Knowledge Base

Our dedicated Product Specialist team is always ready to help you when you need it the most. Contact Support

Updating the Specops Arbiter Server Certificate

The Specops Arbiter service uses a self-signed certificate to encrypt communications from domain controllers to query the Specops API. If this certificate is expired or inadvertently deleted, the Arbiter server may not be able to start.

Identify the Certificate Currently In Use

The Arbiter uses the certificate identified by the thumbprint stored in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Specopssoft\Specops Password Policy\Blacklist]
"ArbiterPortCertificateThumbprint"="<certificate thumbprint>"

The value of this parameter indicates the thumbprint of the certificate currently in use. Check the computer account personal certificate store for the corresponding certificate. To find the certificate via an admin PowerShell:

dir cert:\localmachine\my\&lt;certificatethumbprint> | fl

Substituting <certificatethumbprint> with the value from the config file, e.g.

The certificate subject should match the FQDN of the server; the certificate dates should also be valid for the current date. If the certificate has expired it must be renewed. If no results are returned, this indicates the certificate no longer exists and must be replaced.

Create A New Self-Signed Certificate

A new self-signed certificate can be created through any means available (e.g. an AD-integrated Certificate Authority); our only requirement is that the certificate subject matches the FQDN of the Password Reset server. The following PowerShell command creates the appropriate certificate good for ten years:

New-SelfSignedCertificate -Subject "$env:computername.$env:userdnsdomain" -NotAfter (Get-Date).AddYears(10) -friendlyname "Arbiter $(get-date)"

The command will create the cert and output the thumbprint.

Install The New Certificate Manually

Manual Install

Update the Registry

Update the registry value mentioned earlier with the new thumbprint.

Update the netsh http bindings

The old certificate will remain bound in Windows; we must update this binding manually. To view the current binding from an admin command prompt:

netsh http show sslcert

Note our old cert thumbprint still appears as “Certificate Hash” here. Also note the Application ID which will be unique to each Arbiter server installation.

We must delete this binding and recreate it with our new cert thumbprint from earlier.

netsh http delete sslcert
netsh http add sslcert certhash=<CERT_THUMBPRINT> appid=<YOUR_APP_ID>

For example:

Restart the Service

Restart the Specops Arbiter service for the change to take effect.

PowerShell Scripted Install

The following PowerShell script will update the registry and bindings with a specified certificate and restart the service for you:

function Update-ArbiterBinding () {

    $arbiterIPport = ""
    $certThumbprintRegistryPath = "REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Specopssoft\Specops Password Policy\Blacklist"

    try {
        $appID = $($(netsh http show sslcert "$arbiterIPport" | findstr "Application ID").split(' ') | ? { $_ -match '\S' })[3]
    catch [System.Management.Automation.RuntimeException] {
        write-verbose -verbose "Did not find netsh cert binding $arbiterport.  Aborting."
    catch {
        write-verbose -verbose $_
    if (test-path $certThumbprintRegistryPath) {
        $certThumbprint = $(get-itemproperty -path "$certThumbprintRegistryPath").ArbiterPortCertificateThumbprint
    } else {
        write-verbose -verbose "Failed to get thumbprint from registry"
    if (test-path Cert:\LocalMachine\my\"$certThumbprint") {
        write-verbose -verbose "Will update binding for app ID $appID with certificate $certThumbprint"
        netsh http delete sslcert "$arbiterIPport"
        netsh http add sslcert ipport="$arbiterIPport" certhash="$certThumbprint" appid="$appID"
    } else {
        write-verbose -verbose "Thumbprint from registry not found, will not update binding"


Sample output:

Validate the Certificate Install

The following PowerShell script will connect to the local Arbiter server and confirm it is operational, as well as display the thumbprint of the certificate currently in use:

function Ping-Arbiter($hostname) {
    Add-Type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public static class LastCertificateUsedPersister
        public static string Thumbprint;
    public class AllowAllCertificatesPolicy : ICertificatePolicy {
        public bool CheckValidationResult(ServicePoint srvPoint,
            X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            LastCertificateUsedPersister.Thumbprint = ((X509Certificate2)certificate).Thumbprint;
            return true;
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object AllowAllCertificatesPolicy
    Invoke-WebRequest -UseDefaultCredentials "https://$($hostname):4383/Diagnostics/Ping"
    Write-Verbose -Verbose ("Certificate thumbprint presented: '{0}'" -f [LastCertificateUsedPersister]::Thumbprint)

Ping-Arbiter "$env:computername.$env:userdnsdomain"

Sample output:

April 11, 2022

Was this article helpful?

Related Articles