Don’t Let Your Certificate Expire!

Sadly, many Exchange admins don’t do their due diligence and properly maintain their Exchange Server certificates!
If the certificate on an Exchange server (2013/2016) is allowed to expire and you attempt a CU update, the update will fail and leave your Exchange server broken!

Prerequisite analysis will complete, but the update will throw this error:
Mailbox role: Transport service FAILED
The following error was generated when “$error.Clear();
Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
{
Install-AuthCertificate -DomainController $RoleDomainController
}
” was run: “System.Security.Cryptography.CryptographicException: The certificate is expired.
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)”.
Searching, you might find all kinds of advice on renewing the certificate, until you discover you can’t connect to Exchange using any of the tools (e.g. PowerShell, EAC).

Before you start sending your resume to companies looking for an Exchange administrator, open IIS Manager on the Exchange server, select the Default Web Site and go to Bindings in the Actions pane. Edit the bindings for HTTPS (both of them). Choose ‘Microsoft Exchange’ (open the certificate to make sure you have the correct one).

Re-run the CU update. You can generate a new certificate in IIS Manager if needed.

Best practice is to use a valid third-party certificate for Exchange Server.
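
A check to run before starting a CU, added here as an example and not part of the original post: it lists every HTTPS binding in IIS with the expiry status of the certificate behind it, using only the IIS WebAdministration module so it still works when the Exchange tools cannot connect. The 30-day warning threshold and the variable names are assumptions.

```powershell
# Added example: audit the certificates bound to HTTPS in IIS before a CU.
# Run in an elevated Windows PowerShell session on the Exchange server.
Import-Module WebAdministration

$WarnDays = 30          # assumed warning threshold; adjust to your renewal process
$now      = Get-Date

$report = foreach ($binding in Get-WebBinding -Protocol https) {
    # ItemXPath looks like: /system.applicationHost/sites/site[@name='Default Web Site' and @id='1']
    $site  = if ($binding.ItemXPath -match "@name='([^']+)'") { $Matches[1] } else { '(unknown)' }
    $thumb = $binding.certificateHash
    $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }

    # Look the bound certificate up by thumbprint in the machine store
    $cert = $null
    if ($thumb) {
        $cert = Get-Item "Cert:\LocalMachine\$store\$thumb" -ErrorAction SilentlyContinue
    }

    $status = switch ($true) {
        { -not $thumb }                                   { 'NoCertificateBound'; break }
        { -not $cert }                                    { 'MissingFromStore';   break }
        { $cert.NotAfter -lt $now }                       { 'Expired';            break }
        { $cert.NotAfter -lt $now.AddDays($WarnDays) }    { 'ExpiringSoon';       break }
        default                                           { 'OK' }
    }

    [pscustomobject]@{
        Site         = $site
        Binding      = $binding.bindingInformation
        FriendlyName = if ($cert) { $cert.FriendlyName }
        NotAfter     = if ($cert) { $cert.NotAfter }
        DaysLeft     = if ($cert) { [math]::Floor(($cert.NotAfter - $now).TotalDays) }
        Status       = $status
    }
}

$report | Format-Table -AutoSize

if ($report | Where-Object { $_.Status -ne 'OK' }) {
    Write-Warning 'Fix the HTTPS bindings listed above before running the CU.'
}

# Unexpired certificates with a private key that can be chosen in the binding dialog
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter |
    Format-Table FriendlyName, Subject, NotAfter, Thumbprint -AutoSize
```

Scheduling the first half of this as a recurring task gives you the warning well before a CU window, rather than during it.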
