How can I solve expired self-signed certificate errors with Windows Azure Pack?

Q. I'm receiving a 500 error connecting to my Windows Azure Pack portals and the Event Log shows a certificate error, how can I fix this?

A. When Windows Azure Pack is installed by default, it uses a self-signed certificate for the authentication sites (tenant and administration). These certificates last for one year. After that time, they are no longer valid and authentication will fail. If you look in the event logs (MgmtSvc-TenantSite and MgmtSvc-AdminSite) you should see error:

Error:Unhandled exception: SecurityTokenValidationException: Jwt10329: Unable to validate signature, Configuration.IssuerTokenResolver.ResolveToken returned null. jwt.Header.SigningKeyIdentifier: 'SecurityKeyIdentifier

The solution is to create new certificates.

This can be done with PowerShell but you need to know the SQL Server, the username and password and the WAP passphrase:

# SQL Server DNS name$Server = "sqlserver.domain.net"# SQL User and Password$userid = "sa"$password = "Password"# PassPhrase which you have defined during install of WAP$PassPhrase = "PassPhrase"$NameSpace = "AuthSite" # Get current signing certificate thumbprint$setting = Get-MgmtSvcSetting -Namespace $NameSpace -Name Authentication.SigningCertificateThumbprint$oldThumbprint = $setting.Value# Remove the old certificate from the global config store$Result = Set-MgmtSvcDatabaseSetting -Namespace $NameSpace -Name Authentication.SigningCertificate -Value $Null -ConnectionString $ConfigconnectionString -PassPhrase $PassPhrase -Force -confirm:$false# 3. Re-initialize the authentication service to generate a new signing certificate and reconfigureInitialize-MgmtSvcFeature -Name $NameSpace -Passphrase $PassPhrase -ConnectionString $ConfigconnectionString -Verbose$NameSpace = "WindowsAuthSite" # Get current signing certificate thumbprint$setting = Get-MgmtSvcSetting -Namespace $NameSpace -Name Authentication.SigningCertificateThumbprint$oldThumbprint = $setting.Value# Remove the old certificate from the global config store$Result = Set-MgmtSvcDatabaseSetting -Namespace $NameSpace -Name Authentication.SigningCertificate -Value $Null -ConnectionString $ConfigconnectionString -PassPhrase $PassPhrase -Force -confirm:$false# Re-initialize the authentication service to generate a new signing certificate and reconfigureInitialize-MgmtSvcFeature -Name $NameSpace -Passphrase $PassPhrase -ConnectionString $ConfigconnectionString -Verbose

Note that this would have to be repeated every year. A better approach is to use certificates from your enterprise CA. This is documented at http://blogs.technet.com/b/privatecloud/archive/2013/12/10/windows-azure-pack-reconfigure-portal-names-ports-and-use-trusted-certificates.aspx.