Update the network controller server certificate

Important

This version of Virtual Machine Manager (VMM) has reached the end of support; we recommend that you upgrade to VMM 2019.

Network Controller (NC) uses a certificate for Northbound communication with REST clients (such as VMM) and for Southbound communication with Hyper-V hosts and software load balancers.

After you deploy the NC, you can change or update this certificate in the following scenarios:

  • The certificate has expired.

  • You want to move from a self-signed certificate to a certificate issued by a certificate authority (CA).

    Note

    If you renew the existing certificate with the same key, these steps are not required.

Before you start

Make sure you create the new SSL certificate with the existing network controller's REST name.

Update the server certificate

  1. If the certificate is self-signed, do the following:

    • Certificate with private key: export the certificate and import it into the My store on all NC nodes.
    • Certificate without a private key: export the certificate and import it into the Root store on all NC nodes.
  2. If the certificate is CA-issued, import it into the My store on all network controller nodes.

    Note

    DO NOT remove the current certificate from the NC nodes. Validate the updated certificate before you remove the existing one. Proceed with the rest of the steps to update the certificate.

  3. Update the server certificate by running the following PowerShell commands on one of the NC nodes.

    
    $certificate = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "<thumbprint of the new certificate>" }
    Set-NetworkController -ServerCertificate $certificate
    
  4. Update the certificate used to encrypt the credentials stored in the NC by running the following commands on one of the NC nodes.

    
    $certificate = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "<thumbprint of the new certificate>" }
    Set-NetworkControllerCluster -CredentialEncryptionCertificate $certificate
    
  5. Retrieve a server REST resource by running the following PowerShell command on one of the NC nodes.

    
    Get-NetworkControllerServer -ConnectionUri <REST uri of your deployment>
    
  6. In the server REST resource, navigate to the Credentials object and locate the credential of type X509Certificate whose value matches your certificate's thumbprint. Note the credential resource ID.

    
    "Connections": [
       {
          "ManagementAddresses": [ "contoso.com" ],
          "CredentialType": "X509Certificate",
          "Protocol": null,
          "Port": null,
          "Credential": {
                            "Tags": null,
                            "ResourceRef": "/credentials/<credential resource Id>",
                            "InstanceId": "00000000-0000-0000-0000-000000000000",
                            …
                            …
                         }
       }
    ]
    
  7. Update the credential REST resource of type X509Certificate retrieved above with the thumbprint of the new certificate.

    Run these PowerShell cmdlets on any of the NC nodes.

    
    $cred = New-Object Microsoft.Windows.NetworkController.CredentialProperties
    $cred.Type = "X509Certificate"
    $cred.UserName = ""
    $cred.Value = "<thumbprint of the new certificate>"
    New-NetworkControllerCredential -ConnectionUri <REST uri of the deployment> -ResourceId <credential resource Id> -Properties $cred
    
  8. If the new certificate is self-signed, provision the certificate (without the private key) in the trusted root certificate store of all Hyper-V hosts and software load balancer MUX virtual machines.

  9. Provision the NC certificate (without the private key) in the trusted root certificate store of the VMM machine using the following PowerShell cmdlets:

    $certificate = Get-SCCertificate -ComputerName "NCRestName"
    $networkservice = Get-SCNetworkService | Where-Object { $_.IsNetworkController -eq $true }
    Set-SCNetworkService -ProvisionSelfSignedCertificatesforNetworkService $true -Certificate $certificate -NetworkService $networkservice
    
    • NetworkService is the network controller service; Certificate is the new NC server certificate.
    • Set ProvisionSelfSignedCertificatesforNetworkService to $true if you are updating to a self-signed certificate.
  10. Verify that connectivity works with the updated certificate.

    You can now remove the previous certificate from the NC nodes.
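The following script is an added example, not Microsoft's code and not part of the original page. It runs steps 1 through 7 and the step 10 check from a single NC node where the new certificate already sits in Cert:\LocalMachine\My with an exportable private key, and it goes a little beyond the page: it confirms the certificate carries the REST name and has not expired before anything is changed, copies it to every node over the remoting session instead of a file share, updates every X509Certificate credential that still carries the old thumbprint, and finishes by comparing the thumbprint NC reports with the one the REST endpoint actually serves. The parameter names, the temporary file names, the constructed one-time PFX password, and -Force on New-NetworkControllerCredential are this example's own choices. Steps 8 and 9 run on the hosts, MUXes and the VMM server and are left to the cmdlets shown above.

```powershell
# Added example (not from the page or from Microsoft): rotate the NC server
# certificate end to end. Run on one NC node that already holds the new
# certificate, with an exportable private key, in Cert:\LocalMachine\My.
param(
    [Parameter(Mandatory)] [string] $NewThumbprint,   # thumbprint of the new certificate
    [Parameter(Mandatory)] [string] $ConnectionUri,   # e.g. https://<REST name of your deployment> (placeholder)
    [switch] $SelfSigned                              # set when the new certificate is self-signed
)
$ErrorActionPreference = 'Stop'
$restName = ([uri]$ConnectionUri).Host

# Pre-flight: the certificate is present, usable, and issued for the REST name.
$new = Get-Item "Cert:\LocalMachine\My\$NewThumbprint"
if (-not $new.HasPrivateKey)      { throw "New certificate has no private key in the My store" }
if ($new.NotAfter -lt (Get-Date)) { throw "New certificate has already expired" }
if ($new.DnsNameList.Unicode -notcontains $restName) {   # DnsNameList is added by the Cert: provider
    throw "New certificate does not carry the REST name '$restName'"
}
$oldThumbprint = (Get-NetworkController).ServerCertificate.Thumbprint

# Steps 1-2: every NC node needs the certificate in its My store (with key) and,
# for a self-signed certificate, in its Root store (without key). The bytes travel
# inside the remoting session; the PFX password is a constructed one-time value.
$pfxPlain = (New-Guid).Guid
$pfxBytes = $new.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPlain)
$cerBytes = $new.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
foreach ($node in (Get-NetworkControllerNode).Server) {
    Invoke-Command -ComputerName $node -ArgumentList $NewThumbprint, $pfxBytes, $cerBytes, $pfxPlain, [bool]$SelfSigned -ScriptBlock {
        param($thumb, $pfx, $cer, $pwd, $selfSigned)
        $tmp = Join-Path $env:TEMP "nc-$thumb"          # assumed temp file prefix
        if (-not (Test-Path "Cert:\LocalMachine\My\$thumb")) {
            [IO.File]::WriteAllBytes("$tmp.pfx", $pfx)
            Import-PfxCertificate -FilePath "$tmp.pfx" -CertStoreLocation Cert:\LocalMachine\My `
                -Password (ConvertTo-SecureString $pwd -AsPlainText -Force) | Out-Null
            Remove-Item "$tmp.pfx"
        }
        if ($selfSigned -and -not (Test-Path "Cert:\LocalMachine\Root\$thumb")) {
            [IO.File]::WriteAllBytes("$tmp.cer", $cer)
            Import-Certificate -FilePath "$tmp.cer" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
            Remove-Item "$tmp.cer"
        }
    }
}

# Steps 3-4: switch the server certificate and the credential-encryption certificate.
Set-NetworkController -ServerCertificate $new
Set-NetworkControllerCluster -CredentialEncryptionCertificate $new

# Steps 5-7: find every X509Certificate credential referenced by the server
# resources that still carries the old thumbprint and point it at the new one.
$refs = (Get-NetworkControllerServer -ConnectionUri $ConnectionUri).Properties.Connections |
    Where-Object { $_.CredentialType -eq 'X509Certificate' } |
    ForEach-Object { $_.Credential.ResourceRef } | Sort-Object -Unique
foreach ($ref in $refs) {
    $id = $ref.Split('/')[-1]                         # "/credentials/<id>" -> "<id>"
    $current = Get-NetworkControllerCredential -ConnectionUri $ConnectionUri -ResourceId $id
    if ($current.Properties.Value -ne $oldThumbprint) { continue }   # some other certificate credential
    $props = New-Object Microsoft.Windows.NetworkController.CredentialProperties
    $props.Type     = 'X509Certificate'
    $props.UserName = ''
    $props.Value    = $NewThumbprint
    New-NetworkControllerCredential -ConnectionUri $ConnectionUri -ResourceId $id -Properties $props -Force | Out-Null
}

# Step 10: compare what NC reports with what the REST endpoint actually serves.
# The validation callback accepts any chain because the thumbprint comparison
# below is the check; a self-signed certificate would otherwise fail chain
# building on a client that has not yet trusted it.
function Get-ServedThumbprint([string] $HostName, [int] $Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)).Thumbprint
    } finally { $tcp.Close() }
}
$reported = (Get-NetworkController).ServerCertificate.Thumbprint
$served   = Get-ServedThumbprint $restName
if ($reported -ne $NewThumbprint -or $served -ne $NewThumbprint) {
    throw "Rotation incomplete: NC reports $reported, endpoint serves $served, expected $NewThumbprint"
}
"Server certificate is now $NewThumbprint. Complete steps 8-9 (hosts, MUXes, VMM) before removing $oldThumbprint."
```

The script deliberately stops before touching the old certificate: the final message reminds you that hosts, MUX VMs and VMM must trust the new certificate (steps 8 and 9) before the previous one is removed from the NC nodes, which is the ordering the note under step 2 insists on.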

Next steps

Validate the NC deployment to ensure that the deployment is successful.