Windows Server 2016 Software Defined Networking: Updating the Network Controller Server certificate

Network Controller uses a single certificate for northbound communication with REST clients (like System Center Virtual Machine Manager) and southbound communication with Hyper-V hosts and Software Load Balancers. A customer may wish to change this certificate after initial deployment, for example because the certificate has expired or because they want to move from a self-signed certificate to one issued by a Certificate Authority. Currently, the workflow to update certificates is broken if you are using System Center Virtual Machine Manager. This will be fixed in an upcoming release. For now, please follow the steps below to update the Network Controller Server certificate.

NOTE: These steps are not required if you are renewing the existing certificate with the same key.

Steps to update the Network Controller Server certificate

  1. Install the new certificate in the Personal store of the LocalMachine account on a Network Controller node
  2. Export the certificate with its private key and import it on the other Network Controller nodes (to ensure that the same certificate is provisioned on all the nodes)
  3. DO NOT remove the old certificate from the Network Controller nodes
  4. Update the server certificate using the PowerShell command:

                   Set-NetworkController -ServerCertificate <new cert>

  5. Update the certificate used for encrypting the credentials stored in the Network Controller using the PowerShell command:

                   Set-NetworkControllerCluster -CredentialEncryptionCertificate <new cert>

  6. You will also need to update the certificate used for southbound authentication with Hyper-V hosts and Software Load Balancer MUX virtual machines. To update this, follow steps 7 to 9.
  7. Retrieve a Server REST resource using the PowerShell command:

                  Get-NetworkControllerServer -ConnectionUri <REST uri of your deployment>

  8. In the Server REST resource, navigate to the "Connections" object and retrieve the Credential resource with type "X509Certificate":

            "Connections": [
                {
                    "ManagementAddresses": [ "contoso.com" ],
                    "CredentialType": "X509Certificate",
                    "Protocol": null,
                    "Port": null,
                    "Credential": {
                        "Tags": null,
                        "ResourceRef": "/credentials/41229069-85d4-4352-be85-034d0c5f4658",
                        "InstanceId": "00000000-0000-0000-0000-000000000000"
                    }
                }
            ]
  9. Update the Credential REST resource retrieved above with the thumbprint of the new certificate:

            $cred=New-Object Microsoft.Windows.NetworkController.CredentialProperties
            $cred.Type="X509Certificate"
            $cred.UserName=""
            $cred.Value="<thumbprint of the new certificate>"
            New-NetworkControllerCredential -ConnectionUri <REST uri of the deployment> -ResourceId 41229069-85d4-4352-be85-034d0c5f4658 -Properties $cred
  10. If the new certificate is a self-signed certificate, provision the certificate (without the private key) in the Trusted Root certificate store of all the Hyper-V hosts and Software Load Balancer MUX virtual machines. This is to ensure that the certificate presented by Network Controller is trusted by the southbound devices. If the certificate is not self-signed, ensure that the Certificate Authority that issued the certificate is also trusted by the Hyper-V hosts and the Software Load Balancer MUX virtual machines.
  11. System Center Virtual Machine Manager (SCVMM) also must be updated to use the new certificate. On the SCVMM machine, execute the following PowerShell command:

            Set-SCNetworkService -ProvisionSelfSignedCertificatesforNetworkService $true -Certificate $cert -NetworkService $svc

        where NetworkService is the Network Controller service,
        Certificate is the new Network Controller certificate, and
        ProvisionSelfSignedCertificatesforNetworkService is $true if you are using a self-signed certificate
  12. Provision the Network Controller certificate (without the private key) in the Trusted Root certificate store of the SCVMM machine
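The following script is an added example (not part of the original post or of the Network Controller product) that automates steps 7 to 9 for every Server resource, after first checking that the new certificate from step 1 is actually present with its private key and not expired. It assumes $ConnectionUri is the REST URI of your deployment and $NewThumbprint is the thumbprint of the new certificate; the read-back check after each update is an added verification, not something the steps above require.

```powershell
param(
    [Parameter(Mandatory)] [string] $ConnectionUri,   # assumed: REST URI of the deployment
    [Parameter(Mandatory)] [string] $NewThumbprint    # assumed: thumbprint of the new certificate
)

# Step 1 check: the new certificate must be in LocalMachine\My, carry its private key and be valid.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $cert)             { throw "Certificate $NewThumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key on this node" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $NewThumbprint has already expired" }

# Steps 7 and 8: walk every Server resource and collect the ResourceRef of each
# X509Certificate credential. A hashtable de-duplicates refs shared by several servers.
$refs = @{}
foreach ($server in Get-NetworkControllerServer -ConnectionUri $ConnectionUri) {
    foreach ($conn in $server.Properties.Connections) {
        if ($conn.CredentialType -eq 'X509Certificate' -and $conn.Credential.ResourceRef) {
            $refs[$conn.Credential.ResourceRef] = $server.ResourceId
        }
    }
}
if ($refs.Count -eq 0) { throw "No X509Certificate credential referenced by any Server resource" }

# Step 9: rewrite each referenced Credential with the new thumbprint. ResourceRef has the
# form /credentials/<id>; reusing the existing ResourceId updates the resource in place.
foreach ($ref in $refs.Keys) {
    $resourceId = ($ref -split '/')[-1]
    $props = New-Object Microsoft.Windows.NetworkController.CredentialProperties
    $props.Type     = 'X509Certificate'
    $props.UserName = ''
    $props.Value    = $NewThumbprint
    New-NetworkControllerCredential -ConnectionUri $ConnectionUri -ResourceId $resourceId `
        -Properties $props -Force

    # Read the credential back so a silently rejected update is not mistaken for success.
    $check = Get-NetworkControllerCredential -ConnectionUri $ConnectionUri -ResourceId $resourceId
    if ($check.Properties.Value -ne $NewThumbprint) {
        throw "Credential $resourceId still does not carry thumbprint $NewThumbprint"
    }
    Write-Host "Updated credential $resourceId (referenced by server $($refs[$ref]))"
}
```

Run it on a Network Controller node after steps 1 to 6; steps 10 to 12 (trust on the hosts, MUXes and SCVMM) still have to be done separately.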

After you have verified that the connectivity is working fine, you can go ahead and remove the old Network Controller certificate from the Network Controller nodes.