Networking Blog
Windows Networking support team and Product team blog
Network Controller uses a single certificate for northbound communication with REST clients (like System Center
Virtual Machine Manager) and southbound communication with Hyper-V hosts and Software Load Balancers. A
customer may wish to change this certificate after initial deployment, for example because the certificate has expired
or because they want to move from a self-signed certificate to certificates issued by a Certificate Authority.
Currently, the workflow to update certificates is broken if you are using System Center Virtual Machine Manager.
This will be fixed in an upcoming release. For now, please follow the steps below to update the Network
Controller Server certificate.
NOTE: These steps are not required if you are renewing the existing certificate with the same key.
1. Install the new certificate in the Personal store of the LocalMachine account on a Network Controller node.
2. Export the certificate with its private key and import it on the other Network Controller nodes (to ensure that
the same certificate is provisioned on all the nodes).
3. DO NOT remove the old certificate from the Network Controller nodes.
4. Update the server certificate using the PowerShell command:
5. Update the certificate used for encrypting the credentials stored in the Network Controller using the
PowerShell command:
6. You will also need to update the certificate used for southbound authentication with Hyper-V hosts and
Software Load Balancer MUX virtual machines. To update this, follow steps 7 to 9.
https://blogs.technet.microsoft.com/networking/2018/03/19/windows-server-2016-software-defined-networking-updating-the-network-controller-server-… 1/4
8/23/2018 Windows Server 2016 Software Defined Networking: Updating the Network Controller Server certificate | Networking Blog
8. In the Server REST resource, navigate to the “Connections” object and retrieve the Credential resource with
type “X509Certificate”
"Connections": [
  {
    "ManagementAddresses": [ "contoso.com" ],
    "CredentialType": "X509Certificate",
    "Protocol": null,
    "Port": null,
    "Credential": {
      "Tags": null,
      "ResourceRef": "/credentials/41229069-85d4-4352-b
      "InstanceId": "00000000-0000-0000-0000-0000000
      …
      …
    }
  }
]
9. Update the Credential REST resource retrieved above with the thumbprint of the new certificate
# Build the credential properties that point at the new certificate
$cred = New-Object Microsoft.Windows.NetworkController.CredentialProperties
$cred.Type = "X509Certificate"
$cred.UserName = ""
$cred.Value = "<thumbprint of the new certificate>"
New-NetworkControllerCredential -ConnectionUri <REST uri of the deployment> -ResourceId 412
10. If the new certificate is a self-signed certificate, provision the certificate (without the private key) in the
Trusted Root certificate store of all the Hyper-V hosts and Software Load Balancer MUX virtual machines.
This is to ensure that the certificate presented by Network Controller is trusted by the southbound devices.
If the certificate is not self-signed, ensure that the Certificate Authority that issued the certificate is also
trusted by the Hyper-V hosts and the Software Load Balancer MUX virtual machines.
11. System Center Virtual Machine Manager (SCVMM) must also be updated to use the new certificate. On the
SCVMM machine, execute the following PowerShell command:
12. Provision the Network Controller certificate (without the private key) in the Trusted Root certificate store of
the SCVMM machine.
After you have verified that connectivity is working, you can remove the old Network
Controller certificate from the Network Controller nodes.
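A pre-flight check for the procedure above, followed by the commands for steps 4 and 5, as an added example that is not part of the original post. Node names and thumbprints are placeholders; Set-NetworkController -ServerCertificate and Set-NetworkControllerCluster -CredentialEncryptionCertificate are cmdlets from the NetworkController PowerShell module, supplied here rather than recovered from the post.

```powershell
# Added example: run on a Network Controller node, in an elevated session.
# Host names and thumbprints are placeholders (assumptions, not from the post).
$newThumb   = '<thumbprint of the new certificate>'
$oldThumb   = '<thumbprint of the old certificate>'
$ncNodes    = 'nc01', 'nc02', 'nc03'      # Network Controller nodes (hypothetical)
$southbound = 'hv01', 'hv02', 'mux01'     # Hyper-V hosts and SLB MUX VMs (hypothetical)

# Steps 1-3: the new certificate (with private key) is on every node and the old one is still there.
$nodes = Invoke-Command -ComputerName $ncNodes -ScriptBlock {
    $new = Get-Item "Cert:\LocalMachine\My\$using:newThumb" -ErrorAction SilentlyContinue
    $now = Get-Date
    [pscustomobject]@{
        NewCert    = [bool]$new
        PrivateKey = [bool]($new -and $new.HasPrivateKey)
        InValidity = [bool]($new -and $new.NotBefore -le $now -and $new.NotAfter -gt $now)
        OldCert    = Test-Path "Cert:\LocalMachine\My\$using:oldThumb"
    }
}

# Step 10: can each southbound device build a trusted chain for the new certificate?
# Only the public certificate bytes (RawData) are sent; the private key never leaves the node.
$cert  = Get-Item "Cert:\LocalMachine\My\$newThumb"
$raw   = $cert.RawData
$trust = Invoke-Command -ComputerName $southbound -ScriptBlock {
    $c     = [Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$using:raw)
    $chain = [Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # checks trust only, not revocation
    [pscustomobject]@{ Trusted = $chain.Build($c); Status = ($chain.ChainStatus.Status -join ',') }
}

$nodes | Format-Table PSComputerName, NewCert, PrivateKey, InValidity, OldCert
$trust | Format-Table PSComputerName, Trusted, Status

# Stop before changing anything if a node is missing the new key pair or the old certificate.
$bad = @($nodes | Where-Object { -not ($_.NewCert -and $_.PrivateKey -and $_.InValidity -and $_.OldCert) })
if ($bad.Count -gt 0) {
    throw "Certificate not correctly provisioned on: $($bad.PSComputerName -join ', ')"
}

# Steps 4 and 5: switch the server certificate and the credential-encryption certificate.
Set-NetworkController -ServerCertificate $cert
Set-NetworkControllerCluster -CredentialEncryptionCertificate $cert
```

A `Trusted` value of `False` on a southbound device means step 10 has not yet been completed for that host; the `Status` column shows the chain error reported there.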