Problem
You’ve recently updated the certificates for your Exchange 2016 servers:
You notice that the ECP / EAC page no longer loads properly after you log in, once you have reassigned the new certificate, deleted the old certificate and restarted the server:
Reviewing the event logs shows the following error constantly logged on the Exchange server(s):
Log Name: System
Source: HttpEvent
Event ID: 15021
Level: Error
An error occurred while using SSL configuration for endpoint 0.0.0.0:444. The error status code is contained within the returned data.
Solution
The error above could be caused by the port 444 SSL certificate binding continuing to reference the old deleted certificate. To determine whether this is the case, start the command prompt and execute the following command:
netsh http show sslcert
The command should list the SSL certificate bindings for the server similar to the following:
C:\>netsh http show sslcert
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : d0da0b35cf91c55b91a10755c0b4b11dfb1d3ff9
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
IP:port : 0.0.0.0:444
Certificate Hash : c71d3d6f9673dcec57d8c76602562d58bd69d9b9
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
IP:port : 0.0.0.0:8172
Certificate Hash : 403a6eac00d494c03288a1df779aeae7a131886f
Application ID : {00000000-0000-0000-0000-000000000000}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
IP:port : 127.0.0.1:443
Certificate Hash : d0da0b35cf91c55b91a10755c0b4b11dfb1d3ff9
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
C:\>
The output we’re interested in is as follows:
IP:port : 0.0.0.0:444
Certificate Hash : c71d3d6f9673dcec57d8c76602562d58bd69d9b9
----------------------------------------
Also make a note of the following information which we will need later:
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
----------------------------------------
Confirm that the IP:port : 0.0.0.0:444 binding is indeed referencing the old certificate by comparing the thumbprint of the old deleted certificate with the Certificate Hash:
Note that the thumbprint in the screenshot above matches the certificate hash generated above. Once confirmed that the IP:port : 0.0.0.0:444 is indeed referencing the old certificate, proceed to delete the binding by executing the following command:
netsh http delete sslcert ipport=0.0.0.0:444
Execute netsh http show sslcert to confirm that the binding has been deleted:
Proceed with creating the binding with the new certificate by executing a command that references the Application ID that we made a note of earlier:
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
… and obtaining the thumbprint of the new certificate that we’ll be using:
Use the information above to execute the following command:
netsh http add sslcert ipport=0.0.0.0:444 certhash=d0da0b35cf91c55b91a10755c0b4b11dfb1d3ff9 appid="{4dc3e181-e14b-4a21-b022-59fc669b0914}"
The errors should no longer be written to the event logs. Proceed to repeat these steps on all of the affected Exchange servers.
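The manual comparison above can be scripted so that every binding is checked against the certificate store before and after a certificate rollover. The following is an added example, not part of the original post: the function names Get-HttpSslBinding and Find-StaleSslBinding are hypothetical, the parser assumes English-language netsh output, and the sample input is constructed from the output shown earlier.

```powershell
# Added example: flag HTTP.sys SSL bindings whose certificate is no longer in the store.
# Function names are illustrative; the parser assumes English-language netsh output.
function Get-HttpSslBinding {
    param([string[]]$NetshOutput)
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($null -ne $current) { [pscustomobject]$current }   # emit the previous binding
            $current = [ordered]@{ IpPort = $Matches[1]; CertHash = $null; AppId = $null }
        }
        elseif ($null -ne $current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.CertHash = $Matches[1]
        }
        elseif ($null -ne $current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }           # emit the last binding
}

function Find-StaleSslBinding {
    param([object[]]$Binding, [string[]]$StoreThumbprint)
    foreach ($b in $Binding) {
        # -notcontains compares case-insensitively, so hash casing does not matter
        if ($StoreThumbprint -notcontains $b.CertHash) {
            [pscustomobject]@{
                IpPort      = $b.IpPort
                MissingHash = $b.CertHash
                AppId       = $b.AppId       # needed again for "netsh http add sslcert"
                DeleteCmd   = "netsh http delete sslcert ipport=$($b.IpPort)"
            }
        }
    }
}

# Constructed sample: trimmed from the netsh output shown above.
$sample = @'
IP:port : 0.0.0.0:443
Certificate Hash : d0da0b35cf91c55b91a10755c0b4b11dfb1d3ff9
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
IP:port : 0.0.0.0:444
Certificate Hash : c71d3d6f9673dcec57d8c76602562d58bd69d9b9
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
'@ -split "`r?`n"
# Constructed store contents: only the new certificate remains after the old one was deleted.
$storeThumbs = @('D0DA0B35CF91C55B91A10755C0B4B11DFB1D3FF9')

# On a live server, replace the two samples with:
#   $sample      = netsh http show sslcert
#   $storeThumbs = (Get-ChildItem Cert:\LocalMachine\My).Thumbprint
Find-StaleSslBinding -Binding (Get-HttpSslBinding $sample) -StoreThumbprint $storeThumbs | Format-List
```

With the sample data only the 0.0.0.0:444 binding is reported, together with the Application ID to reuse when the binding is re-created.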