Leo

Exchange WebMail Certificate expired

Hi All,
The Exchange Webmail SSL certificate for our workplace expired yesterday; there are a few other branches in different regions who use the same webmail as us. So I tried the following steps, but I was not able to renew the certificate.
1) In Exchange PowerShell I tried this:
Get-ExchangeCertificate -Thumbprint "BFC6AA7FB004A32FFDCC20B822D6EFBC49CBFAA0" | New-ExchangeCertificate
Didn't work...
2) Tried this PowerShell command:
New-ExchangeCertificate -domainname mail.google.com, google.com, google.local, autodiscover.google.com, server01.google.com, server01 -Friendlyname google.com -generaterequest:$true -keysize 2048 -path c:\certrequest.txt -privatekeyexportable:$true -subjectname "c=US, o=Google Inc., cn=server01.google.com, s=California, l=Mountain View, ou=IT"
That created the text file and a certificate as well. When I went to mmc, under Personal root, it was there. I moved it to Trusted Root Certificate Authority, but it's not working. I had a look at the Certificate Path for this certificate... it just says Webmail.domain.com, but it's not pointing to Microsoft Exchange. Could this be the problem? How can it be fixed?
Do I need to purchase an SSL certificate from GoDaddy to make the webmail work?
Avatar of Leo

ASKER

Output for this command, i.e. Get-ExchangeCertificate |FL ;


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.Crypt
                     oKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.domain.com.au, evault.domain.com.au, webmail.local.domain.com.au, autodiscover.domain.com.au, autodiscover.local.domain.com.au,
                      autodiscover.elamotors.com.pg, autodiscover.asco.com.fj, autodiscover.ela.com.sb, autodiscover.asco.vu, autodiscover.asco.com.to, autodis
                     cover.asco.ws, autodiscover.asco.as, ttcars.domain.com.au, bnemes01.ttsp.internal, bnevlt01.ttsp.internal, evault.ttsp.internal}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=webmail.domain.com.au, OU=”IT”, O=”localdomain”, L=”Brisbane”, S=”QLD”, C=AU
NotAfter           : 2/08/2016 2:38:28 PM
NotBefore          : 2/08/2015 2:38:28 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 2432AE43855FA29B4023186319F7E89F
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=webmail.domain.com.au, OU=”IT”, O=”localdomain”, L=”Brisbane”, S=”QLD”, C=AU
Thumbprint         : 432FB48C6ADBB08D062C710352A312E5C34E32DF

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.domain.com.au, evault.domain.com.au, webmail.local.domain.com.au, autodiscover.domain.com.au, autodiscover.local.domain.com.au,
                      autodiscover.elamotors.com.pg, autodiscover.asco.com.fj, autodiscover.ela.com.sb, autodiscover.asco.vu, autodiscover.asco.com.to, autodis
                     cover.asco.ws, autodiscover.asco.as, ttcars.domain.com.au, bnemes01.ttsp.internal, bnevlt01.ttsp.internal, evault.ttsp.internal...}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=webmail.domain.com.au, OU=IT, O=localdomain, L=Brisbane, S=QLD, C=AU
NotAfter           : 2/08/2016 9:30:53 AM
NotBefore          : 2/08/2015 9:10:53 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 089E8CE5EC74AE8849F23EE15100A74B
Services           : None
Status             : Valid
Subject            : CN=webmail.domain.com.au, OU=IT, O=localdomain, L=Brisbane, S=QLD, C=AU
Thumbprint         : 2CDC28049F1727CBE6CD24C64C83AD9B8C482821

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.domain.com.au, evault.domain.com.au, webmail.local.domain.com.au, autodiscover.domain.com.au, autodiscover.local.domain.com.au,
                      autodiscover.elamotors.com.pg, autodiscover.asco.com.fj, autodiscover.ela.com.sb, autodiscover.asco.vu, autodiscover.asco.com.to, autodis
                     cover.asco.ws, autodiscover.asco.as, ttcars.domain.com.au, bnemes01.ttsp.internal, bnevlt01.ttsp.internal, evault.ttsp.internal}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : C=AU, S=”QLD”, L=”Brisbane”, O=”localdomain”, OU=”IT”, CN=webmail.domain.com.au
NotAfter           : 2/08/2016 3:37:08 AM
NotBefore          : 2/08/2015 3:17:08 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 3FE5A404B66E04AE4D7EFA993C0CDABF
Services           : None
Status             : Valid
Subject            : C=AU, S=”QLD”, L=”Brisbane”, O=”localdomain”, OU=”IT”, CN=webmail.domain.com.au
Thumbprint         : BFC6AA7FB004A32FFDCC20B822D6EFBC49CBFAA0

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.Crypt
                     oKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {BNEMES01, BNEMES01.ttsp.internal}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=BNEMES01
NotAfter           : 2/08/2016 3:07:16 AM
NotBefore          : 2/08/2015 3:07:16 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 47FCF1127BDAD29647614998DBF14CE8
Services           : SMTP
Status             : Valid
Subject            : CN=BNEMES01
Thumbprint         : 5A2DEF3EBD6A951D64F97A2972932088EF4E649C

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.Crypt
                     oKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {BNEMES01, BNEMES01.ttsp.internal}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=BNEMES01
NotAfter           : 2/08/2016 12:53:37 AM
NotBefore          : 2/08/2015 12:53:37 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 68AF331B53583F9149BD161E9716AB8D
Services           : SMTP
Status             : Valid
Subject            : CN=BNEMES01
Thumbprint         : 9769CA59E79A263A0FB7DFD457D07A643B3B7F83

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.Crypt
                     oKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {BNEMES01, BNEMES01.ttsp.internal}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=BNEMES01
NotAfter           : 1/08/2016 10:31:32 PM
NotBefore          : 1/08/2015 10:31:32 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 3819607C9454F9B54B8EFDB9C6C0C5F6
Services           : SMTP
Status             : Valid
Subject            : CN=BNEMES01
Thumbprint         : 06824E13CCE4514424168FF105DC54A732B1FCAF

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.Crypt
                     oKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {BNEMES01, BNEMES01.ttsp.internal}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=BNEMES01
NotAfter           : 1/08/2016 9:34:03 PM
NotBefore          : 1/08/2015 9:34:03 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 27AE24DA4D6734914E0ACDA0EDEF5D6B
Services           : SMTP
Status             : Valid
Subject            : CN=BNEMES01
Thumbprint         : 05560459698E1D8865216F271E41CD40109E3CB9

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.Crypt
                     oKeyAccessRule}
CertificateDomains : {webmail.domain.com.au, evault.domain.com.au, webmail.local.domain.com.au, autodiscover.domain.com.au, autodiscover.local.domain.com.au,
                      autodiscover.elamotors.com.pg, autodiscover.asco.com.fj, autodiscover.ela.com.sb, autodiscover.asco.vu, autodiscover.asco.com.to, autodis
                     cover.asco.ws, autodiscover.asco.as, ttcars.domain.com.au, bnemes01.ttsp.internal, bnevlt01.ttsp.internal, evault.ttsp.internal...}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=TTSP-CA, DC=ttsp, DC=internal
NotAfter           : 1/08/2015 11:25:34 AM
NotBefore          : 1/08/2013 11:25:34 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 659034A700010000016B
Services           : IMAP, POP, IIS, SMTP
Status             : DateInvalid
Subject            : CN=webmail.domain.com.au, OU=IT, O=localdomain, L=Brisbane, S=QLD, C=AU
Thumbprint         : 94A80E70EFF1B2C5932009B164CF988CD653E525

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.Crypt
                     oKeyAccessRule}
CertificateDomains : {webmail.domain.com.au, evault.domain.com.au, webmail.local.domain.com.au, autodiscover.domain.com.au, autodiscover.local.domain.com.au,
                      autodiscover.elamotors.com.pg, autodiscover.asco.com.fj, autodiscover.ela.com.sb, autodiscover.asco.vu, autodiscover.asco.com.to, autodis
                     cover.asco.ws, autodiscover.asco.as, ttcars.domain.com.au, bnemes01.ttsp.internal, bnevlt01.ttsp.internal, evault.ttsp.internal...}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=TTSP-CA, DC=ttsp, DC=internal
NotAfter           : 25/05/2014 3:13:21 PM
NotBefore          : 25/05/2012 3:13:21 PM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 76BA831E0001000000DD
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=webmail.domain.com.au, O=local domain South Pacific Holdings Pty Ltd, C=AU
Thumbprint         : 575B73C9CB836D40ED799790EA297A1DB7640CFD
This is a self issued certificate, as such it will not be trusted. You need to purchase a (preferably UC) certificate from a trusted authority. The provider will generally have a guide for how to install it.

You don't mention what version of server you are running, but they have guides for most.

Cheers
Andrew
Please post the result of the command
Get-ExchangeCertificate | fl issuer,IsSelfSigned,NotAfter,thumbprint

Please use this to create new CSR
http://gallery.technet.microsoft.com/Exchange-20072010-and-2013-17a0b52f
Avatar of Leo

ASKER

Do I need to purchase a single-site SSL certificate or a multi-site SSL certificate?
Avatar of Leo

ASKER

MAS, Step 1 of your instructions for the first link is to install the certificate; which certificate am I installing?
You need to have a multiple-domain (UC) certificate from a 3rd party CA.
Create the CSR using my tool provided above.
Let them issue the certificate and then download the certificate from the control panel of the 3rd party CA portal.
Then install using the link provided above.

You need 2 names if you have only 1 email domain.
1. mail.emaildomain.com
2. autodiscover.emaildomain.com
It is explained in my article above regarding the names required.
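
A way to triage a `Get-ExchangeCertificate` listing like the one posted earlier against the requirements given in the replies (issued by a trusted CA rather than self-signed, not expired, covering the mail and autodiscover names, enabled for IIS). This is an added example, not code from the thread or from Microsoft; `Get-CertificateFindings` is a hypothetical helper name and the sample objects are constructed.

```powershell
# Added example, not from the thread: report why a certificate cannot serve OWA.
function Get-CertificateFindings {
    param(
        [Parameter(Mandatory = $true)]$Certificates,             # objects shaped like Get-ExchangeCertificate output
        [Parameter(Mandatory = $true)][string[]]$RequiredNames,  # names clients connect to
        [datetime]$Now = (Get-Date)
    )
    foreach ($cert in $Certificates) {
        # CertificateDomains holds domain objects on a real server; compare as lower-case strings.
        $names   = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
        $missing = @($RequiredNames | Where-Object { $names -notcontains $_.ToLower() })

        $issues = @()
        if ($cert.NotAfter -lt $Now) { $issues += 'expired' }
        if ($cert.IsSelfSigned)      { $issues += 'self-signed' }
        if ($missing.Count -gt 0)    { $issues += 'missing names: ' + ($missing -join ', ') }
        # Services is a flags enum on a real server; its string form lists the enabled services.
        if ("$($cert.Services)" -notmatch '\bIIS\b') { $issues += 'not enabled for IIS' }

        New-Object PSObject -Property @{
            Thumbprint   = $cert.Thumbprint
            UsableForOwa = ($issues.Count -eq 0)
            Issues       = ($issues -join '; ')
        }
    }
}

# Constructed sample data mirroring the three situations in the thread's listing:
# a fresh self-signed certificate, an expired CA-issued one, and a valid third-party one.
$now = Get-Date
$sample = @(
    New-Object PSObject -Property @{
        Thumbprint = 'SAMPLE-SELF-SIGNED'; IsSelfSigned = $true;  NotAfter = $now.AddDays(300)
        Services = 'IMAP, POP, SMTP'
        CertificateDomains = @('mail.emaildomain.com', 'autodiscover.emaildomain.com')
    }
    New-Object PSObject -Property @{
        Thumbprint = 'SAMPLE-EXPIRED-CA'; IsSelfSigned = $false; NotAfter = $now.AddDays(-1)
        Services = 'IMAP, POP, IIS, SMTP'
        CertificateDomains = @('mail.emaildomain.com', 'autodiscover.emaildomain.com')
    }
    New-Object PSObject -Property @{
        Thumbprint = 'SAMPLE-THIRD-PARTY'; IsSelfSigned = $false; NotAfter = $now.AddDays(365)
        Services = 'IMAP, POP, IIS, SMTP'
        CertificateDomains = @('mail.emaildomain.com', 'autodiscover.emaildomain.com')
    }
)

$required = 'mail.emaildomain.com', 'autodiscover.emaildomain.com'
Get-CertificateFindings -Certificates $sample -RequiredNames $required |
    Format-Table Thumbprint, UsableForOwa, Issues -AutoSize

# In the Exchange Management Shell, pass the live objects instead of the sample:
# Get-CertificateFindings -Certificates (Get-ExchangeCertificate) -RequiredNames $required
```

Only the third sample row comes back with `UsableForOwa` set to True; the first is flagged as self-signed and not enabled for IIS, the second as expired.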
Avatar of Leo

ASKER

Certification has been installed and emails have started coming, but now on Outlook and on some websites we are getting the following error attached.
Website-Error.jpg
Exchange-Email-cert-fail-1.JPG
SOLUTION
Avatar of M A
M A
This solution is only available to members.
Avatar of Leo

ASKER

The errors are still not fixed :-(
[PS] C:\Windows\system32>get-exchangecertificate

Thumbprint                                Services   Subject
----------                                --------   -------
C941FFCAB21DC6BCD1FC5F0F2E4955351CE83767  IP.WS      CN=webmail.domain.com.au, OU=Domain Control Validated
5A2DEF3EBD6A951D64F97A2972932088EF4E649C  ....S      CN=BNEMES01
9769CA59E79A263A0FB7DFD457D07A643B3B7F83  ....S      CN=BNEMES01
575B73C9CB836D40ED799790EA297A1DB7640CFD  IP..S      CN=webmail.domain.com.au, O=local South Pacific Holdings Pty Ltd, C=AU

For the top one, i.e. C941FFCAB21DC6BCD1FC5F0F2E4955351CE83767, what do I have to do so that for its services it will display IP..S?
Enable-ExchangeCertificate -Server 'EXCH-H-868' -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'C941FFCAB21DC6BCD1FC5F0F2E4955351CE83767'

should do the trick
Avatar of Leo

ASKER

That certificate is only purchased for webmail (from GoDaddy). So should I still enable it for IMAP, POP and SMTP?
Avatar of Leo

ASKER

Getting this error when I run the command you listed...

Enable-ExchangeCertificate : A parameter cannot be found that matches parameter name 'Server'.
At line:1 char:35
+ Enable-ExchangeCertificate -Server <<<<  'Exchange' -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'C941FFCAB21DC6BCD1FC5F0F2E4955351CE83767'
    + CategoryInfo          : InvalidArgument: (:) [Enable-ExchangeCertificate], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Exchange.Management.SystemConfigurationTasks.EnableExchangeCertificate
Please run this on all servers and let me know
Enable-ExchangeCertificate -Services 'IMAP, POP, IIS, SMTP' -Thumbprint <Thumbprint-of-the-new-certificate>

Avatar of Leo

ASKER

Thanks guys. On the browser, it's still trying to refer to the old cert, even though I have deleted it.
We have a TMG server as well; do I have to do anything on it? I have already imported the certificate on the TMG server.
Kindly see the attached error.
Cert.jpg
SOLUTION
This solution is only available to members.
Avatar of Leo

ASKER

The one I posted is the expired one, and I got the new cert from GoDaddy, the old one is already deleted......under services for new cert it shows  IP.WS
Avatar of Leo

ASKER

I believe it should show IP..S ?
It should be like this on the new GoDaddy certificate
IP.WS  
IMAP, POP, IIS, SMTP  (command result)
Avatar of Leo

ASKER

So what do I have to do, so that on browser it starts pointing to new cert?
Post the result of this command
Get-ExchangeCertificate | fl Services,IsSelfSigned,Thumbprint

Avatar of Leo

ASKER

Services     : IMAP, POP, IIS, SMTP
IsSelfSigned : False
Thumbprint   : C941FFCAB21DC6BCD1FC5F0F2E4955351CE83000
This is correct.
Anyway, please check the certificate thumbprint when you open OWA by clicking view certificate.
If it is not the same, then there is some intermediate device in play.
Avatar of Leo

ASKER

When I access owa it gives IIS7 screen.
Are there any further checks I can do?
Open OWA by typing https://mail.domain.com/owa
Avatar of Leo

ASKER

Already tried this, getting this message....
The webpage at https://mail.domian.com/owa might be temporarily down or it may have moved permanently to a new web address.
Avatar of Leo

ASKER

I can access it by IP address, not by mail.domain.com name.....
SOLUTION
This solution is only available to members.
Avatar of Leo

ASKER

OK, how can I check if it's split DNS or not?
And how can I resolve it?
What IP is returned when you ping mail.domain.com?
It should return the IP of the server, not the IP of your external interface.

To get it to return the IP of your server you need to create a primary zone in your DNS server for domain.com and then create an A record for mail that points to the server. This is called a split DNS, as the IP returned is different from internal to external.

Cheers
Andrew
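
A way to run the two checks suggested in the replies above from a PowerShell prompt: which IP the name resolves to from this machine, and which certificate thumbprint is actually presented when connecting by name versus directly to the server. This is an added example, not code from the thread; `Get-PresentedCertificate` and `Test-OwaPath` are hypothetical helper names and `192.0.2.10` is a placeholder for the Exchange server's internal IP, while the host name and thumbprint are the ones quoted in the thread.

```powershell
# Added example, not from the thread: inspect the certificate a TLS endpoint presents.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,  # name clients type; used for the TLS handshake
        [string]$ConnectTo = $HostName,                   # name or IP the socket is opened to
        [int]$Port = 443
    )
    $ssl = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ConnectTo, $Port)
        # Accept whatever is presented: the aim is to inspect the certificate, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            ConnectedTo = $ConnectTo
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
        }
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $client.Close()
    }
}

function Test-OwaPath {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][string]$ServerIp,
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
    )
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()

    # The "what IP is returned" check: what this machine's resolver gives for the name.
    try   { $resolved = @([System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }) }
    catch { $resolved = @() }

    # Fetch the certificate twice: by name (whatever path DNS selects) and straight to the server.
    $seen = @{}
    foreach ($target in @($HostName, $ServerIp)) {
        try   { $seen[$target] = (Get-PresentedCertificate -HostName $HostName -ConnectTo $target).Thumbprint }
        catch { $seen[$target] = 'unreachable: ' + $_.Exception.Message }
    }

    New-Object PSObject -Property @{
        ResolvedTo          = ($resolved -join ', ')
        ResolvesToServer    = ($resolved -contains $ServerIp)  # False internally: no split DNS record for the name
        ViaNameThumbprint   = $seen[$HostName]
        ViaServerThumbprint = $seen[$ServerIp]
        ViaNameMatches      = ($seen[$HostName] -eq $expected)  # False while ViaServerMatches is True:
        ViaServerMatches    = ($seen[$ServerIp] -eq $expected)  # a device in between presents another certificate
    }
}

# Host name and thumbprint as quoted in the thread; 192.0.2.10 is a placeholder (assumption).
Test-OwaPath -HostName 'mail.domain.com' -ServerIp '192.0.2.10' `
    -ExpectedThumbprint 'C941FFCAB21DC6BCD1FC5F0F2E4955351CE83767' | Format-List
```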
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Avatar of Leo

ASKER

Exceptional assistance, too good, thanks to all experts for their assistance...