www.anthonygarmont.com

Troubleshooting your internet connection...

8/13/2019

We've all been there... you are sitting at home and suddenly your life flashes before you.... Your internet is down! What will you do? How will life continue? Is this the end? Just kidding...

Sometimes though, especially if you are a cord-cutter like me, losing internet can be a real pain. But before calling your provider, I'd urge you to arm yourself with some valuable info. It could save you some time and heartache. Before we even start, though, understand that this is a 10,000 foot view. This is VERY basic. There are tons of options and things you can do to troubleshoot internet connectivity and networks in general. This guide is really designed for you to figure out ONE thing. Is it my provider? Is it my computer? Or is it some other thing out on the internet? In other words, DO I NEED TO CALL TECH SUPPORT? So here we go...

PING to the rescue
PING is an invaluable network troubleshooting tool. It is run from a command prompt or a terminal window. Its function is essentially just like yelling "hey! are you there?" and waiting for a response from the other side. Depending on who you "yell" these calls to, it can help you figure out where your problem is.

To get started, you have to open a command prompt. Do this by clicking your start menu and typing cmd and hitting the enter key. You should be presented with a window similar to this:
Picture
Now, we are just going to yell out to google and see if our computer can see them... If not, that's not usually a good sign. So as shown below, we are going to type ping google.com and hit the enter key. (For the purposes of this blog post, please only type letters that are in BOLD letters.)
Picture
As you can see above, google.com IS RESPONDING! You can see Reply from 64.233.177.139 which is essentially google saying "I'm here!" which is GOOD. But let's say you got the response below:
Picture
This means you might have a problem. Why? Because google.com might be one of the most reliable sites on the globe. The chances that google.com is down are REALLY REALLY LOW. So now we need to find out where the failure is, because most likely it is NOT google.com being broken. Our next command is called tracert and it will show us more information about where the difficulty is. We are still going to use google.com for this, so now we type tracert google.com then hit the enter key.
Picture
So along the left, we see the HOPS to get to your destination. They go from 1 to 24 in this case. Picture my computer in Florida trying to yell at a computer over on the coast of California. It's not going to be from my computer -> internet -> google.com to get there in 3 hops. No, your traffic crosses all sorts of networks to get to google.com. But if you look along the right you can see:

1 NEEDS-MORE-COWB [10.30.1.1] (This is my Linksys Router and yes my WiFi is called "Needs More Cowbell")
2 192.168.1.254 (This is my provider's modem or router)
3 99-163-68-1.lightspeed.jcvlfl.sbcglobal.net [99.163.68.1] (This is the first hop after my router) 

So I'm not going to go through every hop... but what does this command output tell us? Well, see down at line 15, where you start seeing * * * Request timed out. over and over? This means we have a communication loss at that hop. That hop is FOURTEEN HOPS from your computer. That could be ANYWHERE; in this case that hop happens to be GOOGLE, so the drops are happening at GOOGLE. This doesn't mean they are down, but it could mean they are most likely blocking PING across part of the network they own. Most importantly though, it's not really near your house or your home network. So calling tech support on this and having some tech come out to your house is going to be a waste of your time in most cases, right? Same thing if this happens on hop #5... that's NOT your computer or your router, right? It's off your network. Now, if you get Request timed out on hop ONE or TWO? You might need to reboot your router (or routers, in my case). Does that make sense? I'm just rebooting the things that aren't "talking" or yelling back on the network that are under my control. Because we can't control hop #15, can we?
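The same reading of tracert output as a small Python script; this is an added example, not part of the original post. It generalizes slightly: a hop that shows * * * but is followed by a hop that replies is treated as merely silent, and only the point where replies stop for good is reported. The sample output is constructed (hops 1-3 are the ones quoted above), and `local_hops=2` is an assumption matching the router-plus-modem layout described here.

```python
import re

# Constructed sample in Windows tracert format. Hops 1-3 are the ones quoted in
# the post; every other line is made up (documentation address ranges).
SAMPLE = """\
Tracing route to google.com [64.233.177.139]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  NEEDS-MORE-COWB [10.30.1.1]
  2     1 ms     1 ms     1 ms  192.168.1.254
  3    21 ms    20 ms    22 ms  99-163-68-1.lightspeed.jcvlfl.sbcglobal.net [99.163.68.1]
  4     *        *        *     Request timed out.
  5    24 ms    23 ms    25 ms  198.51.100.9
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")

def parse_hops(text):
    """Return [(hop_number, answered)] for each numbered hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if m:
            hops.append((int(m.group(1)), "Request timed out" not in m.group(2)))
    return hops

def first_dead_hop(hops):
    """Hop where replies stop for good, or None if the final hop answered."""
    dead = None
    for number, answered in hops:
        if answered:
            dead = None      # a later reply means earlier '*' hops were only silent
        elif dead is None:
            dead = number
    return dead

def verdict(text, local_hops=2):
    """local_hops=2 assumes the post's layout: own router, then provider modem."""
    dead = first_dead_hop(parse_hops(text))
    if dead is None:
        return "path ok"
    if dead <= local_hops:
        return f"hop {dead}: your own equipment, reboot it first"
    return f"hop {dead}: off your network"

if __name__ == "__main__":
    print(verdict(SAMPLE))
```
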

So calling your ISP - this could help in a situation where hop #5 is dropping, because they might be having an issue on their network. But let's go back to PING for a moment, because if you ARE getting off your network but some sites aren't working, that is helpful for the tech to know. Like:

I can ping google.com
I can ping usatoday.com
I can ping amazon.com
I cannot ping facebook.com
I cannot ping instagram.com

But I will say as well, check out https://istheservicedown.com for a semi-good look into issues at major sites and providers. This site gets its info purely from users reporting issues, so it's not 100% accurate, but it can be a barometer or a 2nd opinion to look at.

Want to know more about a particular IP address you see in your tracert? Check out: https://www.ultratools.com/tools/ipWhoisLookup

If you enter the IP address, it will tell you who owns the network, and sometimes its rough location.

I hope this stuff is helpful. Hit me with questions in the comments if you want.


How to configure a Cisco UCS Chassis running version 4.0 firmware to use an internal certificate authority's SSL certificate

11/19/2018

Building the Cert file to create a new Trusted Point in UCS
  1. Log in to your Windows CA web services site (https://yourCAhostname.yourADdomain.com/certsrv) and click on Download a CA certificate, certificate chain, or CRL. Say yes to the box about "...attempting to perform a certificate operation on your behalf..."
  2. On the next screen select the current root certificate, Select Base 64 encoding, and then click on "Download CA certificate". Then click "Save As..." and save the .cer file to a location that will be easy to get back to. Also name it something that makes sense like "Company-Issuing-CA.cer" so you can tell which cert it is.
  3. We now need to create a .cer file of the Root CA to build the chain needed for the UCS server. So now open the certificate you just downloaded by double-clicking on it. Click on the Certification Tab on the top. Click on the "Company-Root-CA" in the top box.
  4. Click "View Certificate" then go to the "Details" tab and click the "Copy to File..." button. Then click "Next".
  5. Pick the Base-64 encoded X.509 (.CER) option, then click "Next"
  6. Click the browse button and save the file in the same spot as the other .cer file and name it "Company-Root-CA.cer" then click "Next" then click finish.
  7. We need to create a text file now that has both certs in it as a chain. This must be done in this format:
    -----BEGIN CERTIFICATE-----
    <Company-Issuing-CA.cer txt Contents>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Company-Root-CA.cer txt Contents>
    -----END CERTIFICATE-----
This new text file is the file we will use to create a new "Trusted Point" in the UCS.
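One way to build that chain file with a script instead of by hand; this is an added example, not part of the original post. It checks format only (each input holds exactly one Base-64 block that decodes to DER, issuing CA first, root second) and does not verify signatures; the stand-in certificate bytes are constructed, and in real use the two inputs would be the text of Company-Issuing-CA.cer and Company-Root-CA.cer.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the DER bytes of every certificate block found in text."""
    ders = []
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):      # a certificate is an ASN.1 SEQUENCE
            raise ValueError("block does not decode to DER")
        ders.append(der)
    return ders

def to_pem(der):
    """Re-encode with clean 64-character lines and LF endings."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{rows}\n-----END CERTIFICATE-----\n"

def build_chain(issuing_text, root_text):
    """Issuing CA first, root CA second, as in the format shown in step 7."""
    issuing, root = pem_blocks(issuing_text), pem_blocks(root_text)
    if len(issuing) != 1 or len(root) != 1:
        raise ValueError("each .cer must hold exactly one Base-64 certificate "
                         "(a DER-encoded export has none)")
    if issuing[0] == root[0]:
        raise ValueError("the same certificate was supplied twice")
    return to_pem(issuing[0]) + to_pem(root[0])

# Constructed stand-ins: DER-shaped bytes, not real certificates.
FAKE_ISSUING = b"\x30\x82\x01\x0a" + bytes(range(200))
FAKE_ROOT = b"\x30\x82\x01\x0a" + bytes(range(200, 0, -1))

if __name__ == "__main__":
    # Simulate files saved on Windows: CRLF line endings and trailing blanks.
    issuing_cer = to_pem(FAKE_ISSUING).replace("\n", "\r\n") + "\r\n  "
    root_cer = to_pem(FAKE_ROOT).replace("\n", "\r\n")
    print(build_chain(issuing_cer, root_cer))
```
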

Creating the Trusted Point in UCS Manager
  1. Log in to Cisco UCS Manager and go to "Admin" > "Key Management", then click on the "Trusted Points" tab along the top of the right-hand section.
  2. Along the bottom of the page you will see a grey bar along the bottom with a circle with a "+" symbol in it with the word "Add" next to it, click on that.
  3. Name the Trusted Point... Call it "Company-Issuing-CA" after the CA that we are using (although the name doesn't matter, it's just easier to see in later steps). Next, paste the contents of the file we created in part one in the "Certificate Chain" box (the one with the two thumbprints -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----). Now say "Ok" and allow that box to close. You should now have a Trusted Point called "TP Company-Issuing-CA".
  4. Now we need to create a new keyring. So, across the top of that panel again pick the "Key Rings" tab.
  5. Along the bottom of the page you will see a grey bar along the bottom with a circle with a "+" symbol in it with the word "Add" next to it, click on that.
  6. Name the keyring whatever you want - but I called it something like the hostname we are using (ucs-mini) - and then select the "Mod2048" radio button. Then say OK.
  7. Click on your newly created Key Ring then right-click it and say "Show Navigator" which will pop a new dialog box.
  8. Along the left, click the "Create Certificate Request" link in blue. Fill out the form that pops up. For DNS: make sure you are using whatever DNS name you are using in DNS to resolve the chassis. Also, make sure you fill out the 3 IP addresses in the IPv4 tab across the bottom. This will create "Subject Alternative Names" in the cert so you can access the manager and both Fabric Interconnects by IP without getting a cert warning. Once you are done, say OK.
  9. Now in that same box, if you expand the "Request" section on the right (it may already be expanded) you can see your request file needed to create the request in IIS on the CertSvr site. Copy the text using "Ctrl-C"
  10. Now browse to https://yourCAserver.yourADdomain.com/certsrv/ and select "Request a certificate"
  11. Click "advanced certificate request"
  12. Next, click the link that starts with "Submit a certificate request by using a base-64 encoded CMC or PKCS#10 file..."
  13. In the middle of the page - select the Certificate Template you want to use for the Certificate (Web Server)
  14. Paste the info from step 9 you "Ctrl-C-ed" into the Saved Request box and click the "Submit >" button
  15. Download the new certificate in the .CER file format (you will need to open it in notepad).
  16. Back in UCS Manager open the properties of your Key Ring you created in steps 4-6, then expand the "Certificate" portion of the box along the right.
  17. Pick the trusted point we will be associating with this certificate (the one we created earlier in steps 1-3).
  18. Paste the text from your .cer file we requested from IIS in step 15. Then say "OK" to save that.
Activating the new PKI/SSL stuff
  1. Select "Admin" > "Communication Management" > "Communication Services"
  2. Scroll down to the portion of the page on the right that says "HTTPS" and look for the "Key Ring" drop down. Click on it and select the Key Ring you created in the previous section, then click the "Save Changes" button in the bottom right. It's going to tell you that you will be disconnected from your session, which is fine; you can accept that.
  3. At this point you should be able to access UCS Manager from the hostname you gave it or the IP address without getting any SSL warnings.
Reference Websites Used:
https://www.derekseaman.com/2012/04/install-trusted-ssl-certificate-in.html
https://community.cisco.com/t5/unified-computing-system/pki-cert-issue-ucs-manager/td-p/2004407
​

Exchange 2010 SSL Cert Gotchas

6/7/2015

There are plenty of sites that show you how to apply a new SSL cert to your Exchange 2010 environment. There are a few gotchas, though, that quite a few seem not to mention. Here are the ones I ran into when I did this the other day:

  1. The SAN Certificate is specific to the machine used to create the cert request; it cannot be imported to any other Exchange servers unless you first export it as a PFX. You must re-key the certificate using a new request from the new server. Back in the 2003 Exchange days, you could just move the *.domain.com cert from one server to another pretty easily. Not so with 2010.
  2. During the 2nd part of IMPORTING the certificate using the “New Exchange Certificate” wizard, you must have the certificate REQUEST file (.req) you created in the beginning in the same folder as the certificate you download from the SSL provider. Exchange uses both to format the certificate. 
  3. If you have a Forefront TMG Server in front of your Exchange Server, you will need to update the SSL cert on this device as well.
