
8/23/2018 Windows Server 2016 Software Defined Networking: Updating the Network Controller Server certificate | Networking Blog

Windows Server 2016 Software Defined Networking: Updating the Network Controller Server certificate


March 19, 2018 by AnirbanPaul // 0 Comments


Network Controller uses a single certificate for northbound communication with REST clients (like System Center
Virtual Machine Manager) and southbound communication with Hyper-V hosts and Software Load Balancers. A
customer may wish to change this certificate after initial deployment, for example because the certificate has
expired or because they want to move from a self-signed certificate to a certificate issued by a Certificate Authority.
Currently, the workflow to update certificates is broken if you are using System Center Virtual Machine Manager.
This will be fixed in an upcoming release. For now, please follow the steps below to update the Network
Controller Server certificate.

NOTE: These steps are not required if you are renewing the existing certificate with the same key.

Steps to update the Network Controller Server certificate

1. Install the new certificate in the Personal store of the LocalMachine account on a Network Controller node
2. Export the certificate with private key and import it on the other Network Controller nodes (to ensure that
the same certificate is provisioned on all the nodes)
3. DO NOT remove the old certificate from the Network Controller nodes
4. Update the server certificate using the PowerShell command:

        Set-NetworkController -ServerCertificate <new cert>

5. Update the certificate used for encrypting the credentials stored in the Network Controller using the
PowerShell command:

        Set-NetworkControllerCluster -CredentialEncryptionCertificate <new cert>

6. You will also need to update the certificate used for southbound authentication with Hyper-V hosts and
Software Load Balancer MUX virtual machines. To update this, follow steps 7 to 9.

https://blogs.technet.microsoft.com/networking/2018/03/19/windows-server-2016-software-defined-networking-updating-the-network-controller-server-… 1/4

7. Retrieve a Server REST resource using the PowerShell command:

                  Get-NetworkControllerServer -ConnectionUri <REST uri of your deployment>

8. In the Server REST resource, navigate to the “Connections” object and retrieve the Credential resource with
type “X509Certificate”

        "Connections": [
            {
                "ManagementAddresses": [ "contoso.com" ],
                "CredentialType": "X509Certificate",
                "Protocol": null,
                "Port": null,
                "Credential": {
                    "Tags": null,
                    "ResourceRef":  "/credentials/41229069-85d4-4352-b
                    "InstanceId":  "00000000-0000-0000-  0000-0000000
                }
            }
        ]

9. Update the Credential REST resource retrieved above with the thumbprint of the new certificate

        $cred=New-Object Microsoft.Windows.Networkcontroller.credentialproperties
        $cred.type="X509Certificate"
        $cred.username=""
        $cred.value="<thumbprint of the new certificate>"
        New-NetworkControllerCredential -ConnectionUri <REST uri of the deployment> -ResourceId 412

10. If the new certificate is a self-signed certificate, provision the certificate (without the private key) in the
Trusted Root certificate store of all the Hyper-V hosts and Software Load Balancer MUX virtual machines.
This is to ensure that the certificate presented by Network Controller is trusted by the southbound devices.
If the certificate is not self-signed, ensure that the Certificate Authority that issued the certificate is also
trusted by the Hyper-V hosts and the Software Load Balancer MUX virtual machines.

11. System Center Virtual Machine Manager (SCVMM) must also be updated to use the new certificate. On the
SCVMM machine, execute the following PowerShell command:

        Set-SCNetworkService -ProvisionSelfSignedCertificatesforNetworkService $true -Certificate $cert -NetworkService $svc

where:

        NetworkService is the Network Controller service,
        Certificate is the new Network Controller certificate, and
        ProvisionSelfSignedCertificatesforNetworkService is $true if you are using a self-signed certificate

12. Provision the Network Controller certificate (without the private key) in the Trusted Root certificate store of
the SCVMM machine

After you have verified that the connectivity is working fine, you can go ahead and remove the old Network
Controller certificate from the Network Controller nodes.
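
As an added example (not part of the original post or any Microsoft tooling), the following PowerShell checks the preconditions from steps 1 to 3 and step 10 before the old certificate is removed. The node and host names and both thumbprints are placeholders, PowerShell remoting to each machine is assumed, and only the self-signed case of step 10 is covered.

```powershell
# Added example: pre-flight checks for the certificate rollover described above.
# Every name and thumbprint here is a placeholder (assumption), not a value from the post.
$NewThumbprint = '<thumbprint of the new certificate>'
$OldThumbprint = '<thumbprint of the old certificate>'
$NcNodes       = 'nc-node1', 'nc-node2', 'nc-node3'   # hypothetical Network Controller nodes
$Southbound    = 'hyperv-host1', 'slb-mux1'           # hypothetical Hyper-V hosts / SLB MUX VMs
$SelfSigned    = $true

# Steps 1-3: each node must hold the new certificate WITH its private key,
# and must still hold the old certificate.
$nodeReport = Invoke-Command -ComputerName $NcNodes -ArgumentList $NewThumbprint, $OldThumbprint -ScriptBlock {
    param($NewTp, $OldTp)
    $new = Get-Item -Path "Cert:\LocalMachine\My\$NewTp" -ErrorAction SilentlyContinue
    $old = Get-Item -Path "Cert:\LocalMachine\My\$OldTp" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Node          = $env:COMPUTERNAME
        NewPresent    = [bool]$new
        HasPrivateKey = [bool]($new -and $new.HasPrivateKey)
        NotExpired    = [bool]($new -and $new.NotAfter -gt (Get-Date))
        OldStillThere = [bool]$old
    }
}

# Step 10 (self-signed case): southbound devices must trust the new certificate,
# and must hold only the public part of it.
$trustReport = @()
if ($SelfSigned) {
    $trustReport = Invoke-Command -ComputerName $Southbound -ArgumentList $NewThumbprint -ScriptBlock {
        param($Tp)
        $root = Get-Item -Path "Cert:\LocalMachine\Root\$Tp" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Device            = $env:COMPUTERNAME
            InTrustedRoot     = [bool]$root
            PrivateKeyPresent = [bool]($root -and $root.HasPrivateKey)   # expected: False
        }
    }
}

$nodeReport  | Format-Table Node, NewPresent, HasPrivateKey, NotExpired, OldStillThere -AutoSize
$trustReport | Format-Table Device, InTrustedRoot, PrivateKeyPresent -AutoSize

# Collect every machine that fails a check and stop if there is one.
$bad  = @($nodeReport  | Where-Object { -not ($_.NewPresent -and $_.HasPrivateKey -and $_.NotExpired -and $_.OldStillThere) })
$bad += @($trustReport | Where-Object { -not $_.InTrustedRoot -or $_.PrivateKeyPresent })
if ($bad.Count -gt 0) {
    throw "Certificate pre-flight failed on $($bad.Count) machine(s); do not remove the old certificate yet."
}
```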

Tags certificates Network Controller SDN Windows Server 2016
