bencoder

Reputation: 78

Add-AzureRmServiceFabricClusterCertificate ends with error 'Certificates cannot be added and removed at the same time.'

I am trying to roll over the cluster certificate of a Service Fabric cluster, so I tried to inject a new self-signed secondary certificate with this command:

Add-AzureRmServiceFabricClusterCertificate -ResourceGroupName $configuration.ResourceGroupName -Name $clusterName -SecretIdentifier $certificateVaultUrl_Secondary

ErrorDetails

"error": {
   "code": "AddAndRemoveCertificateNotAllowed",
   "message": "Certificates cannot be added and removed at the same time.",
   "details": []
}

Environment

Upvotes: 1

Views: 952

Answers (1)

bencoder

Reputation: 78

When using the ARM deployment, the same error message appears.

At the moment (Nov 2017), modifying the cluster certificate thumbprints is not possible. Working workflow:

  1. Delete the existing secondary thumbprint using the portal (triggers a cluster upgrade)
  2. Use the ARM deployment to specify the location and thumbprint of the new secondary certificate (triggers a cluster upgrade)
  3. Swap the secondary certificate with the primary using the portal (triggers a cluster upgrade)
  4. Delete the secondary thumbprint using the portal -> this will delete the old primary certificate (triggers a cluster upgrade)

That's the only workflow we found to provide a new certificate to the cluster.

Upvotes: 2
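
Step 2 of the workflow above expressed as an ARM template fragment, showing the three places where the new secondary certificate's Key Vault URL and thumbprint are declared. This is an added example, not the answerer's template; the parameter names, the `My` store and the extension name `ServiceFabricNode` are assumptions.

```json
{
  "resources": [
    {
      "comments": "Added example. Cluster resource: the new certificate goes into the empty secondary slot, the primary thumbprint stays unchanged. Parameter names are assumptions.",
      "type": "Microsoft.ServiceFabric/clusters",
      "name": "[parameters('clusterName')]",
      "properties": {
        "certificate": {
          "thumbprint": "[parameters('certificateThumbprint')]",
          "thumbprintSecondary": "[parameters('secCertificateThumbprint')]",
          "x509StoreName": "My"
        }
      }
    },
    {
      "comments": "Added example. Scale set: the nodes install the new certificate from Key Vault and the Service Fabric extension references it by thumbprint. Names are assumptions.",
      "type": "Microsoft.Compute/virtualMachineScaleSets",
      "name": "[parameters('vmNodeType0Name')]",
      "properties": {
        "virtualMachineProfile": {
          "osProfile": {
            "secrets": [
              {
                "sourceVault": { "id": "[parameters('sourceVaultValue')]" },
                "vaultCertificates": [
                  { "certificateStore": "My", "certificateUrl": "[parameters('certificateUrlValue')]" },
                  { "certificateStore": "My", "certificateUrl": "[parameters('secCertificateUrlValue')]" }
                ]
              }
            ]
          },
          "extensionProfile": {
            "extensions": [
              {
                "name": "ServiceFabricNode",
                "properties": {
                  "settings": {
                    "certificate": { "thumbprint": "[parameters('certificateThumbprint')]", "x509StoreName": "My" },
                    "certificateSecondary": { "thumbprint": "[parameters('secCertificateThumbprint')]", "x509StoreName": "My" }
                  }
                }
              }
            ]
          }
        }
      }
    }
  ]
}
```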
