Renew Deleted Expired Certificate For Windows Service Bus


Renewing an expired certificate for Windows Service Bus is quite simple, and the process is documented on MSDN.

1. Stop-SBFarm on one of the nodes in the farm.
2. Install a new certificate on all Service Bus machines.
3. Set-SBCertificate -FarmCertificateThumbprint: Thumbprint of the new farm certificate -SkipKeyReEncryption
4. Update-SBHost cmdlet on all farm nodes.
5. Set-SBNamespace -Name namespace -PrimarySymmetricKey: service namespace key.
6. Call the Start-SBFarm cmdlet on one of the farm nodes.

However, if the expired certificate has been deleted, you will run into issues running any command against the Service Bus.

You will most likely receive the following error:

Certificate requested with thumbprint not found in the certificate store


I have seen various methods to resolve this by editing the registry and removing entries from SQL, or by reimplementing your Service Bus, but a cleaner method is to simply restore your expired certificate so it can be renewed.

1. Log on to your certificate authority.
2. Find the issued certificate by filtering on the Certificate Hash field and entering the thumbprint of the expired certificate. (Note: the thumbprint format uses spaces.)
3. Select the certificate, export it as binary, and save it with the .cer file extension.
4. Copy the .cer file to your Service Bus server.
5. Import the certificate to the local store.
6. Open the certificate store and view the properties of the imported certificate. Select the Details tab and note down the serial number.
7. Open a command prompt as administrator and run the following: certutil -repairstore my "serialnumber"
8. Open PowerShell as administrator and run the following: Get-SBFarm
9. Run the following: Start-SBFarm
10. You can now follow the procedure to renew an expired certificate.
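
Steps 5 to 7 above as one script, added here as an example and not part of the original post: it normalizes the thumbprint, imports the exported .cer, runs certutil -repairstore, and then checks that the restored certificate really has its private key. The parameter names $Thumbprint and $CerPath are placeholders, and the lowercase spaced form printed for the CA filter is an assumption about how the CA console displays the hash.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Service Bus server. $Thumbprint and $CerPath are placeholders.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # thumbprint from the error message
    [Parameter(Mandatory)] [string] $CerPath       # .cer file exported from the CA (step 3)
)

# Thumbprints copied from a certificate dialog can carry spaces and invisible
# Unicode marks; keep only the hex digits.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($clean.Length -ne 40) {
    throw "Expected a 40-hex-digit SHA-1 thumbprint, got $($clean.Length) digits."
}

# Spaced form for the CA console filter in step 2 (lowercase is an assumption).
$spaced = (($clean -split '(..)' | Where-Object { $_ }) -join ' ').ToLower()
Write-Host "Value for the CA certificate hash filter: $spaced"

# Step 5: import the public certificate into LocalMachine\My if it is missing.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $clean
if (-not $cert) {
    $cert = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\My
}
if ($cert.Thumbprint -ne $clean) {
    throw "Imported certificate does not match the requested thumbprint."
}

# Steps 6-7: re-associate the private key, which must still exist on this machine.
if (-not $cert.HasPrivateKey) {
    certutil -repairstore my $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed ($LASTEXITCODE)." }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $clean
}

# Verify the result before running any Service Bus cmdlet.
[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    SerialNumber  = $cert.SerialNumber
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate restored without a private key; the key is not on this machine."
}
```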

11 thoughts on “Renew Deleted Expired Certificate For Windows Service Bus”

  1. Not sure about this – the cert expires and you are basically toast. None of the Service Bus cmdlets function and the services stop and won’t start.

    1. Could you please on the detailed steps of renewing the Service Bus certificate? For my case also the cmdlets are not working.
      Please help me with the steps of getting the new certificate also.

    2. Change the datetime on the server that will make the old cert valid. Then follow the procedure to update the server with new cert.
      It worked for me

  2. I was really not optimistic about that solution but it worked. I was able to restart the bus service and run the PowerShell command to change the certificate thumbprint to the new certificate.


  3. This hasn’t worked for us. The expired certificate still exists. I ran the repair "certutil -repairstore my "serialnumber"" which said it succeeded but no difference.

  4. If your certificate expired, you can roll back the server time; after that, the Service Bus cmdlets will work and you can register the new certificate.

  5. When I changed my certificate it worked. But my problem is, for the old Service Bus I had a few topics and subscriptions created, but after changing to the new certificate those topics are not visible.
    Note: The old certificate was auto-generated but the new certificate is a custom one. Is there anything I need to do for this case?

  6. “Restoring” the expired certificate did not work because the service cannot see expired certificates. They don’t get deleted, they simply cannot be seen, so the instructions above for replacing an already expired certificate are not correct.

    Instead, do this:
    1. Stop Windows Time service and disable any hypervisor time synchronization services. Then change the OS date/time to a date before the certificate expired. This will allow the certificate update PowerShell commands to run successfully.
    2. In SharePoint PowerShell, run the following commands:
    Stop-SBFarm # may not be necessary if it’s already stopped
    Set-SBCertificate -FarmCertificateThumbprint "[your new certificate thumbprint]" -EncryptionCertificateThumbprint "[your new certificate thumbprint]"
    3. The farm certificate and encryption certificate (we used the same cert for both) should be updated. Then start the Windows Time service and enable the hypervisor time synchronization to allow the OS to get the correct time again.

