After updating SEPM certificate, SQL Express service fails to start


Article ID: 411571


Products

Endpoint Protection

Issue/Introduction

The certificate for SEPM has expired and needs to be updated. 

After updating the certificate through the SEPM, the SQL Express Service fails to start. You can no longer log into the SEPM. 

Error in the system log (scm-server-0.log):

java.sql.SQLException: Cannot create PoolableConnectionFactory (The TCP/IP connection to the host <hostname>, port 2638 has failed. Error: "Connection refused: connect. Verify the connection properties. Make sure that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port. Make sure that TCP connections to the port are not blocked by a firewall.".)

Error in the SQL log (ERRORLOG.log):

The server could not load the certificate it needs to initiate an SSL connection. It returned the following error: 0x8009030d. Check certificates to make sure they are valid.

When trying to start the SQL service:

Windows could not start the SQL Server (SQLEXPRESSSYMC) on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -214689528.

Environment

14.3 RU8 SEPM 

Cause

The private key permissions on the certificate do not include the account NT SERVICE\MSSQL$SQLEXPRESSSYMC, so the SQL Express service cannot load the certificate.

Resolution

1. Access the Windows certificate manager mmc through Start - Run - certmgr

2. Expand Personal - Certificates

3. Right-click the certificate in question - All Tasks - `Manage Private Keys...`

4. Check whether the SQL Express account is listed and has Read permissions. 

5. If it is missing, hit Add

6. Enter the account NT SERVICE\MSSQL$SQLEXPRESSSYMC and hit OK

7. Configure the account with Read permissions, hit OK

8. Start the SQL Express Service. 

Follow the directions in the article below as needed to complete updating the certificate.

Updating or restoring a server certificate