Windows Server 2016 Software Defined Networking: Updating the Network Controller Server certificate

First published on TECHNET on Mar 19, 2018
Network Controller uses a single certificate for northbound communication with REST clients (such as System Center Virtual Machine Manager) and for southbound communication with the Hyper-V hosts and the Software Load Balancer MUXes. A customer may need to change this certificate after the initial deployment, for example because the certificate is expiring or because they want to move from a self-signed certificate to one issued by a Certificate Authority. Currently, the certificate update workflow is broken if you are using System Center Virtual Machine Manager; this will be fixed in an upcoming release. For now, follow the steps below to update the Network Controller server certificate.

NOTE: These steps are not required if you are renewing the existing certificate with the same key.

Steps to update the Network Controller Server certificate

  1. Install the new certificate in the Personal store of the LocalMachine account on one Network Controller node.
  2. Export the certificate with its private key and import it on the other Network Controller nodes, so that the same certificate is provisioned on every node.
  3. DO NOT remove the old certificate from the Network Controller nodes yet; it remains in use until the remaining steps are complete.
  4. Update the server certificate using the PowerShell command:

  5. Update the certificate used for encrypting the credentials stored in the Network Controller using the PowerShell command:

  6. You will also need to update the certificate used for southbound communication with the hosts and the Software Load Balancer MUXes. To update it, follow steps 7 to 9.
  7. Retrieve a Server REST resource using the PowerShell command:

  8. In the Server REST resource, navigate to the "Connections" object and find the Credential resource whose type is "X509Certificate":

"Connections": [
  {
    "ManagementAddresses": [ "" ],
    "CredentialType": "X509Certificate",
    "Protocol": null,
    "Port": null,
    "Tags": null,
    "ResourceRef": "/credentials/41229069-85d4-4352-be85-034d0c5f4658",
    "InstanceId": "00000000-0000-0000-0000-000000000000"
  }
]

  9. Update the Credential REST resource retrieved above with the thumbprint of the new certificate:

$cred = New-Object Microsoft.Windows.NetworkController.CredentialProperties
$cred.Type     = "X509Certificate"
$cred.UserName = ""
$cred.Value    = "<thumbprint of the new certificate>"   # hex thumbprint, no spaces

  10. If the new certificate is self-signed, provision it (without the private key) in the Trusted Root certificate store of all the Hyper-V hosts and Software Load Balancer MUXes, so that the certificate presented by the Network Controller is trusted by the southbound devices. If the certificate is CA-issued, ensure instead that the issuing Certificate Authority is trusted by the Hyper-V hosts and the MUXes.
  11. System Center Virtual Machine Manager (SCVMM) must also be updated to use the new certificate. On the SCVMM machine, run:

Set-SCNetworkService -ProvisionSelfSignedCertificatesforNetworkService $true -Certificate $cert -NetworkService $svc

where NetworkService is the Network Controller service, Certificate is the new Network Controller certificate, and ProvisionSelfSignedCertificatesforNetworkService is $true if you are using a self-signed certificate (and $false for a CA-issued one).

  12. Provision the Network Controller certificate (without the private key) in the Trusted Root certificate store of the SCVMM machine.

After you have verified that northbound (REST) and southbound (host and MUX) connectivity are working, remove the old Network Controller certificate from the Network Controller nodes.
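The rotation procedure above, carried through on a Network Controller node as one PowerShell script. This is an added example, not code from the original post and not a Microsoft-supplied script. It assumes the NetworkController module cmdlets (Set-NetworkController, Set-NetworkControllerCluster, Get-NetworkControllerServer, New-NetworkControllerCredential) are available on the node, that the new certificate has already been imported with its private key into Cert:\LocalMachine\My on every node (steps 1 and 2), and that the REST URI, thumbprint and Server resource ID shown are constructed placeholders; the connection object is read through its Credential.ResourceRef property, which is how the PowerShell object model exposes the "/credentials/..." reference shown in the JSON above. The final check opens a TLS session to the REST endpoint and confirms the controller actually presents the new certificate before the old one is removed.

```powershell
# Added example (not from the original post). Constructed values below are
# placeholders and must be replaced with the real ones for the deployment.
$NcUri            = "https://nc.contoso.local"                     # constructed
$NewThumbprint    = "0123456789ABCDEF0123456789ABCDEF01234567"     # constructed
$ServerResourceId = "host01"                                        # constructed
# If the controller authenticates REST clients with certificates, add
# -CertificateThumbprint <client cert thumbprint> to the Get-/New- calls below.

function Assert-NewCertificatePresent {
    param([string]$Thumbprint)
    # Steps 1-2 sanity check: the certificate must be in LocalMachine\My with
    # its private key on this node, otherwise the service cannot use it for TLS.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert)               { throw "Certificate $Thumbprint is not in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this node" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate $Thumbprint expires on $($cert.NotAfter)" }
    return $cert
}

function Test-PresentedThumbprint {
    param([string]$HostName, [int]$Port = 443, [string]$Expected)
    # Open a TLS session and compare the leaf certificate the endpoint presents
    # with the expected thumbprint. The validation callback returns $true only
    # because the certificate is inspected explicitly afterwards.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return ($leaf.Thumbprint -eq $Expected)
    } finally { $tcp.Close() }
}

$newCert = Assert-NewCertificatePresent -Thumbprint $NewThumbprint
# Step 3: the old certificate is deliberately left in the store.

# Step 4: northbound (REST) server certificate. Run only once the certificate
# is present on every node, because the setting applies cluster-wide.
Set-NetworkController -ServerCertificate $newCert

# Step 5: certificate protecting the credentials stored inside the controller.
Set-NetworkControllerCluster -CredentialEncryptionCertificate $newCert

# Steps 7-8: find the X509Certificate credential referenced by the Server resource.
$server   = Get-NetworkControllerServer -ConnectionUri $NcUri -ResourceId $ServerResourceId
$x509Conn = $server.Properties.Connections |
            Where-Object { $_.CredentialType -eq "X509Certificate" } | Select-Object -First 1
if (-not $x509Conn) { throw "Server $ServerResourceId has no X509Certificate connection" }
$credResourceId = ($x509Conn.Credential.ResourceRef -split "/")[-1]   # GUID after /credentials/

# Step 9: overwrite that credential with the new thumbprint. Re-creating a
# credential with an existing ResourceId is an update (REST PUT).
$credProps          = New-Object Microsoft.Windows.NetworkController.CredentialProperties
$credProps.Type     = "X509Certificate"
$credProps.UserName = ""
$credProps.Value    = $NewThumbprint
New-NetworkControllerCredential -ConnectionUri $NcUri -ResourceId $credResourceId -Properties $credProps -Force

# Step 10: export the public part only (no private key) for the hosts' and
# MUXes' Trusted Root store. Copy nc-new.cer to each of them and import it:
#   Import-Certificate -FilePath nc-new.cer -CertStoreLocation Cert:\LocalMachine\Root
Export-Certificate -Cert $newCert -FilePath "$env:TEMP\nc-new.cer" | Out-Null

# Verification before the old certificate is removed (closing paragraph above).
$restHost = ([System.Uri]$NcUri).Host
if (-not (Test-PresentedThumbprint -HostName $restHost -Expected $NewThumbprint)) {
    throw "Network Controller still presents a certificate other than $NewThumbprint; keep the old one for now"
}
Write-Host "Network Controller presents $NewThumbprint; remove the old certificate once southbound connectivity is confirmed"
```

Repeat the steps 7 to 9 portion for every Server resource whose connection references the old certificate; the script updates only the one named by $ServerResourceId. Test-PresentedThumbprint checks the certificate actually served on the wire rather than the configured one, which is what the hosts and SCVMM will see.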


This article was originally published by Microsoft's Networking Blog. You can find the original article here.