https://www.vcloudnine.de/microsoft-exchange-2013-shows-blank-ecp-owa-after-changes-to-ssl-certificates/

EDIT

This issue is described in KB2971270 and is fixed in CU6.

I ran a couple of times in this error. After applying changes to SSL certificates (add, replace or delete a SSL certificate) and rebooting the server, the event log is flooded with events from source “HttpEvent” and event id 15021. The message says:

An error occurred while using SSL configuration for endpoint 0.0.0.0:444. The error status code is contained within the returned data.

1	An error occurred while using SSL configuration for endpoint 0.0.0.0:444. The error status code is contained within the returned data.

If you try to access the Exchange Control Panel (ECP) or Outlook Web Access (OWA), you will get a blank website. To solve this issue, open up an elevated command prompt on your Exchange 2013 server.

C:\windows\system32>netsh http show sslcert SSL Certificate bindings: ------------------------- IP:port : 0.0.0.0:443 Certificate Hash : 1ec7413b4fb1782b4b40868d967161d29154fd7f Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914} Certificate Store Name : MY Verify Client Certificate Revocation : Enabled Verify Revocation Using Cached Client Certificate Only : Disabled Usage Check : Enabled Revocation Freshness Time : 0 URL Retrieval Timeout : 0 Ctl Identifier : (null) Ctl Store Name : (null) DS Mapper Usage : Disabled Negotiate Client Certificate : Disabled IP:port : 0.0.0.0:444 Certificate Hash : a80c9de605a1525cd252c250495b459f06ed2ec1 Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914} Certificate Store Name : MY Verify Client Certificate Revocation : Enabled Verify Revocation Using Cached Client Certificate Only : Disabled Usage Check : Enabled Revocation Freshness Time : 0 URL Retrieval Timeout : 0 Ctl Identifier : (null) Ctl Store Name : (null) DS Mapper Usage : Disabled Negotiate Client Certificate : Disabled IP:port : 0.0.0.0:8172 Certificate Hash : 09093ca95154929df92f1bee395b2670a1036a06 Application ID : {00000000-0000-0000-0000-000000000000} Certificate Store Name : MY Verify Client Certificate Revocation : Enabled Verify Revocation Using Cached Client Certificate Only : Disabled Usage Check : Enabled Revocation Freshness Time : 0 URL Retrieval Timeout : 0 Ctl Identifier : (null) Ctl Store Name : (null) DS Mapper Usage : Disabled Negotiate Client Certificate : Disabled IP:port : 127.0.0.1:443 Certificate Hash : 1ec7413b4fb1782b4b40868d967161d29154fd7f Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914} Certificate Store Name : MY Verify Client Certificate Revocation : Enabled Verify Revocation Using Cached Client Certificate Only : Disabled Usage Check : Enabled Revocation Freshness Time : 0 URL Retrieval Timeout : 0 Ctl Identifier : (null) Ctl Store Name : (null) DS Mapper Usage : Disabled Negotiate Client Certificate : Disabled

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60

C:\windows\system32>netsh http show sslcert   SSL Certificate bindings: -------------------------       IP:port                      : 0.0.0.0:443     Certificate Hash             : 1ec7413b4fb1782b4b40868d967161d29154fd7f     Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}     Certificate Store Name       : MY     Verify Client Certificate Revocation : Enabled     Verify Revocation Using Cached Client Certificate Only : Disabled     Usage Check                  : Enabled     Revocation Freshness Time    : 0     URL Retrieval Timeout        : 0     Ctl Identifier               : (null)     Ctl Store Name               : (null)     DS Mapper Usage              : Disabled     Negotiate Client Certificate : Disabled       IP:port                      : 0.0.0.0:444     Certificate Hash             : a80c9de605a1525cd252c250495b459f06ed2ec1     Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}     Certificate Store Name       : MY     Verify Client Certificate Revocation : Enabled     Verify Revocation Using Cached Client Certificate Only : Disabled     Usage Check                  : Enabled     Revocation Freshness Time    : 0     URL Retrieval Timeout        : 0     Ctl Identifier               : (null)     Ctl Store Name               : (null)     DS Mapper Usage              : Disabled     Negotiate Client Certificate : Disabled       IP:port                      : 0.0.0.0:8172     Certificate Hash             : 09093ca95154929df92f1bee395b2670a1036a06     Application ID               : {00000000-0000-0000-0000-000000000000}     Certificate Store Name       : MY     Verify Client Certificate Revocation : Enabled     Verify Revocation Using Cached Client Certificate Only : Disabled     Usage Check                  : Enabled     Revocation Freshness Time    : 0     URL Retrieval Timeout        : 0     Ctl Identifier               : (null)     Ctl Store Name               : (null)     DS Mapper Usage              : Disabled     Negotiate Client Certificate : Disabled       IP:port                      : 127.0.0.1:443     Certificate Hash             : 1ec7413b4fb1782b4b40868d967161d29154fd7f     Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}     Certificate Store Name       : MY     Verify Client Certificate Revocation : Enabled     Verify Revocation Using Cached Client Certificate Only : Disabled     Usage Check                  : Enabled     Revocation Freshness Time    : 0     URL Retrieval Timeout        : 0     Ctl Identifier               : (null)     Ctl Store Name               : (null)     DS Mapper Usage              : Disabled     Negotiate Client Certificate : Disabled

Check the certificate hash and appliaction ID for 0.0.0.0:443, 0.0.0.0:444 and 127.0.0.1:443. You will notice, that the application ID for this three entries is the same, but the certificate hash for 0.0.0.0:444 differs from the other two entries. And that’s the point. Remove the certificate for 0.0.0.0:444.

C:\windows\system32>netsh http delete sslcert ipport=0.0.0.0:444 SSL Certificate successfully deleted

1 2 3

C:\windows\system32>netsh http delete sslcert ipport=0.0.0.0:444   SSL Certificate successfully deleted

Now add it again with the correct certificate hash and application ID.

C:\windows\system32>netsh http add sslcert ipport=0.0.0.0:444 certhash=1ec7413b4fb1782b4b40868d967161d29154fd7f appid="{4dc3e181-e14b-4a21-b022-59fc669b0914}" SSL Certificate successfully added

1 2 3

C:\windows\system32>netsh http add sslcert ipport=0.0.0.0:444 certhash=1ec7413b4fb1782b4b40868d967161d29154fd7f appid="{4dc3e181-e14b-4a21-b022-59fc669b0914}"   SSL Certificate successfully added