This article is contributed. See the original author and article here.

To keep Service Fabric cluster running the old certificate are needed to be replaced with new certificates the below steps can help you rotate the old certificate with new certificates. This article assumes you are running cluster with thumbprint approach. In general the common name approach is recommended for easy certificate management. More information about certificate on Standalone cluster refer to Secure a cluster on Windows by using certificates – Azure Service Fabric | Microsoft Docs


Service Fabric with certificates that aren’t expired (cluster running with near expiry or non-expired certificates) 


Important Note: Before you change below config, you should install all certificate on all nodes i.e. New certificate should be present and acled to Network Service before you start this operation on all nodes.


 


1. Open the Clusterconfig.json file for editing, and find the following section. If a secondary thumbprint is defined, you need to clean up old Service Fabric certificates before you go any further. i.e. trigger an upgrade to remove secondary certificate section first.  


 

"security": {
    "metadata":  "The Credential type X509 indicates this cluster is secured using X509 Certificates. 
    The thumbprint format is - d5 ec 42 3b 79 cb e5 07 fd 83 59 3c 56 b9 d5 31 24 25 42 64.",
    "ClusterCredentialType":  "X509",
    "ServerCredentialType":  "X509",
    "CertificateInformation":  {
        "ClusterCertificate":  {
                                   "X509StoreName":  "My",
                                    "Thumbprint": "*Old server thumbprint(Star/SF)*"
                               },
        "ServerCertificate":   {
                                    "X509StoreName":  "My",
 									"Thumbprint": "*Old server thumbprint(Star/SF)*"
                               },
        "ClientCertificateThumbprints":  [
                                   {
                                        "CertificateThumbprint": "*Old client thumbprint*",
                                        "IsAdmin":  true
                                   }
                                         ]
                               }
            },

 


     


2.  Replace that section in the file with following section.


 


 

"security":  {
    "metadata":  "The Credential type X509 indicates this cluster is secured using X509 Certificates. 
    The thumbprint format is - d5 ec 42 3b 79 cb e5 07 fd 83 59 3c 56 b9 d5 31 24 25 42 64.",
    "ClusterCredentialType":  "X509",
    "ServerCredentialType":  "X509",
    "CertificateInformation":  {
        "ClusterCertificate":  {
                                   "X509StoreName":  "My",
                                    "Thumbprint": "*New server thumbprint(Star/SF)*",
                                    "ThumbprintSecondary": "Old server thumbprint(Star/SF)"
                               },
        "ServerCertificate":   {
                                    "X509StoreName":  "My",
 									"Thumbprint": "*New server thumbprint(Star/SF)*",
                                    "ThumbprintSecondary": "Old server thumbprint(Star/SF)"
                               },
        "ClientCertificateThumbprints":  [
                                   {
                                        "CertificateThumbprint": "*Old client thumbprint*",
                                        "IsAdmin":  false
                                   },
                                   {
                                        "CertificateThumbprint": "*New client thumbprint*",
                                        "IsAdmin":  true
                                   }
                                         ]
                               }
            },

 


 


3. Edit the new and old thumbprint values.

4. Change clusterConfigurationVersion to the new version, for example 2.0.0.

{
"name": "myclustername",
"clusterConfigurationVersion": "2.0.0",

5. Save the new ClusterConfig.json file.


6. Run the following PowerShell command. 

# Connect to the Service Fabric cluster
Connect-ServiceFabricCluster

# Get path of ClusterConfig.json for following command
# Note that after running the following command, you need to manually cancel using the red button (Stop Operation) in Windows PowerShell ISE or Ctrl+C in Windows PowerShell, otherwise you will receive the following notification, "Start-ServiceFabricClusterConfigurationUpgrade : Operation timed out.". Be aware that the upgrade will proceed.
Start-ServiceFabricClusterConfigurationUpgrade -ClusterConfigPath ClusterConfig.json

# To monitor the status of the upgrade, run the following 
Get-ServiceFabricClusterUpgrade

 

Clean up steps: 


Once above upgrade have been completed you have to trigger another upgrade to remove the old thumbprint which is secondary now. Post this cluster is ready to use. Remove the old/secondary thumbprints from the cluster configuration. After you’ve removed them, the appropriate section should resemble the following example.


rototatefinal.PNG


 



Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.