How to Modify the Workflow Manager certificates before they expire?
If you used auto generated certificate while configuring workflow manager or if you used 3rd party certificates from company or from you certificate authority then you are in need to modify your certificates before they expire to do so follow the below instructions.
Also worth checking this other blog if you want to keep auto generation of certificates.
- On workflow manager server go and open IIS and navigate to the server name then server certificates
- From action pane, select create certificate request.
- Put the common name FQDN server, save file as .csr
- Go to your certificate authority and share with them this request to give you the certificate
- Once you get the certificates then go back to IIS then from action pane select complete certificate request to import certificates.
- Take backups from databases and whole server or if you can’t take snapshot from whole server then use the workflow manager disaster recovery in this wiki https://social.technet.microsoft.com/wiki/contents/articles/29158.workflow-manager-disaster-recovery.aspx
- Open powershell command on workflow manager server as admin
- Run following commands
Note: never use self signed certificate on IIS as it causes issues when running and never delete certificate if you run the command set-sbcertificate or set-wfcertficate until you modify its
first run get-sbfarm abd get-wffarm to know the certificates that are binded and to compare in IIS certificates
Note: modify thumbprint by ones of the certificates from certificate properties in the below commands
Set-SBCertificate -FarmCertificateThumbprint yourthumbprint -EncryptionCertificateThumbprint
yourthumbprint
Stop-SBFarm -Verbose
Update-SBHost
Start-SBFarm
Set-WFCertificate -SslCertificateThumbprint
yourthumbprint -EncryptionCertificateThumbprint
yourthumbprint
Stop-WFHost
Update-WFHost
Start-WFHost
Get-WFOutboundCertificate -ServiceURI https://server.x.com:12290/
Set-WFNextOutboundCertificateReference -ServiceURI https://
server.x.com :12290/ -Thumbprint yourthumbprint
Set-WFNextOutboundCertificateAsCurrent -ServiceURI https://
server.x.com :12290/
Get-WFOutboundCertificate -ServiceURI https://
server.x.com :12290/
- Restart IIS on each of the SharePoint WFEs
- Export the 2 certificates from workflow manager server and copy to all SP servers, to export certificates:
- On IIS double click on the certificate and got to details tab and select copy to file and then select option to export without key and save files and copy to all SP servers
- import certificates on personal and trusted root authority on all SP servers using certificates console using mmc.exe.
- Run following command for each certificate on any of SP servers using SharePoint PowerShell as admin after you modify the thumbprint.
$thumprint = “yourthumprint”
$certwfcert = dir Cert:\LocalMachine\My | ? {$_.Thumbprint -eq $thumprint}
New-SPTrustedRootAuthority -Certificate $certwfcert
- Open central admin then from monitoring->job definition run immediately the job “Refresh Trusted Security Token Services Metadata” and make sure that it succeeded.
- Test workflow to make sure that it is running.
