I had an issue applying CU9 for Exchange 2019 and as it took a while to sort I thought I would post to share how I resolved it in case it helps anyone else.

The CU failed at Step 8 of 10 Mailbox role: Client Access Front End service with the following error:

Step 8 of 10 Mailbox role: Client Access Front End service:
Error:
The following error was generated when "$error.Clear();
Install-ExchangeCertificate -services "IIS, POP, IMAP" -DomainController $RoleDomainController
if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
{
Install-AuthCertificate -DomainController $RoleDomainController
}
" was run: "Microsoft.Exchange.Management.SystemConfigurationTasks.AddAccessRuleUnauthorizedAccessException: Insufficient rights to grant Network Service access to the certificate with thumbprint

As the server was in maintenance mode I was unable to launch the EMS. The server is a Windows 2019 server core box so no MMC to launch the certificate snap-in.

Having bashed my head against a brick wall trying to adjust permissions with powershell I went with the following solution.

First off - full credit to  Rhoderick Milne  and his excellent blog post Exchange Setup – Certificate Is Expired – Part Deux – 250 Hello (rmilne.ca) that provided me with some helpful tips to get around the problem.

2nd - our cert is a 3rd party cert and the healthchecker script that MS provides reports no issues.

So what I had to do. The solution was to swap out the 3rd party cert for a self signed cert created via the EMS to allow the installation to complete. Once done, I swapped back to my normal 3rd party cert.

With no EMS I needed the Exchange powershell snapin **as Rhoderick points out this is not supported but it worked for me

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

With the exchange snap-in loaded I was then able to create a new self-signed certificate

New-ExchangeCertificate -Services SMTP

and then 

Enable-ExchangeCertificate -Services IIS -Thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXX

With the new cert in place I was then able to complete the update and take the server out of maintenance mode.

Final step was to put the IIS and SMTP services back on the original certificate.

Before I found the blog post, I had logged a call with MS but they just told me to fix the certificate and then retry the update without telling me how to fix the cert! 

It would be great if CUs added the cert check to the prereqs check and ideally offer to fix the cert permissions problem - still haven't found a way to check and verify the permissions a CU wants but hopefully this workaround will help someone else from bashing their head against the desk.