Imagine the anticipation of upgrading your Exchange 2019 on-premises server with a new CU, each step carefully executed, only to hit a roadblock at Step 12: Mailbox role – Client Access Front End service. As the setup grinds to a halt, an unsettling error message appears, signaling a common yet frustrating challenge: Exchange setup fails.

Exchange setup fails with a certificate error

It’s time to decide whether to roll back to a previous state or investigate further to troubleshoot it. I hope this article helps you get back on track quickly. Luckily, the Exchange setup has a routine to continue a failed installation.

I encountered the following error message.

Exchange Setup fails with a Certificate error
Error:
The following error was generated when "$error.Clear(); 
          Install-ExchangeCertificate -services "IIS, POP, IMAP" -DomainController $RoleDomainController
          if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
          {
          Install-AuthCertificate -DomainController $RoleDomainController
          }
        " was run: "Microsoft.Exchange.Management.SystemConfigurationTasks.AddAccessRuleUnauthorizedAccessException: Insufficient rights to grant Network Service access to the certificate with thumbprint 2CE1FD66F37E4AB76DEBAC75D92977B6BD2DE3C9. ---> System.UnauthorizedAccessException: Certificate ---> System.Security.Cryptography.CryptographicException: Keyset does not exist

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.CAPIAddAccessRule(X509Certificate2 certificate, AccessRule rule)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.CAPIAddAccessRule(X509Certificate2 certificate, AccessRule rule)
   at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.AddAccessRule(X509Certificate2 certificate, AccessRule rule)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.ManageExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services, String websiteName, Boolean requireSsl, ITopologyConfigurationSession dataSession, Server server, List`1 warningList, Boolean allowConfirmation, Boolean forceNetworkService)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

The main reason why the Exchange setup fails is this message.

Insufficient rights to grant Network Service access to the certificate with thumbprint 2CE1FD66F37E4AB76DEBAC75D92977B6BD2DE3C9. ---> System.UnauthorizedAccessException: Certificate ---> System.Security.Cryptography.CryptographicException: Keyset does not exist

There are two reasons for it:

  • The built-in account ‘Network Service’ has not Full Control rights
  • The private key is not exportable.

I use the Letsencrypt certificate with the Win Acme client.

Exchange setup fails: Reason 1:

The built-in Network Service account doesn’t have ‘Full Control’ rights to private keys.

How can I check that?

Use Windows Search and type in ‘cert,’ choose ‘manage computer certificates’

Certifice management store

Choose the certificate in the Personal store, right- click, ‘All Tasks’, Manage Private Keys and check the permissions.

Certifice management store private keys

The ‘Network Service’ should have ‘Full Controll’ rights.

Private Kexs permissions

Exchange Setup fails: Reason 2

If you right-click the certificate, ‘All Tasks,’ ‘Manage Private Keys,’ and get a message, ‘Private key not exportable,’ the acme client marked the certificate. To resolve that, you need to change how the Acme client requests the certificate.

You need to amend the ‘settings.json’ file in your Acme directory.

settings json
acme client privatekeyexportable

Now you need to renew the certificate with the acme-client.

wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/" --force

You can force a renewal of the certificate with the above command.

Now, you can successfully install the Exchange Server 2019 CU. Start the Exchange Server 2019 setup.exe again without first rebooting the server. Exchange will show an ‘Incomplete Installation Detected’ message and continue the installation. It should finish without any further errors.

For these unforeseen situations, I highly recommend backing up the server before installing any update for the Exchange Server – in most cases, it is a VM – and making a snapshot.

I had the same situation when I installed CU12 of Exchange Server 2019. Since I didn’t know how to resolve it, I decided to revert the snapshot and have time to investigate the issue

I would love to get some feedback from you. Was this article helpful? Please share your opinion with me in the comment section below. Or, if you prefer a more personal touch, feel free to email me directly at [email protected]. Your thoughts and insights are always appreciated.

Before you go …

I hope the guide on resolving the certificate error during your Exchange setup was helpful. As you consider refining your setup further, you might find it helpful to explore the optimal server choices for a home lab environment. I recommend checking out Best Server for Home Lab, where you can find detailed insights on selecting hardware that meets your specific needs, balancing performance, cost, and energy efficiency. This could be particularly beneficial as you expand or streamline your technical setup.

Full Disclosure

Any purchases made from clicks on links to products on this page may result in an affiliate commission for me. 

Please keep in mind that the quantity or price of items can change at any time.

As an Amazon  Associate, I earn from qualifying purchases.

As an Aliexpress Associate, I earn from qualifying purchases. 

Als Amazon-Partner verdiene ich an qualifizierten Verkäufen

Tech Expert & Blogger


Leave a Reply

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.