Exchange 2013: Expired certificates and Service Pack 1 (Caution!)

When installing Service Pack 1 for Exchange 2013, a nasty error can occur under certain circumstances. This is caused by expired certificates that are used by Exchange services. A reader pointed out the problem to me and I was able to reproduce it in a test environment. Here are the details:

When checking the prerequisites, everything is still OK, no warnings or errors are displayed:

The installation starts and aborts at step 10 of 18 with the following error message:

In the SP1 setup window, you can only click on "Exit" to return to the Windows desktop. The error message already indicates that a certificate has expired. The really nasty thing is that neither the Exchange Admin Center (EAC) nor the Exchange Management Shell (EMS) starts after the failed update.

The EMS displays the following error message:

EAC only displays an IIS error message:

I was able to reproduce this problem in a VM where the certificate assigned to the Exchange services had expired. The only problem is: How do you change the certificate without EAC or EMS?

The easiest way is probably to simply delete the certificate, as it has expired anyway. The certificate can be removed via MMC:

To delete the certificate, add the "Certificates" snap-in to the MMC and connect it to the local computer account. The relevant certificates are then displayed under "Personal" ("Eigene Zertifikate" on a German system). The expired certificate can be identified here. In my test environment, all certificates have expired, but only the highlighted one is assigned to the Exchange services.

After the certificate has been deleted, the Exchange 2013 Service Pack 1 setup must be restarted. The setup recognizes an incomplete installation and continues the setup:

Now the setup runs through as well, and EAC and EMS start again. After the setup, a new certificate must be issued for the Exchange services. I have described here how a certificate can be issued by an internal CA for Exchange 2013:

https://www.frankysweb.de/exchange-2013-san-zertifikat-und-interne-zertifizierungsstelle-ca/

Before installing SP1 for Exchange 2013, you should check whether all certificates are valid.
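
One way to run that check, as an added PowerShell example that is not part of the original post: it lists the certificates in the local computer's Personal store with their validity status, using only the built-in Cert: provider and netsh, so it also works when EMS does not start. The function name, the 30-day warning window and the BoundToHttps column are assumptions; that column only reflects HTTP.sys (IIS) bindings, not SMTP, IMAP or POP assignments.

```powershell
# Added example: certificate pre-flight check before running the SP1 setup.
# Uses only the built-in Cert: provider and netsh, so it works without EMS.
function Get-CertificateValidity {
    [CmdletBinding()]
    param(
        # Local computer "Personal" store, the one opened via MMC in the article
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Assumed warning window in days; not a value from the article
        [int]$WarnDays = 30,
        [datetime]$Now = (Get-Date)
    )

    # HTTP.sys bindings (IIS sites) list the bound certificate hash as hex;
    # searching for the thumbprint avoids parsing localized labels.
    $httpBindings = (& netsh http show sslcert) -join "`n"

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if ($cert.NotAfter -lt $Now) {
            $status = 'Expired'
        } elseif ($cert.NotBefore -gt $Now) {
            $status = 'NotYetValid'
        } elseif ($cert.NotAfter -lt $Now.AddDays($WarnDays)) {
            $status = 'ExpiringSoon'
        } else {
            $status = 'Valid'
        }

        [pscustomobject]@{
            Status        = $status
            NotAfter      = $cert.NotAfter
            DaysRemaining = [math]::Floor(($cert.NotAfter - $Now).TotalDays)
            BoundToHttps  = $httpBindings -match $cert.Thumbprint
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
        }
    }
}

# Show everything that is not plainly valid, soonest expiry first
Get-CertificateValidity |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell prompt on the Exchange server; an expired entry with BoundToHttps set to True should be replaced before the setup is started.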

2 thoughts on “Exchange 2013: Expired certificates and Service Pack 1 (Caution!)”

  1. Hello,
    but the certificate is still valid until 19.03.2019! Or does the screenshot not match the problem!

    Regards

    • Hello,
      the certificate has indeed expired, because my test environment is far ahead of its time. There, it is already the year 2020 :-)
      I had changed the date for demonstration purposes…

      Regards, Frank
