IT Praktyk Blog

Exchange Server 2013 Cumulative Update installation fails when expired certificate is assigned

Posted May 17, 2016; Last update June 02, 2016

Introduction

Recently I updated my lab with Exchange Server 2013 CU10. As part of this process I also tried to install Cumulative Update 12 for Exchange Server 2013 (KB3108023) on the first server.

Action

I ran the installation process with the GUI (I planned to take some screenshots to update a work instruction), and after the prerequisites were checked successfully the installation process started.

Results

Result 1

Error:
The following error was generated when "$error.Clear();
    Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
    if ($RoleIsDatacenter -ne $true -and $RoleIsPartnerHosted -ne $true)
    {
      Install-AuthCertificate -DomainController $RoleDomainController
    }
  " was run: "System.Security.Cryptography.CryptographicException: The certificate expired.
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

Result 2

Your Exchange Server is unusable and needs to be recovered from a backup.

Resolution

  1. I restored the server from the backup.
  2. I issued a new certificate for the server.
  3. I assigned the new certificate to the Exchange services.
  4. I ran the installation of Cumulative Update 12 for Exchange Server 2013 once again; the installation ended successfully.

Summary

You can’t install a cumulative update for Exchange Server 2013 when an expired certificate is assigned to any (?) Exchange services.
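
A pre-flight check for the condition described above, as an added example (not the author's code and not the TechNet Gallery script mentioned in the Remarks): it lists certificates that have Exchange services assigned and are expired or inside a warning window. The function name Find-ExpiringServiceCertificate, the 30-day window and the sample objects are assumptions; Thumbprint, Subject, Services and NotAfter are properties of the objects returned by Get-ExchangeCertificate.

```powershell
# Added example. Function name and warning window are hypothetical choices.
function Find-ExpiringServiceCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Certificate,
        [int]$WarningDays = 30,          # assumption: flag anything expiring within 30 days
        [datetime]$Now = (Get-Date)
    )
    process {
        # Only certificates with at least one service assigned are reported,
        # matching the condition in the Summary.
        $services = [string]$Certificate.Services
        if ([string]::IsNullOrEmpty($services) -or $services -eq 'None') { return }

        $daysLeft = [math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
        if ($daysLeft -ge $WarningDays) { return }

        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            Services   = $services
            NotAfter   = $Certificate.NotAfter
            DaysLeft   = $daysLeft
            State      = if ($daysLeft -lt 0) { 'Expired' } else { 'ExpiresSoon' }
        }
    }
}

# Constructed sample objects (placeholder thumbprints) so the check runs anywhere.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Thumbprint = 'PLACEHOLDER-01'; Subject = 'CN=mail.example.test'
                       Services = 'IIS, SMTP'; NotAfter = $now.AddDays(-3) }
    [pscustomobject]@{ Thumbprint = 'PLACEHOLDER-02'; Subject = 'CN=ex01.example.test'
                       Services = 'SMTP';      NotAfter = $now.AddDays(12) }
    [pscustomobject]@{ Thumbprint = 'PLACEHOLDER-03'; Subject = 'CN=old.example.test'
                       Services = 'None';      NotAfter = $now.AddDays(-400) }
    [pscustomobject]@{ Thumbprint = 'PLACEHOLDER-04'; Subject = 'CN=new.example.test'
                       Services = 'IIS';       NotAfter = $now.AddDays(700) }
)
# Reports PLACEHOLDER-01 as Expired and PLACEHOLDER-02 as ExpiresSoon.
$sample | Find-ExpiringServiceCertificate -Now $now | Format-Table -AutoSize

# On the server, from the Exchange Management Shell, before starting Setup:
# Get-ExchangeCertificate -Server $env:COMPUTERNAME | Find-ExpiringServiceCertificate
```

An empty result from the real cmdlet pipeline means no service-bound certificate on that server is expired or inside the warning window.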

Remarks

  1. The description of Cumulative Update 12 for Exchange Server 2013, KB3108023, is available here
  2. You can check the certificates assigned to Exchange servers in the whole environment using the script authored by Paul Cunningham, available in the Microsoft TechNet Gallery

Updates