Managing Certificates

 

Updated: October 17, 2012

Applies To: Service Bus for Windows Server 1.0

Several cmdlets are available for managing the certificates that secure communications for the Service Bus for Windows Server.

Anytime you plan to set or change any of the certificates for a farm, you must first stop all of the nodes in the farm using the Stop-SBHost cmdlet, then restart each node using the Start-SBHost cmdlet to load the new configuration.

The Service Bus for Windows Server farm certificate secures internal communications between nodes in the farm. The outbound signing certificate secures communications between Service Bus for Windows Server installations. You can use the Set-SBCertificate cmdlet to change the certificate after the computer joins a farm.

This cmdlet has the following format:

Set-SBCertificate [-SBFarmDBConnectionString <string>] [-FarmCertificateThumbprint <string>] [-EncryptionCertificateThumbprint <string>] [-SkipKeyReEncryption] [-IgnoreEncryptionError] 

You can find the detailed description of this cmdlet and its parameters in the Service Bus for Windows Server reference guide.

The Update-SBHost cmdlet propagates any changes in farm certificates made with the Set-SBCertificate cmdlet to each machine in a farm. Use the following procedure:

  1. Install the new certificate on all the farm machines and get the thumbprint.

  2. Call Stop-SBFarm -Verbose.

  3. Call the Set-SBCertificate cmdlet with the new certificate thumbprint and the -SkipKeyReEncryption flag. For example, if the new certificate thumbprint is 'CertificateThumbPrint', call:

    Set-SBCertificate -FarmCertificateThumbprint "CertificateThumbPrint" -SkipKeyReEncryption
    
  4. Update the certificates on each machine in the farm by running Update-SBHost.

  5. Update the namespaces to use the new certificate by calling:

    Set-SBNamespace -Name -PrimarySymmetricKey
    
  6. Restart each machine in the farm by running Start-SBFarm -Verbose.
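
A pre-flight check for step 1 of the procedure above, as an added example that is not part of the original documentation: it confirms that the new certificate is usable on every farm machine before the farm is stopped and the certificate is changed. The host list, the LocalMachine\My store location, the private-key requirement and the availability of PowerShell remoting are assumptions.

```powershell
# Added example, not from the product documentation.
# $FarmHosts and $Thumbprint are supplied by the operator (hypothetical inputs).
param(
    [Parameter(Mandatory = $true)] [string]   $Thumbprint,
    [Parameter(Mandatory = $true)] [string[]] $FarmHosts
)

# Thumbprints pasted from the certificate UI often carry spaces or an
# invisible leading character; keep hex digits only and expect SHA-1 length.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($clean.Length -ne 40) { throw "Thumbprint is not 40 hex characters: '$Thumbprint'" }

# Look for the certificate in LocalMachine\My on every farm machine
# (assumed store location; requires PowerShell remoting to each node).
$report = foreach ($node in $FarmHosts) {
    try {
        $cert = Invoke-Command -ComputerName $node -ErrorAction Stop -ScriptBlock {
            param($tp)
            Get-ChildItem -Path Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $tp } |
                Select-Object Thumbprint, HasPrivateKey, NotBefore, NotAfter
        } -ArgumentList $clean
        $now = Get-Date
        [pscustomobject]@{
            Host       = $node
            Installed  = [bool]$cert
            PrivateKey = [bool]$cert.HasPrivateKey
            ValidNow   = [bool]($cert -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            Expires    = $cert.NotAfter
        }
    } catch {
        # An unreachable node counts as a failure: do not stop the farm.
        [pscustomobject]@{ Host = $node; Installed = $false; PrivateKey = $false; ValidNow = $false; Expires = $null }
    }
}
$report | Format-Table -AutoSize

# Refuse to continue if any node is missing the certificate or its key.
$bad = @($report | Where-Object { -not ($_.Installed -and $_.PrivateKey -and $_.ValidNow) })
if ($bad.Count -gt 0) { throw "Certificate not usable on: $($bad.Host -join ', ')" }

# Steps 2 and 3 as the page gives them. Steps 4-6 (Update-SBHost on each
# machine, Set-SBNamespace, Start-SBFarm -Verbose) follow as in the procedure.
Stop-SBFarm -Verbose
Set-SBCertificate -FarmCertificateThumbprint $clean -SkipKeyReEncryption
```
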

Call the Set-SBCertificateAutoGenerationKey cmdlet to change the key used for encrypting auto-generated certificates. This cmdlet regenerates the certificate authority and certificates.

Set-SBCertificateAutogenerationKey [-IgnoreEncryptionError [<SwitchParameter>]] [-LastCertificateThumbprint <String>] [-SBFarmDBConnectionString <String>] -Key <SecureString>

Use this cmdlet to replace the certificate that was automatically generated when you created a Service Bus for Windows Server farm. This is useful if you have forgotten the key used to create the auto-generated certificate.

If you previously copied the certificate authority to your client machines, note that this cmdlet regenerates it: you must retrieve the new certificate authority using the Get-SBAutogeneratedCA cmdlet, and then copy it to your client machines.

The Get-SBFarm cmdlet displays the configuration information from the certificates described in this section. This cmdlet has the following format:

Get-SBFarm -SBFarmDBConnectionString <connectionstring>

The following table describes the options for this cmdlet.

| Option | Effect |
| --- | --- |
| -SBFarmDBConnectionString <connectionstring> | Specifies the connection string. An example of a connection string for the SQL Server instance that stores the farm configuration: "Data Source=localhost;Initial Catalog=AppFabricManagementDB;Integrated Security=True" |

The Get-SBFarmStatus cmdlet returns the status of Service Bus for Windows Server services in all of the Service Bus for Windows Server farm’s hosts.
