Change LBD OnPremLocalAgent Certificate
LBD has been around for more than a year now. Is it time to replace your servicing certificate?
If you followed the instructions from MSFT on how to set up your first cluster, you'll soon run into one of the issues related to certificate lifetime. The MSFT scripts for self-signed certs only create certs that are good for a year, so you'll have to cycle some certs out. We're going to outline how to replace the OnPremLocalAgent cert.
- Import the new OnPremLocalAgent certificate into the Local Computer > Personal store (Cert:\LocalMachine\My) on all orchestrators
  - If using self-signed certs: update your ConfigTemplate.xml to create one, regenerate all VM scripts and push them out to each node
  - If not using self-signed certs: update the ConfigTemplate.xml for each environment with the new thumbprint for the OnPremLocalAgent certificate
- Update the acl.csv in the VM directory with the new thumbprint value for the OnPremLocalAgent cert
  - Run .\Set-CertificateAcls.ps1 from the VM directory for that machine to apply ACLs to the newly imported OnPremLocalAgent certificate on all orchestrators
- Delete the old thumbprint stored in Azure using the script
  - Remove-AzureRmADSpCredential -ServicePrincipalName "00000015-0000-0000-c000-000000000000" -KeyId "xxx"
  - If you are unsure what value to use for "xxx", run the following to get an error message that contains the value: .\Add-CertToServicePrincipal.ps1 -CertificateThumbprint <OnPremLocalAgent Certificate Thumbprint>
- Upload the new OnPremLocalAgent thumbprint (Step 11 from https://docs.microsoft.com/en-us/dynamics365/unified-operations/dev-itpro/deployment/setup-deploy-on-premises-pu12)
  - .\Add-CertToServicePrincipal.ps1 -CertificateThumbprint <OnPremLocalAgent Certificate Thumbprint>
- Uninstall the On Prem Agent from each cluster
  - LocalAgentCLI.exe Cleanup localagent-config.json
- Install the new On Prem Agent with the updated OnPremLocalAgent certificate info
  - LocalAgentCLI.exe Install localagent-config.json
- Test a servicing operation on each environment (send a message, then refresh the state)
And that's it! It can be time consuming, but you could use GPO to push out the certs. This can be done for all clusters and nodes at any time. I would advise modifying the New-SelfSignedCertificates.ps1 script to add a -NotAfter parameter so the generated certs get a longer lifespan, like so:
$certText = "New-SelfSignedCertificate $($argsList.ToArray() -join ' ') -NotAfter (Get-Date).AddMonths(60) "
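As an added pre-flight check for the swap above (example code written for this page, not part of the original post and not one of Microsoft's scripts), the following PowerShell lists machine certificates that are about to expire, so you know which ones to cycle, and confirms that the thumbprint you entered in ConfigTemplate.xml and acl.csv resolves to an installed, unexpired certificate with a private key on the orchestrator. The function names are hypothetical; it assumes Windows PowerShell 5.1 or later run elevated on each orchestrator node.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1+,
# run elevated on an orchestrator, so Cert:\LocalMachine\My is readable.

function Get-ExpiringMachineCerts {
    # Returns certs in the Local Computer > Personal store that expire within $Days.
    # Run this before a servicing window so a one-year cert does not surprise you.
    param([int]$Days = 60)
    $cutoff = (Get-Date).AddDays($Days)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -le $cutoff } |
        Sort-Object NotAfter |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

function Test-AgentCertInstalled {
    # Confirms the thumbprint pasted into ConfigTemplate.xml / acl.csv actually
    # matches an installed, unexpired cert that has its private key. A thumbprint
    # copied from the MMC snap-in often carries spaces or a hidden leading character,
    # which is why the value is normalised before comparing.
    param([Parameter(Mandatory)][string]$Thumbprint)

    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert  = Get-ChildItem -Path Cert:\LocalMachine\My |
             Where-Object { $_.Thumbprint -eq $clean } |
             Select-Object -First 1

    if (-not $cert) {
        return [pscustomobject]@{ Ok = $false; Thumbprint = $clean; Reason = 'not found in Cert:\LocalMachine\My' }
    }
    if (-not $cert.HasPrivateKey) {
        return [pscustomobject]@{ Ok = $false; Thumbprint = $clean; Reason = 'no private key (import the PFX, not just the CER)' }
    }
    if ($cert.NotAfter -le (Get-Date)) {
        return [pscustomobject]@{ Ok = $false; Thumbprint = $clean; Reason = "expired on $($cert.NotAfter)" }
    }
    [pscustomobject]@{ Ok = $true; Thumbprint = $clean; Subject = $cert.Subject; Reason = "valid until $($cert.NotAfter)" }
}

# Usage on each orchestrator (replace the placeholder with the real thumbprint):
#   Get-ExpiringMachineCerts -Days 60 | Format-Table -AutoSize
#   Test-AgentCertInstalled -Thumbprint '<OnPremLocalAgent Certificate Thumbprint>'
```

Run Test-AgentCertInstalled on every orchestrator after the import and before Set-CertificateAcls.ps1: if it reports a missing private key or a thumbprint that is not found, the ACL script and the agent install will fail later with far less helpful errors.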