Monday, October 2, 2017

Installing Exchange Server 2016 CU7 fails with the error: “…was run: "System.Security.Cryptography.CryptographicException: The certificate is expired.”


You’ve started the installation of Exchange Server 2016 Cumulative Update 7 but notice that it fails at the step Mailbox role: Transport service with the following error:


The following error was generated when "$error.Clear();

Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController

if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)


Install-AuthCertificate -DomainController $RoleDomainController


" was run: "System.Security.Cryptography.CryptographicException: The certificate is expired.

at Microsoft.Exchange.Configuration.Task.Task.ThrowError(Exception exception, ErrorCatagory errorCatagory, Object target,

String helpUrl)

at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()

at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecrod>b_91_1()

at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolen




The reason why the installation of the CU update failed is because the process attempts to validate the certificate Exchange Server 2016 is using for its services and if an expired certificate is found to be binded to a service, the update will fail.  What usually causes panic at this point is that the Exchange server services are not going to be up and trying to launch the Management Shell would prompting show that Exchange PowerShell cmdlets are not available:


To get through this issue, you can simply assign a valid certificate via the Internet Information Services (IIS) Manager console:


Note that the screenshot above has the binding configured with the self-signed certificate generated by the initial Exchange 2016 installation.  Using the self-signed certificate is a good way to workaround not being able to proceed with the CU install while you renew the certificate.

With the certificate bindings configured with a valid certificate, proceed to rerun the CU update and it should complete as expected: