Update the network controller server certificate

Important

This version of Virtual Machine Manager (VMM) has reached the end of support. We recommend that you upgrade to VMM 2022.

Network controller (NC) uses a certificate for Northbound communication with REST clients, such as VMM, and Southbound communication with Hyper-V hosts and software load balancers.

You can change or update this certificate in the following scenarios after you deploy the NC.

  • The certificate has expired.

  • You want to move from a self-signed certificate to a certificate that is issued by a certificate authority (CA).

    Note

    If you renew the existing certificate with the same key, these steps are not required.

Before you start

Ensure that you create a new SSL certificate with the existing network controller's REST name. Learn more.

Update the server certificate

  1. If the certificate is self-signed, do the following:

    • Certificate with private key - Export the certificate and import it on all the NC nodes' My store.
    • Certificate without a private key - Export the certificate and import it on all the NC nodes' Root store.
  2. If the certificate is a CA issued certificate, import it in all network controller nodes' My store.

    Note

    DO NOT remove the current certificate from the NC nodes. You should validate the updated certificate before you remove the existing one. Proceed with the rest of the steps to update the certificate.

  3. Update the server certificate by executing the following PowerShell command on one of the NC nodes.

    
    # Locate the new certificate in the local machine's personal (My) store by thumbprint
    $certificate = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.Thumbprint -eq "Thumbprint of new certificate"}
    Set-NetworkController -ServerCertificate $certificate
    
  4. Update the certificate used for encrypting the credentials stored in the NC by executing the following command on one of the NC nodes.

    
    # Same certificate is used to protect the credentials stored in the NC database
    $certificate = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.Thumbprint -eq "Thumbprint of new certificate"}
    Set-NetworkControllerCluster -CredentialEncryptionCertificate $certificate
    
  5. Retrieve a server REST resource by executing the following PowerShell command on one of the NC nodes.

    
    Get-NetworkControllerServer -ConnectionUri <REST uri of your deployment>
    
  6. In the Server REST resource, navigate to the Credentials object and check the credential of type X509Certificate with a value matching your certificate's thumbprint. Note the credential resource ID.

    
    "Connections":
    [
       {
          "ManagementAddresses": [ "contoso.com" ],
          "CredentialType": "X509Certificate",
          "Protocol": null,
          "Port": null,
          "Credential": {
                            "Tags": null,
                            "ResourceRef": "/credentials/<credential resource Id>",
                            "InstanceId": "00000000-0000-0000-0000-000000000000",
                            …
                            …
                         }
       }
    ]
    
  7. Update the credential REST resource of type X509Certificate retrieved above with the thumbprint of the new certificate.

    Execute this PowerShell cmdlet on any of the NC nodes.

    
    # Build the credential properties and overwrite the existing X509Certificate credential
    # (same resource ID) so that it points at the new thumbprint
    $cred = New-Object Microsoft.Windows.NetworkController.CredentialProperties
    $cred.Type = "X509Certificate"
    $cred.UserName = ""
    $cred.Value = "<thumbprint of the new certificate>"
    New-NetworkControllerCredential -ConnectionUri <REST uri of the deployment> -ResourceId <credential resource Id> -Properties $cred
    
  8. If the new certificate is a self-signed certificate, provision the certificate (without the private key) in the trusted root certificate store of all the Hyper-V hosts and software load balancer MUX virtual machines.

  9. Provision the NC certificate (without the private key) in the trusted root certificate store of the VMM machine using the following PowerShell cmdlet:

    # Retrieve the NC server certificate as presented by the REST endpoint, then hand it to the
    # network service so VMM trusts it
    $certificate = Get-SCCertificate -ComputerName "NCRestName"
    $networkservice = Get-SCNetworkService | Where {$_.IsNetworkController -eq $true}
    Set-SCNetworkService -ProvisionSelfSignedCertificatesforNetworkService $true -Certificate $certificate -NetworkService $networkservice
    
    • -NetworkService is the network controller service; -Certificate is the new NC server certificate.
    • -ProvisionSelfSignedCertificatesforNetworkService is $true if you're updating to a self-signed certificate.
  10. Verify that the connectivity is working fine with the updated certificate.

    You can now remove the previous certificate from the NC nodes.
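    The following script is an added example, not part of the original article, that runs steps 3 through 7 above from a single NC node and adds the validation a practitioner would want before switching: it confirms the new certificate carries a private key, is within its validity period, and has the REST name in its subject or subject alternative names, then reads each updated credential back. The placeholder values in angle brackets are assumptions you must replace; the script also assumes that the server objects returned by Get-NetworkControllerServer expose the connection list as .Properties.Connections, matching the JSON shown in step 6.

```powershell
# Added example (not from the original article). Run on one NC node after the new
# certificate has been imported into Cert:\LocalMachine\My on every NC node.
# Placeholders in angle brackets are assumptions; replace them for your deployment.
$NewThumbprint = "<thumbprint of new certificate>"
$RestName      = "<REST name of your deployment>"          # e.g. the NC REST FQDN
$RestUri       = "https://$RestName"

# Step 3/4 prerequisite: locate the new certificate in the local My store.
$certificate = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $certificate) {
    throw "Certificate $NewThumbprint not found in Cert:\LocalMachine\My on $env:COMPUTERNAME"
}

# Pre-flight checks. A certificate without its private key cannot terminate TLS,
# an expired one will be rejected by every client, and a name mismatch makes VMM
# and the Southbound hosts fail certificate validation against the REST name.
if (-not $certificate.HasPrivateKey) {
    throw "Certificate $NewThumbprint has no private key on this node"
}
$now = Get-Date
if ($now -lt $certificate.NotBefore -or $now -gt $certificate.NotAfter) {
    throw "Certificate $NewThumbprint is outside its validity period ($($certificate.NotBefore) - $($certificate.NotAfter))"
}
# Collect the subject CN and any DNS SANs (DnsNameList is a Windows PowerShell type extension).
$dnsNames = @($certificate.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
if ($certificate.DnsNameList) { $dnsNames += $certificate.DnsNameList | ForEach-Object { $_.Unicode } }
if ($dnsNames -notcontains $RestName) {
    throw "Certificate names [$($dnsNames -join ', ')] do not include REST name $RestName"
}

# Step 3: switch the Northbound/Southbound server certificate.
Set-NetworkController -ServerCertificate $certificate

# Step 4: switch the certificate that encrypts stored credentials.
Set-NetworkControllerCluster -CredentialEncryptionCertificate $certificate

# Steps 5/6: find every X509Certificate credential referenced by the server resources.
$servers = Get-NetworkControllerServer -ConnectionUri $RestUri
$credentialIds = $servers |
    ForEach-Object { $_.Properties.Connections } |
    Where-Object { $_.CredentialType -eq "X509Certificate" } |
    ForEach-Object { $_.Credential.ResourceRef.Split('/')[-1] } |
    Sort-Object -Unique
if (-not $credentialIds) { throw "No X509Certificate credential found on any server resource" }

# Step 7: point each of those credentials at the new thumbprint, then read it back.
foreach ($credentialId in $credentialIds) {
    $cred = New-Object Microsoft.Windows.NetworkController.CredentialProperties
    $cred.Type     = "X509Certificate"
    $cred.UserName = ""
    $cred.Value    = $NewThumbprint
    New-NetworkControllerCredential -ConnectionUri $RestUri -ResourceId $credentialId `
        -Properties $cred -Force

    $readBack = Get-NetworkControllerCredential -ConnectionUri $RestUri -ResourceId $credentialId
    if ($readBack.Properties.Value -ne $NewThumbprint) {
        throw "Credential $credentialId still reports thumbprint $($readBack.Properties.Value)"
    }
    Write-Output "Credential $credentialId now references $NewThumbprint"
}
```

    The script deliberately stops before any removal: the old certificate stays in the My store on every node until step 10's connectivity check has passed, which is the same ordering the note in step 2 requires. -Force on New-NetworkControllerCredential suppresses the confirmation prompt so the loop can run unattended.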

Next steps

Validate the NC deployment to ensure that the deployment is successful.