How can I solve expired self-signed certificate errors with Windows Azure Pack?

Q. I'm receiving a 500 error connecting to my Windows Azure Pack portals and the Event Log shows a certificate error. How can I fix this?

A. By default, Windows Azure Pack is installed with a self-signed certificate for the authentication sites (tenant and administration). These certificates last for one year. After that time, they are no longer valid and authentication will fail. If you look in the event logs (MgmtSvc-TenantSite and MgmtSvc-AdminSite), you should see an error such as:

Error:Unhandled exception: SecurityTokenValidationException: Jwt10329: Unable to validate signature, Configuration.IssuerTokenResolver.ResolveToken returned null. jwt.Header.SigningKeyIdentifier: 'SecurityKeyIdentifier

The solution is to create new certificates.

This can be done with PowerShell, but you need to know the SQL Server name, the SQL username and password, and the WAP passphrase:

# SQL Server DNS name
$Server = "sqlserver.domain.net"

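# SQL user and password
$userid = "sa"
$password = "Password"

# Connection string for the WAP configuration database
# (Microsoft.MgmtSvc.Config is the default database name; adjust if yours differs)
$ConfigconnectionString = [string]::Format('Server={0};Initial Catalog=Microsoft.MgmtSvc.Config;User Id={1};Password={2};', $Server, $userid, $password)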

# PassPhrase which you have defined during install of WAP
$PassPhrase = "PassPhrase"
$NameSpace = "AuthSite" 

# Get current signing certificate thumbprint
$setting = Get-MgmtSvcSetting -Namespace $NameSpace -Name Authentication.SigningCertificateThumbprint
$oldThumbprint = $setting.Value

# Remove the old certificate from the global config store
$Result = Set-MgmtSvcDatabaseSetting -Namespace $NameSpace -Name Authentication.SigningCertificate -Value $Null -ConnectionString $ConfigconnectionString -PassPhrase $PassPhrase -Force -confirm:$false

# Re-initialize the authentication service to generate a new signing certificate and reconfigure
Initialize-MgmtSvcFeature -Name $NameSpace -Passphrase $PassPhrase -ConnectionString $ConfigconnectionString -Verbose

# Repeat the same steps for the Windows authentication site
$NameSpace = "WindowsAuthSite"

# Get current signing certificate thumbprint
$setting = Get-MgmtSvcSetting -Namespace $NameSpace -Name Authentication.SigningCertificateThumbprint
$oldThumbprint = $setting.Value

# Remove the old certificate from the global config store
$Result = Set-MgmtSvcDatabaseSetting -Namespace $NameSpace -Name Authentication.SigningCertificate -Value $Null -ConnectionString $ConfigconnectionString -PassPhrase $PassPhrase -Force -confirm:$false

# Re-initialize the authentication service to generate a new signing certificate and reconfigure
Initialize-MgmtSvcFeature -Name $NameSpace -Passphrase $PassPhrase -ConnectionString $ConfigconnectionString -Verbose

Note that this would have to be repeated every year. A better approach is to use certificates from your enterprise CA. This is documented at http://blogs.technet.com/b/privatecloud/archive/2013/12/10/windows-azure-pack-reconfigure-portal-names-ports-and-use-trusted-certificates.aspx.
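
Because the self-signed certificates expire after a year, it helps to check their remaining lifetime before authentication starts failing. The following script is an added example, not part of the original article: it reuses the Get-MgmtSvcSetting call and namespaces shown above, and assumes the signing certificates are stored under Cert:\LocalMachine on the server where it runs (the function name and the 30-day threshold are illustrative choices).

```powershell
# Added example: report the remaining lifetime of the WAP token-signing certificates.
# Assumptions: certificates are under Cert:\LocalMachine on this server;
# Get-CertExpiryStatus and the 30-day threshold are illustrative, not WAP features.

function Get-CertExpiryStatus {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date)
    )
    # Search every LocalMachine store; store containers have no Thumbprint
    # property, so only certificate objects can match.
    $cert = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1

    if (-not $cert) {
        return [pscustomobject]@{ Thumbprint = $Thumbprint; Status = 'NotFound'
                                  DaysLeft = $null; NotAfter = $null; SelfSigned = $null }
    }

    $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
    if ($daysLeft -lt 0)              { $status = 'Expired' }
    elseif ($daysLeft -le $WarnDays)  { $status = 'ExpiringSoon' }
    else                              { $status = 'OK' }

    [pscustomobject]@{
        Thumbprint = $Thumbprint
        Status     = $status
        DaysLeft   = $daysLeft
        NotAfter   = $cert.NotAfter
        SelfSigned = ($cert.Subject -eq $cert.Issuer)  # subject == issuer: self-signed heuristic
    }
}

# Same namespaces and setting name as the renewal script above.
$report = foreach ($ns in 'AuthSite', 'WindowsAuthSite') {
    $setting = Get-MgmtSvcSetting -Namespace $ns -Name Authentication.SigningCertificateThumbprint
    Get-CertExpiryStatus -Thumbprint $setting.Value |
        Add-Member -NotePropertyName Namespace -NotePropertyValue $ns -PassThru
}

$report | Format-Table Namespace, Status, DaysLeft, NotAfter, SelfSigned, Thumbprint -AutoSize

# A non-zero exit code lets a scheduled task or monitoring agent raise an alert.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it on a schedule on the WAP server so that a certificate nearing expiry is flagged before the portals start returning 500 errors.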
