Service Bus 1.1 - farm with custom certificate and DNS name

  2015-05-14


Also check out my other post: Service Bus 1.1 - errors and their solutions.


The problem with Service Bus is that the auto-generated certificate is issued to the machine name. This means it can't be used to authenticate against the FQDN (e.g. https://servicebus.crp.contoso.local:9355), because that name differs from the machine name (e.g. https://johns-computer:9355).

The solution is to replace the auto-generated certificate with a custom one. The Service Bus certificate can be changed via Service Bus PowerShell using Set-SBCertificate. This article explains the steps.

1. Generate certificate

There are many ways to generate a certificate. We will use makecert.exe. Just open a command prompt and run this:

makecert -r -n "CN=servicebus.crp.contoso.local" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -e 12/31/2020 "Service-Bus-SSL.cer"

Then import Service-Bus-SSL.cer into “Trusted Root Certification Authorities” store via MMC.

2. Change farm’s certificate

Set-SBCertificate -EncryptionCertificateThumbprint fe00256a1cbefd9e3609ac03aadf73a4873bfba6 -FarmCertificateThumbprint fe00256a1cbefd9e3609ac03aadf73a4873bfba6 -SBFarmDBConnectionString "Server=sqlserver;Trusted_Connection=true;Database=SbManagement;Connect Timeout=300"

Which results in this message:

To complete your configuration update, please run Stop-SBFarm, then Update-SBHost on every machine of your farm, then run Start-SBFarm.

3. Install certificate on all farm hosts

In order to run Update-SBHost on the other hosts, we need to import the certificate into the “Personal” (My) and “Trusted Root Certification Authorities” (Root) stores on those machines. Of course we can do it via the MMC GUI, but come on! PowerShell everything!

But first, get the .pfx file by exporting the certificate together with its private key.

# Run this on the machine on which the certificate was initially generated and is already installed.
$mypwd = ConvertTo-SecureString -String "password" -Force -AsPlainText
# Select the certificate by its thumbprint and export it with the private key.
Get-ChildItem -Path cert:\localMachine\my\241973c6f454eafd55207460d0d2f4f434998dd7 | Export-PfxCertificate -FilePath "Service-Bus-SSL.pfx" -Password $mypwd

Then:

# Run this on each machine where you need to install the certificate.
$mypwd = ConvertTo-SecureString -String "password" -Force -AsPlainText
# Personal (My) store: used by the Service Bus host itself.
Import-PfxCertificate -FilePath "Service-Bus-SSL.pfx" -CertStoreLocation cert:\localMachine\my -Password $mypwd
# Trusted Root store: makes the self-signed certificate trusted on this host.
Import-PfxCertificate -FilePath "Service-Bus-SSL.pfx" -CertStoreLocation cert:\localMachine\Root -Password $mypwd

4. Set-SBFarm -FarmDns

Set your farm’s DNS to align with the certificate you issued:

Set-SBFarm -FarmDns servicebus.crp.contoso.local

5. Update-SBHost

Now, to complete your configuration, run Stop-SBFarm and then Update-SBHost on each host machine. Once you’ve done that, you can finally start your farm with Start-SBFarm.
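Before running Update-SBHost, it is worth checking every host the same way. The script below is an added example (not from the original post): it uses PowerShell remoting to confirm on each host that the certificate with the farm thumbprint sits in both the My and Root stores, that its private key is present, that it is not expired, that it carries the Server Authentication EKU used in the makecert command, and that its DNS name matches the farm DNS (the mismatch that started this whole exercise). The host names are constructed; the thumbprint is the one from step 2.

```powershell
# Added verification script, not part of the original post.
# Assumes PowerShell remoting is enabled on the farm hosts.
$FarmDns    = 'servicebus.crp.contoso.local'
$Thumbprint = 'fe00256a1cbefd9e3609ac03aadf73a4873bfba6'   # thumbprint from step 2
$Hosts      = @('sbhost1', 'sbhost2', 'sbhost3')           # constructed sample host names

$checks = {
    param($FarmDns, $Thumbprint)
    $result = [ordered]@{ Host = $env:COMPUTERNAME }

    # The certificate must be present in both stores on every host (step 3).
    foreach ($store in 'My', 'Root') {
        $found = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
                 Where-Object { $_.Thumbprint -eq $Thumbprint }
        $result["In$store"] = [bool]$found
    }

    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($cert) {
        # DNS name (SAN or CN) must equal the farm DNS, otherwise clients
        # connecting to the FQDN fail TLS name validation.
        $dnsName = $cert.GetNameInfo('DnsName', $false)
        $result.DnsNameMatchesFarm = ($dnsName -ieq $FarmDns)
        # Without the private key the host cannot terminate TLS with this cert.
        $result.HasPrivateKey = $cert.HasPrivateKey
        $result.NotExpired    = ($cert.NotAfter -gt (Get-Date))
        # Server Authentication EKU, the OID given to makecert with -eku.
        $result.ServerAuthEku = [bool]($cert.EnhancedKeyUsageList |
            Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
    }
    [pscustomobject]$result
}

Invoke-Command -ComputerName $Hosts -ScriptBlock $checks -ArgumentList $FarmDns, $Thumbprint |
    Format-Table Host, InMy, InRoot, DnsNameMatchesFarm, HasPrivateKey, NotExpired, ServerAuthEku -AutoSize
```

Any row showing False is a host where Update-SBHost will fail or where clients will later get certificate errors, so fix it before stopping the farm.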

Summary

This is far from simple. While I do think that Service Bus offers a really good feature set, I think it seriously lacks in the ease-of-setup aspect. These are some of the problems I see:

  • Lack of proper GUI client
  • Error messages are often not very helpful
  • I found at least 1 bug (SBFarmDNS entry was missing from ServiceConfig table)

22bugs.co © 2017. All rights reserved.