The Complete Guide to Renewing an Expired Certificate in Microsoft HPC Pack 2019 (Single Head Node)

Managing certificates in an HPC Pack 2019 cluster is critical for secure communication between nodes. However, if your certificate has expired, your cluster services (Scheduler, Broker, Web Components, etc.) may stop functioning properly — preventing nodes from communicating or jobs from scheduling.

When the HPC Pack certificate expires, the HPC Cluster Manager will fail to launch, and you may encounter error messages similar to the examples shown below.

This comprehensive guide walks you through how to renew an already expired HPC Pack certificate on a single-head-node setup and bring your cluster back online.

 Step 1: Check the Current Certificate Expiry

Start by checking the existing certificate and its expiry date.

Get-ChildItem -Path Cert:\LocalMachine\root | Where-Object { $_.Subject -like "HPC" } 
$thumbprint = "<Thumbprint value from the previous command>".ToUpper() 
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint } 
$cert | Select-Object Subject, NotBefore, NotAfter, Thumbprint Date

You can also confirm the system date using the PowerShell date command:

Date

This ensures you’re viewing the correct validity period for the currently installed certificate.

Step 2: Prepare a New Self-Signed Certificate

Next, we’ll create a new certificate that meets the HPC communication requirements.

Certificate Requirements:

• Must have a private key capable of key exchange.
• Key usage should include: Digital Signature, Key Encipherment, Key Agreement, and Certificate Signing.
• Enhanced key usage should include: Client Authentication and Server Authentication.
• If two certificates are used (private/public), both must have the same subject name.

When you prepare a new certificate, make sure that you use the same subject name as that of the old certificate. Run the following PowerShell commands on the HPC node to get the subject name of your certificate.

You can verify the existing certificate’s subject name using the following command:

$thumbprint = (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\HPC -Name SSLThumbprint).SSLThumbPrint 
$subjectName = (Get-Item Cert:\LocalMachine\My\$thumbprint).Subject 
$subjectName

Use the same subject name when generating the new certificate.

Step 3: Create a New Certificate

Use the below commands to create and export a new self-signed certificate (valid for 1 year).

$subjectName = "HPC Pack Node Communication" 

$pfxcert = New-SelfSignedCertificate -Subject $subjectName -KeySpec KeyExchange -KeyLength 2048 -HashAlgorithm SHA256 -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1) -NotBefore (Get-Date).AddDays(-1) 

$certThumbprint = $pfxcert.Thumbprint 

$null = New-Item $env:Temp\$certThumbprint -ItemType Directory 

$pfxPassword = Get-Credential -UserName 'Protection password' -Message 'Enter protection password below' 

Export-PfxCertificate -Cert Cert:\CurrentUser\My\$certThumbprint -FilePath "$env:Temp\$certThumbprint\PrivateCert.pfx" -Password $pfxPassword.Password 

Export-Certificate -Cert Cert:\CurrentUser\My\$certThumbprint -FilePath "$env:Temp\$certThumbprint\PublicCert.cer" -Type CERT -Force

start "$env:Temp\$certThumbprint"

This will generate both .pfx (private) and .cer (public) files in a temporary directory.

Step 4: Copy Certificate to Install Share

On the master (head) node, copy the newly created certificate to the following path:

C:\Program Files\Microsoft HPC Pack 2019\Data\InstallShare\Certificates

This ensures the certificate is available to all compute nodes in the cluster.

Step 5: Rotate Certificates on Compute Nodes

Important:
Always rotate certificates on compute nodes first, before the head node.
If you update the head node first, compute nodes will reject the new certificate, forcing manual reconfiguration.

After rotating compute node certificates, expect them to appear as Offline in HPC Cluster Manager — this is normal until the head node certificate is updated.

1. Download the PowerShell script Update-HpcNodeCertificate.ps1 and place it in your HPC install share:
2. \\<headnode>\REMINST
3. On each compute node, open PowerShell as Administrator and run:

PowerShell.exe -ExecutionPolicy ByPass -Command "\\<headnode>\REMINST\Update-HpcNodeCertificate.ps1 -PfxFilePath \\headnode>\REMINST\Certificates\HpcCnCommunication.pfx -Password <password> "

This updates the certificate on each compute node.

Step 6: Update Certificate on the Master (Head) Node

On the head node, run the following commands in PowerShell as Administrator:

$certPassword = ConvertTo-SecureString -String "YourPassword" -AsPlainText -Force 

Import-PfxCertificate -FilePath "C:\Program Files\Microsoft HPC Pack 2019\Data\InstallShare\Certificates\PrivateCert.pfx" -CertStoreLocation "Cert:\LocalMachine\My" -Password $certPassword 

PowerShell.exe -ExecutionPolicy ByPass -Command "Import-certificate -FilePath \\master\REMINST\Certificates\PublicCert.cer -CertStoreLocation cert:\LocalMachine\Root" 

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\HPC" -Name SSLThumbprint -Value <Thumbprint> 

Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\HPC" -Name SSLThumbprint -Value <Thumbprint>

Step 7: Update Thumbprint in SQL Database

You’ll also need to update the certificate thumbprint stored in the HPCHAStorage database.

1. Install SQL Server Management Studio (SSMS) (latest version).
2. pen SSMS and connect to the HPC database.

3. Navigate to:

4. HPCHAStorage → Tables → dbo.DataTable

5. Right-click and select “Select Top 1000 Rows” to view the current SSL thumbprint.

6. Use the new query window and run the following command with the updated thumbprint:

Update dbo.DataTable set dvalue='<NewThumbrpint>' where dpath = 'HKEY_LOCAL_MACHINE\Software\Microsoft\HPC' and dkey = 'SSLThumbprint'

This updates the stored certificate reference used by the HPC services.

Step 8: Reboot the Master Node

Once everything is updated, reboot the head node to apply the changes.

After the system restarts, open HPC Cluster Manager — your cluster should now be fully functional with the new certificate in place.

 Summary

By following these steps, you can safely renew an expired HPC Pack 2019 certificate and restore secure communication across your cluster — without needing to reinstall or reconfigure HPC Pack components.

This guide helps administrators handle expired certificates with confidence and maintain business continuity for HPC workloads.

If this guide helped you resolve your certificate issues, please give it a 👍 thumbs up and share your feedback or questions in the comments section below.