enable the certificate on the CAS server using Enable-ExchangeCertificate -thumbprint xxxxxxxxx -services "pop,imap,smtp,iis"

You will also need to export the cert with the private key and import it into any other CAS servers. Also run the Enable-ExchangeCertificate command above on each CAS server where you install the cert.

Generate CSR from IIS
https://www.digicert.com/csr-creation-microsoft-iis-7.htm

Will
0
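
Added example, not part of the original thread or any participant's post: the request, import, enable and export steps described in the answer above, run from the Exchange Management Shell as the question asked. The function names, host names and file paths are hypothetical placeholders; the -DomainName parameter of New-ExchangeCertificate puts the listed host names into the request.

```powershell
# Added example for the Exchange Management Shell. Function names, host names
# and paths are hypothetical placeholders; substitute your own values.

function New-RenewalRequest {
    param([string]$Subject, [string[]]$DomainName, [string]$RequestPath)
    # The key pair is generated on this server; only the request leaves it.
    $csr = New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$Subject" `
        -DomainName $DomainName -KeySize 2048 -PrivateKeyExportable $true
    Set-Content -Path $RequestPath -Value $csr
}

function Complete-Renewal {
    param([string]$CerPath, [string]$PfxPath)
    if (-not (Test-Path $CerPath)) { throw "Issued certificate not found: $CerPath" }

    # Completing the pending request pairs the issued cert with the stored key.
    $new  = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($CerPath))
    $cert = Get-ExchangeCertificate -Thumbprint $new.Thumbprint

    # Do not bind a certificate that has no key here or is outside its validity window.
    $now = Get-Date
    if (-not $cert.HasPrivateKey) { throw 'No private key for the imported certificate on this server.' }
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        throw "Certificate not valid now: $($cert.NotBefore) to $($cert.NotAfter)"
    }

    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services POP,IMAP,SMTP,IIS

    # Export with the private key for the other CAS servers. The PFX holds the
    # key: protect it with a strong password and delete the file after import.
    $pw  = Read-Host -Prompt 'PFX password' -AsSecureString
    $pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded -Password $pw
    [System.IO.File]::WriteAllBytes($PfxPath, $pfx.FileData)

    # Re-read the certificate so the listing shows the services just assigned.
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
        Format-List Thumbprint, Subject, Services, NotBefore, NotAfter
}

# Step 1: create the request, then submit C:\CertRenewal\mail.req to the CA.
New-RenewalRequest -Subject 'mail.example.com' `
    -DomainName 'mail.example.com', 'autodiscover.example.com' `
    -RequestPath 'C:\CertRenewal\mail.req'

# Step 2 (after the CA returns the .cer file): import, enable, export.
# Complete-Renewal -CerPath 'C:\CertRenewal\mail.cer' -PfxPath 'C:\CertRenewal\mail.pfx'
```

On each additional CAS server, import the PFX with Import-ExchangeCertificate and its -Password parameter, then run Enable-ExchangeCertificate there as well.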

Costas Georgiou (Network Administrator, Author) commented:
Thanks for the info, mate:

The certificate is not a new one, it's a renewal, so do you recommend to keep it simple and just create a new one?
Or can I create a CSR for renewal from IIS as well?
In case I create a renewal request from IIS, does that mean I have to rekey the SSL on the DigiCert site?

So to summarize, the options are as follows:
1) If I create a new certificate request in IIS, then use that request to rekey the certificate on DigiCert.
Once that is done I will receive the new certificate and use that to complete the certificate request in IIS

and to finish it off use the Enable-ExchangeCertificate command to assign the services to the certificate.

Is there anything that I am missing in this?
0
David Johnson, CD, MVP (Owner) commented:
It is in reality a new certificate, as the not valid before and not valid after will have changed; therefore the thumbprint will be different.
0

Costas Georgiou (Network Administrator, Author) commented:
When I create a new certificate request within IIS it doesn't allow me to add any SANs at all.

Sorry for the basic questions, I really lack experience with certificates.
0
Hariom (Exchange Experts) commented:
Are you getting event ID 15021 HttpEvent in the system event log? If yes, then please try the following article:

https://viralr.wordpress.com/2015/02/20/exchange-2013-blank-ecp-owa-screen-event-id-15021-httpevent-in-system-event-log/
0
Will Szymkowski (Senior Solution Architect) commented:
I will answer back in a few just on phone now.

Will.
0
Will Szymkowski (Senior Solution Architect) commented:
"The certificate is not a new one, it's a renewal, so do you recommend to keep it simple and just create a new one?"
The Renew option in Exchange is for the self-signed certificate, which is not what you're trying to renew. You need to generate a new CSR and send that to GoDaddy or whatever 3rd party you will be using.

"When I create a new certificate request within IIS it doesn't allow me to add any SANs at all."
You do not add the SAN names during the CSR process. You do this on the DigiCert site or have one of their representatives add the SAN names that you require. The more SAN names you have on the cert, the higher the cost.

Once you have the cert you will need to run the commands that I have outlined in my first post.

Will.
0
Hello World commented:
Hi,

Please run the command below to get the expiry time of the certificate:
Get-ExchangeCertificate | FL Identity,*Thum*,*Not*

Then run the command below to renew the certificate:
Get-ExchangeCertificate "Thumbprint" | New-ExchangeCertificate
For more details, please refer to:
http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html
0
Costas Georgiou (Network Administrator, Author) commented:
Thanks for the info guys, I will try the solutions and shall get back to you soon with an update.
Thanks
0
Costas Georgiou (Network Administrator, Author) commented:
Thanks for all the info, guys.
I was just overthinking and making it complicated.
Thanks to you I have a better understanding of the process now.

One issue resolved. However, I think our original question got lost in the process.

Coming to the ECP not working:
I can see error logs when the error comes up on the Certificates tab, as below.
Event ID: 5 Source: MSExchange control panel

Current user: 'mydomain.local/Users/Administrator'
Web service call 'https://ip-server.domain.local:444/ecp/DDI/DDIService.svc/GetList?schema=CertificateServices&msExchEcpCanary=WG5byqjmq0mF-0Hs84dO3UZZyY1IOtII3-uUcSx1LBM-i3By__XizbfyDPHBVXY5pk7mY6CERH4.(https://owa.domainname.net.au/ecp/DDI/DDIService.svc/GetList?schema=CertificateServices&msExchEcpCanary=WG5byqjmq0mF-0Hs84dO3UZZyY1IOtII3-uUcSx1LBM-i3By__XizbfyDPHBVXY5pk7mY6CERH4.)' failed with the following error:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ArgumentOutOfRangeException: The added or subtracted value results in an un-representable DateTime.
Parameter name: value
   at System.DateTime.AddTicks(Int64 value)
   at System.DateTime.Add(TimeSpan value)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneRuleGroup.GetRuleForUtcTime(DateTime utcDateTime)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneInformation.GetRuleForUtcTime(DateTime utcDateTime)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneInformation.FindLeastBiasForLocalTime(DateTime dateTime, TimeSpan& bestBias)
   at Microsoft.Exchange.ExchangeSystem.ExDateTime..ctor(ExTimeZone desiredTimeZone, DateTime dateTime)
   at Microsoft.Exchange.Management.DDIService.CertificateHelper.GetListPostAction(DataRow inputRow, DataTable dataTable, DataObjectStore store)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Microsoft.Exchange.Management.DDIService.Activity.DoPostRun(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind)
   at Microsoft.Exchange.Management.DDIService.Workflow.Run(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind, UpdateTableDelegate updateTableDelegate)
   at Microsoft.Exchange.Management.DDIService.WSListDataHandler.ExecuteCore(Workflow workflow)
   at Microsoft.Exchange.Management.DDIService.WSDataHandler.Execute()
   at Microsoft.Exchange.Management.DDIService.DDIServiceHelper.GetListCommon(DDIParameters filter, SortOptions sort, Boolean forGetProgress)
   at SyncInvokeGetList(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Microsoft.Exchange.Management.DDIService.Activity.DoPostRun(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind)
   at Microsoft.Exchange.Management.DDIService.Workflow.Run(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind, UpdateTableDelegate updateTableDelegate)
   at Microsoft.Exchange.Management.DDIService.WSListDataHandler.ExecuteCore(Workflow workflow)
   at Microsoft.Exchange.Management.DDIService.WSDataHandler.Execute()
   at Microsoft.Exchange.Management.DDIService.DDIServiceHelper.GetListCommon(DDIParameters filter, SortOptions sort, Boolean forGetProgress)
   at SyncInvokeGetList(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)

System.ArgumentOutOfRangeException: The added or subtracted value results in an un-representable DateTime.
Parameter name: value
   at System.DateTime.AddTicks(Int64 value)
   at System.DateTime.Add(TimeSpan value)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneRuleGroup.GetRuleForUtcTime(DateTime utcDateTime)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneInformation.GetRuleForUtcTime(DateTime utcDateTime)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneInformation.FindLeastBiasForLocalTime(DateTime dateTime, TimeSpan& bestBias)
   at Microsoft.Exchange.ExchangeSystem.ExDateTime..ctor(ExTimeZone desiredTimeZone, DateTime dateTime)
   at Microsoft.Exchange.Management.DDIService.CertificateHelper.GetListPostAction(DataRow inputRow, DataTable dataTable, DataObjectStore store)
   at System.DateTime.AddTicks(Int64 value)
   at System.DateTime.Add(TimeSpan value)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneRuleGroup.GetRuleForUtcTime(DateTime utcDateTime)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneInformation.GetRuleForUtcTime(DateTime utcDateTime)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneInformation.FindLeastBiasForLocalTime(DateTime dateTime, TimeSpan& bestBias)
   at Microsoft.Exchange.ExchangeSystem.ExDateTime..ctor(ExTimeZone desiredTimeZone, DateTime dateTime)
   at Microsoft.Exchange.Management.DDIService.CertificateHelper.GetListPostAction(DataRow inputRow, DataTable dataTable, DataObjectStore store)

Flight info: Features:[[Global.DistributedKeyManagement, False],[Global.GlobalCriminalCompliance, False],[Global.MultiTenancy, False],[Global.WindowsLiveID, False],[Eac.AllowMailboxArchiveOnlyMigration, True],[Eac.AllowRemoteOnboardingMovesOnly, False],[Eac.CmdletLogging, True],[Eac.CrossPremiseMigration, False],[Eac.DiscoveryPFSearch, False],[Eac.DlpFingerprint, False],[Eac.GeminiShell, False],[Eac.Office365DIcon, False],[Eac.UnlistedServices, False],],  Flights:[],  Constraints:[[mode, enterprise],[user, Administrator@],[org, ],[loc, en-AU],], IsGlobalSnapshot: False
0