SEP 14.3.x

SQLExpress 

The certificate is missing the private key after attempting to import it in mmc certificate snap in console as described in Update the server certificate on the management server without breaking communications with the client

1.To create and auto import the new certificate into the personal keystore/local computer, use PowerShell to execute the command below: (change COMPUTERNAME to match your SEPM name)

New-SelfSignedCertificate -Type SSLServerAuthentication -Subject "CN=$env:COMPUTERNAME" -DnsName "$env:COMPUTERNAME",'localhost.' -KeyAlgorithm "RSA" -KeyLength 2048 -Hash "SHA256" -TextExtension "2.5.29.37={text}1.3.6.1.5.5.7.3.1" -NotAfter (Get-Date).AddMonths(144) -KeySpec KeyExchange -Provider "Microsoft RSA SChannel Cryptographic Provider"

2. Open MMC, load certificate snap in for computer

3. Right click on the newly imported certificate and select All Tasks > Manage Private Key

4. Add `read` permissions for user NT Service\MSSQL$SQLEXPRESSSYMC (this is the same as the "log on as" user for the SQL Server service) 

5. Restart the SQL service

6. Restart all three SEPM services

7. Open the SEPM console and verify functionality