question

JB-2462 asked ·

Accidentally deleted RSA Machine key from one cluster member

We accidentally deleted the key 4f692a7dc1b824e1f679f93fadd08a3b-[Machine-GUID] off a cluster member inside C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. It wasn't protected by a backup, but this key is on all the other cluster members, and appears to be a well-known cluster key identifier, as it's on all of our clusters. We'd like to export the certificate with key from a different cluster member, but can't seem to find a certificate that corresponds to that key in any view (local computer, service\cluster, service\SMB Witness). At character # 40, the name of the key seems to be 'ClusterSecret-BLOB' We did successfully export and import the ClusInfraCert certificate with key, but this appears to be separate from that.

windows-server-clustering

1 Answer

XiaoweiHe-MSFT answered ·

Hi,

I checked the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys in my cluster, and it seems the key on each node is different. Below is the example from my lab.

Node 1: [screenshot 73240-image.png, MachineKeys listing]

Node 2: [screenshot 73255-image.png, MachineKeys listing]

If you worry that the missing key will cause corruption to the cluster, we may try to evict the node from the cluster and then re-add it, and check whether the certificate is reissued.

Thanks for your time!
Best Regards,
Anne






Anne,

I built it up in a lab, and evicting and re-joining did add the key back. It's that second key you have, 4f692a7dc1b824e1f679f93fadd08a3b, and the last part is the GUID of the particular machine in the cluster.

Thank you.

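As an added illustration (not code from the thread or from Microsoft), the following PowerShell inventories the MachineKeys folder on every cluster node and reports which nodes lack a key file with the prefix the thread identifies, so a missing key is noticed before it causes trouble rather than after. It assumes WinRM is enabled, the caller is a local administrator on each node (the MachineKeys ACL blocks non-admins from reading the files), the FailoverClusters module is installed, and that the prefix and container-name hint are the values quoted in the thread; the offset-40 observation is treated only as a hint, so the script searches the whole file for the string in both ANSI and UTF-16 rather than assuming a fixed layout.

```powershell
# Added example, not from the original thread. Read-only: it lists and inspects
# key files, it does not copy or move private keys between nodes.
param(
    # File-name prefix the thread reports as common to all cluster nodes
    [string]$KeyPrefix = '4f692a7dc1b824e1f679f93fadd08a3b',
    # Container-name text the thread saw inside the key blob (hint only)
    [string]$NameHint  = 'ClusterSecret-BLOB',
    # Cluster to query; empty string means the cluster the local node belongs to
    [string]$Cluster   = ''
)

$machineKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'

# Enumerate member nodes via the FailoverClusters module.
$nodes = if ($Cluster) {
    (Get-ClusterNode -Cluster $Cluster -ErrorAction Stop).Name
} else {
    (Get-ClusterNode -ErrorAction Stop).Name
}

# On each node, list key files matching the prefix and check for the name hint.
$results = Invoke-Command -ComputerName $nodes `
    -ArgumentList $machineKeys, $KeyPrefix, $NameHint -ScriptBlock {
    param($dir, $prefix, $hint)

    $keyFiles = Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "$prefix*" }

    foreach ($f in $keyFiles) {
        $bytes = [System.IO.File]::ReadAllBytes($f.FullName)
        # The container name may be stored as ANSI or as UTF-16, so decode both
        # ways and look for the hint anywhere in the blob.
        $ansi = [System.Text.Encoding]::ASCII.GetString($bytes)
        $wide = [System.Text.Encoding]::Unicode.GetString($bytes)

        [pscustomobject]@{
            Node        = $env:COMPUTERNAME
            File        = $f.Name
            SizeBytes   = $f.Length
            HasNameHint = ($ansi.Contains($hint) -or $wide.Contains($hint))
            ModifiedUtc = $f.LastWriteTimeUtc
        }
    }
}

# Report per-node findings, then warn about nodes where no matching file exists.
$results | Sort-Object Node, File |
    Format-Table Node, File, SizeBytes, HasNameHint, ModifiedUtc -AutoSize

$present = $results | Select-Object -ExpandProperty Node -Unique
$missing = $nodes | Where-Object { $_ -notin $present }
if ($missing) {
    Write-Warning ("Nodes with no '{0}*' key file under {1}: {2}" -f
        $KeyPrefix, $machineKeys, ($missing -join ', '))
}
```

Because the thread establishes that the suffix after the prefix is the individual node's GUID, a node that shows up as missing is not fixed by copying another node's file; the confirmed recovery path in this thread is to evict and re-join the node so the key is regenerated. Running this inventory periodically, and including MachineKeys in the nodes' backup scope, turns an accidental deletion into a detected event instead of a surprise.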

You are welcome! :)
