Clicked "Renew" certificate in Exchange 2013 and then admin site immediately crashes

Exchange 2013 is the best when it's working but good god almighty is it a total pain when you screw one thing up.  It's 2015 and the autodiscover service still is unbelievably difficult to get to actually work on external devices like iPhones, I was troubleshooting it and found my alternative subject names had the "AutoDiscover.domain.com" capitalized and of course naturally something like that which makes no difference in the real world causes the whole process not to work.  So I went to Exchange admin center >  Servers  >  Certificates and clicked "Renew" on the main certificate file and POOF!!  Admin center no longer opens.  Just like that.  THANKS MICROSOFT!!!

Would love it if anybody can tell me why it is I'm too stupid to figure this thing out and how to fix it, and/or why clicking one friggin link can bring down all of Exchange administration.
tphelps19 (IT Manager) Asked:
tphelps19 (IT Manager, Author) Commented:
The error message I get is "Certificate Error:  Navigation Blocked".
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

What's the error you're getting when you try to open EAC? So you mean to say that you renewed the autodiscover certificate, which in turn failed the EAC? Can you check the SSL certificate of the Default Web Site from IIS Manager and see if it's pointing to the correct certificate, please?

Thanks
Manikandan
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

Were you getting the message previously? Usually we get this error if we use a private certificate or the certificate which is created at the time of installation of Exchange. You can replace this certificate by obtaining a private certificate from your internal CA where the EAC URLs are added in the certificate.

Thanks
Manikandan
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

Usually we receive this warning because the certificate is from untrusted publishers. Hence you have two ways: either you add the certificate to Trusted Publishers and Trusted Root Certification Authorities, or you obtain a new certificate from the internal CA.

Thanks
Manikandan
Md. Mojahid Commented:
This error happens when someone tries to access a server while the certificate was created for another one. For example, you are trying https://zzz.example.com and the certificate was created for https://www.example.com (that's the innocuous one). Or when somebody is trying to fool you in order to make you connect to a malicious server (the dangerous one). You can see the certificate properties and check what domain it was created for and if that domain is the same one you are connecting to.

Are you accessing exactly the same address from the PC with the error and the other two? Are you typing the URL or choosing it from Favorites?

Is the server a publicly accessible one or is it on an intranet? If public, what's the URL you are accessing?
tphelps19 (IT Manager, Author) Commented:
No it's not that.  This isn't a pop up error, this is an ENTIRE error where you CAN'T access the Exchange Admin Center.  The title of the page just says "Certificate Error:  Navigation Blocked".  I swear all I did was click "Renew" on the certificate because I couldn't figure out how to change the subject alternative names.
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

Go to IIS, select the Exchange Back End > right-click and go to Bindings > select the https protocol and see if the certificate which is showing is the default one known as Microsoft Exchange. If any other certificate is showing, select Microsoft Exchange from the drop-down menu and try to access the EAC again.

Thanks
Manikandan
tphelps19 (IT Manager, Author) Commented:
It was set to the original certificate I created when I first built the server (although I don't remember how I did it, I just know it's that one because I named it something unique).  I've tried changing the bindings on both the default website and backend website to be every different possible certificate and none of them work.  When I double click the shortcut for Exchange Admin Center it always tries to take me to this URL:

https://ssd-mail01/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fssd-mail01%2fecp
tphelps19 (IT Manager, Author) Commented:
Here are a couple of screenshots of the bindings.  Naturally the window doesn't expand because Microsoft engineers still don't understand that people need more than 2 inches to see the info on the screen.
tphelps19 (IT Manager, Author) Commented:
WOW.... so get this.  I had to go hook up another computer and access the admin center from it because it won't open from the Exchange server.  Now that I can get into the admin center, how the heck do I delete every single certificate and just start over??
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

Delete it from Exchange admin center >  Servers  >  Certificates

Thanks
Manikandan
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

Don't delete the default one known as Microsoft Exchange; delete the one which you renewed, after which this issue appeared.

Thanks
Manikandan
tphelps19 (IT Manager, Author) Commented:
How do you create a new one with all the right alternative subject names?
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

The certificate creation steps are pretty simple: you have to create it from Exchange admin center >  Servers  >  Certificates. Make sure that the names mentioned on the certificates are correct; those are case sensitive. Refer to the link below, which will give you an idea of how to create certificates for Exchange 2013.

http://exchangeserverpro.com/create-ssl-certificate-request-exchange-2013/

Thanks
Manikandan
Simon Butler (Sembee) (Consultant) Commented:
Autodiscover on mobile devices is very hit and miss - more miss than hit.
I tell clients to always have manual instructions available, because you will need them.

That isn't the fault of Exchange, but due to the way that the mobile device vendor has implemented ActiveSync. It is one of the reasons many think that Microsoft bought Accompli - so that they have a standard client under their control rather than the mixture of clients created by the vendors.

Exchange 2013 uses two web sites and therefore it is easy to screw up the bindings. The quickest way to deal with that is to use EMS and run new-exchangecertificate (no further commands). That will create a new certificate bound to the correct web site. That should give you access to the server again and allow you to apply a trusted SSL certificate instead.

Simon.
tphelps19 (IT Manager, Author) Commented:
I tried to remove the cert and this is the error message I get.
Simon Butler (Sembee) (Consultant) Commented:
That isn't a valid image file, so you will need to either post the error message or try again.

Simon.
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

Try running these commands to remove the Exchange certificate. You can also refer to the link below for reference.

Get-ExchangeCertificate
Remove-ExchangeCertificate -Thumbprint (Paste the Thumbprint of the certificate)

http://exchangeserverpro.com/remove-ssl-certificate-exchange-server-2013/

Thanks
Manikandan
tphelps19 (IT Manager, Author) Commented:
When I run that command the "problem" cert (which I'm not sure how to tell it's the problem other than it's the main one I've been dealing with) is not in the list.  It doesn't show up but it shows up in IIS and Exchange Admin Center.  I was able to create a new self signed cert but that now has taken down my local Outlook.
Simon Butler (Sembee) (Consultant) Commented:
Creating a new local certificate will cause Outlook to stop working as it puts in a self signed untrusted certificate. However that will allow you to login to ECP and create a new SSL request. That can then be installed and enabled through ECP.

Simon.
tphelps19 (IT Manager, Author) Commented:
I've created a new cert but that doesn't seem to do anything.  I've checked IIS and the cert is listed for 443 and 444 for both the default website and backend website.  What else could I be doing wrong?  I can't even open Outlook because of a "problem with the proxy's server certificate".  I'm so lost..
tphelps19 (IT Manager, Author) Commented:
So after a $500 Microsoft support incident the problem turns out to be quite common.  Once you click "Renew" it instantly creates a new certificate and needs to be re-added to the "Trusted Certificate Authorities" on both the Exchange Server AND on the machine you're connecting to Outlook with.

So the moral of the story is clicking the "Renew" link in Exchange Admin Center under Servers > Certificates breaks your entire setup.
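
The state described in this thread (a renewed self-signed certificate with a new thumbprint, bound in IIS but not yet in Trusted Root Certification Authorities) can be checked from the Exchange Management Shell. This is an added example, not code from any poster in the thread; it assumes the WebAdministration and PKI modules are available on the server (Export-Certificate and Import-Certificate ship with Windows Server 2012 and later) and that C:\Temp exists.

```powershell
# Added example, not from the thread. Run elevated in the Exchange Management Shell.
Import-Module WebAdministration

# Thumbprints this machine trusts as root CAs.
$roots = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint }

# HTTPS bindings in IIS: 443 is the Default Web Site, 444 is Exchange Back End.
$bindings = Get-ChildItem IIS:\SslBindings | Select-Object Port, Thumbprint

$report = foreach ($cert in Get-ExchangeCertificate) {
    $ports = @($bindings | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
               ForEach-Object { $_.Port })
    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        Names       = $cert.CertificateDomains -join ', '
        Services    = $cert.Services
        NotAfter    = $cert.NotAfter
        SelfSigned  = $cert.IsSelfSigned
        BoundPorts  = $ports -join ','
        # A self-signed certificate is trusted only if that exact certificate
        # (same thumbprint) is itself in the Root store.
        InLocalRoot = $roots -contains $cert.Thumbprint
    }
}
$report | Format-List

# The state described above: bound in IIS, self-signed, and not yet trusted.
$untrusted = @($report | Where-Object {
    $_.BoundPorts -and $_.SelfSigned -and -not $_.InLocalRoot })
foreach ($c in $untrusted) {
    Write-Warning "Bound on port(s) $($c.BoundPorts) but not in Trusted Root: $($c.Thumbprint)"
    # Export the public certificate only (no private key) for the Trusted Root store.
    # C:\Temp is an assumed, existing folder.
    $file = "C:\Temp\$($c.Thumbprint).cer"
    Get-Item "Cert:\LocalMachine\My\$($c.Thumbprint)" |
        Export-Certificate -FilePath $file | Out-Null
    Write-Output "Exported $file"
}

# Then, on the Exchange server and on each Outlook client (elevated), per certificate:
#   Import-Certificate -FilePath <path to .cer> -CertStoreLocation Cert:\LocalMachine\Root
```

A certificate issued by an internal or public CA that clients already trust does not need this per-machine import, which is the route the answers above recommend once ECP is reachable again.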

tphelps19 (IT Manager, Author) Commented:
Found answer myself after paying Microsoft for the solution.  I swear they create the disease and then sell you the cure.  Much like religion.