Changing my Workflow Manager Farm Certificates


From my experience, one of the situations that most scares anyone administering a WFM Farm is changing or updating the certificates.

In fact, there is no reason for that fear because the process is pretty much straightforward.

See how easy it is.

So, the first step should be updating the Service Bus services. For that, start a Workflow Manager PowerShell console as an Administrator and run the cmdlets below.

Set-SBCertificate -FarmCertificateThumbprint YourThumbprint -EncryptionCertificateThumbprint YourThumbprint
Stop-SBFarm -Verbose
Update-SBHost
Start-SBFarm

After this step, we need to update the certificates used by the Workflow Manager services.

Set-WFCertificate -SslCertificateThumbprint YourThumbprint -EncryptionCertificateThumbprint YourThumbprint
Stop-WFHost
Update-WFHost
Start-WFHost
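The two blocks above, wrapped into one script as an added example (this is not code from the original post): before touching either farm it checks that the new certificate is actually in LocalMachine\My on this host, has a private key, and has not already expired, which are the three things that most often make the Set-* cmdlets fail half-way. The $NewThumbprint parameter is a placeholder; the script assumes it is run from an elevated Workflow Manager PowerShell console on a farm host, and that the same certificate is used for the farm, SSL and encryption roles, as in the post.

```powershell
# Added example, not from the original post: rotate the Service Bus and
# Workflow Manager certificates with the pre-checks done up front.
# Assumptions: elevated Workflow Manager PowerShell console on a farm host;
# the new certificate is already imported into LocalMachine\My on every
# farm host; $NewThumbprint is a placeholder for your thumbprint.
param(
    [Parameter(Mandatory = $true)][string] $NewThumbprint
)

$ErrorActionPreference = 'Stop'

# Thumbprints copied out of certmgr often carry spaces or a hidden BOM;
# normalise to bare upper-case hex before handing them to the cmdlets.
$thumb = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) { throw "'$NewThumbprint' is not a SHA-1 thumbprint." }

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert)                    { throw "Certificate $thumb is not in LocalMachine\My on this host." }
if (-not $cert.HasPrivateKey)      { throw "Certificate $thumb has no private key; the services cannot use it." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumb expired on $($cert.NotAfter)." }
Write-Host "Using $($cert.Subject), valid until $($cert.NotAfter)"

# 1. Service Bus. Stop-SBFarm stops the whole farm; Update-SBHost applies the
#    new certificate to the local host, so run it on every host in the farm.
Set-SBCertificate -FarmCertificateThumbprint $thumb -EncryptionCertificateThumbprint $thumb
Stop-SBFarm -Verbose
Update-SBHost
Start-SBFarm
Get-SBFarmStatus | Format-Table -AutoSize

# 2. Workflow Manager. The *-WFHost cmdlets act on the local host only,
#    so repeat this part on each Workflow Manager host as well.
Set-WFCertificate -SslCertificateThumbprint $thumb -EncryptionCertificateThumbprint $thumb
Stop-WFHost
Update-WFHost
Start-WFHost
Get-WFFarmStatus | Format-Table -AutoSize
```

The two status cmdlets at the end are the quickest way to confirm the hosts came back up with the new certificate before moving on to the outbound certificate check.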

If everything went well, these easy steps should do the trick, but as we all know, that is not always the case.

So, as the next step we should check the WFM Outbound Certificate, since that is where we see the most issues. For that, you can follow this process.

First, run the cmdlet below:

Get-WFOutboundCertificate -ServiceURI https://nameofyourserver:12290/

If it still returns the old one, do the following:

Set-WFNextOutboundCertificateReference -ServiceURI https://nameofyourserver:12290/ -Thumbprint yourThumbprint

Now, if you run the Get-WFOutboundCertificate cmdlet, you should get both the old one and the new one.

Now run the following cmdlet to make the new one the current (default) certificate for the Workflow Manager farm:

Set-WFNextOutboundCertificateAsCurrent -ServiceURI https://nameofyourserver:12290/

Now, if you run the Get-WFOutboundCertificate cmdlet again, you should get just the new one:

Get-WFOutboundCertificate -ServiceURI https://nameofyourserver:12290/

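The outbound certificate sequence above, as an added example that is not from the original post: it turns the three cmdlets into an idempotent script that only stages the new certificate when the farm is still reporting the old one, verifies the two-certificate state before promoting, and verifies the one-certificate state afterwards, so a rerun after a partial failure is safe. It assumes an elevated Workflow Manager PowerShell console, that the objects returned by Get-WFOutboundCertificate expose a Thumbprint property, and that $ServiceUri and $NewThumbprint are placeholders for your farm.

```powershell
# Added example, not from the original post: idempotent outbound
# certificate rotation with a check after each step.
# Assumptions: elevated Workflow Manager PowerShell console; the objects
# returned by Get-WFOutboundCertificate expose a Thumbprint property;
# $ServiceUri and $NewThumbprint are placeholders for your farm.
param(
    [string] $ServiceUri = 'https://nameofyourserver:12290/',
    [Parameter(Mandatory = $true)][string] $NewThumbprint
)

$ErrorActionPreference = 'Stop'
$thumb = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

function Get-OutboundThumbprints {
    # Thumbprints the farm currently lists, normalised for comparison.
    @(Get-WFOutboundCertificate -ServiceURI $ServiceUri) |
        ForEach-Object { ($_.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
}

$before = @(Get-OutboundThumbprints)
Write-Host "Currently listed: $($before -join ', ')"

if ($before.Count -eq 1 -and $before[0] -eq $thumb) {
    Write-Host 'Outbound certificate is already the new one; nothing to do.'
    return
}

if ($before -notcontains $thumb) {
    # Stage the new certificate next to the old one (the "two certificates" state).
    Set-WFNextOutboundCertificateReference -ServiceURI $ServiceUri -Thumbprint $thumb
    $staged = @(Get-OutboundThumbprints)
    if ($staged -notcontains $thumb) {
        throw 'New certificate was not staged; check it is installed in LocalMachine\My with a private key.'
    }
    Write-Host "Staged. Listed now: $($staged -join ', ')"
}

# Promote the staged certificate to current; the old one drops off the list.
Set-WFNextOutboundCertificateAsCurrent -ServiceURI $ServiceUri
$after = @(Get-OutboundThumbprints)
if ($after.Count -ne 1 -or $after[0] -ne $thumb) {
    throw "Expected only $thumb after promotion, but the farm lists: $($after -join ', ')"
}
Write-Host "Outbound certificate is now $thumb"
```

The final check is the one worth keeping even if you run the cmdlets by hand: if the farm still lists two thumbprints after Set-WFNextOutboundCertificateAsCurrent, the promotion did not take and SharePoint will keep seeing signatures from the old certificate.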

After these steps, you will probably need to patch things up on the SharePoint side, e.g. if you are using your Workflow Manager Farm with your SharePoint portal.

Those extra steps would be as below:

  • Restart IIS on each of the SharePoint WFEs
  • Force an immediate run of the "Refresh Trusted Security Token Services Metadata" timer job
  • Add the Workflow Manager Certificate to SharePoint’s trust: https://technet.microsoft.com/en-us/library/jj658589.aspx
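The three SharePoint-side steps, as an added example (not code from the original post) run from an elevated SharePoint Management Shell on one farm server. It registers the new Workflow Manager certificate as a trusted root, replacing an entry of the same name that still holds the old thumbprint, starts the timer job by its display name, and restarts IIS on each WFE. $WfmCerPath, $TrustName and $WebFrontEnds are placeholders; the IIS restart assumes WinRM is enabled on the WFEs.

```powershell
# Added example, not from the original post: SharePoint-side follow-up after
# a Workflow Manager certificate change.
# Assumptions: elevated SharePoint Management Shell; $WfmCerPath is the
# exported public (.cer) Workflow Manager certificate; $TrustName is the
# name of the trusted root entry; $WebFrontEnds are the WFE host names and
# WinRM is enabled on them. All three values are placeholders.
param(
    [string]   $WfmCerPath   = 'C:\certs\wfm.cer',
    [string]   $TrustName    = 'Workflow Manager',
    [string[]] $WebFrontEnds = @('wfe01', 'wfe02')
)

$ErrorActionPreference = 'Stop'
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Trust the new Workflow Manager certificate. Only the public part is
#    needed, so a .cer is enough. If an entry with this name already exists
#    but holds a different thumbprint, replace it so the old certificate is
#    not left trusted under that name.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($WfmCerPath)
$existing = Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $TrustName }
if ($existing -and $existing.Certificate.Thumbprint -ne $cert.Thumbprint) {
    Remove-SPTrustedRootAuthority -Identity $TrustName -Confirm:$false
    $existing = $null
}
if (-not $existing) {
    New-SPTrustedRootAuthority -Name $TrustName -Certificate $cert | Out-Null
}
Write-Host "Trusted root '$TrustName' -> $($cert.Thumbprint) (expires $($cert.NotAfter))"

# 2. Run the timer job the post names right away instead of waiting for its schedule.
$job = Get-SPTimerJob | Where-Object { $_.DisplayName -like 'Refresh Trusted Security Token Services Metadata*' }
if (-not $job) { throw 'Timer job "Refresh Trusted Security Token Services Metadata" not found.' }
$job | Start-SPTimerJob
Write-Host "Started timer job: $($job.DisplayName)"

# 3. Restart IIS on each web front end so cached channels drop the old certificate.
foreach ($wfe in $WebFrontEnds) {
    Write-Host "Restarting IIS on $wfe"
    Invoke-Command -ComputerName $wfe -ScriptBlock { iisreset /noforce }
}
```

Matching the timer job on its display name rather than an internal name keeps the script tied to exactly the job the post refers to; if it finds nothing, the job name has changed in your build and the script stops rather than silently skipping the refresh.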

Hope that helps

Cheers

Comments (10)

  1. Sarath says:

    Hi,

    Is this step valid to change the auto generated Workflow Outbound certificate to a custom CA certificate?

    Thanks

    1. Hello Sarath, yes, you can follow the above steps to change that; remember that the certificate needs to be valid and installed prior to being assigned.

      1. Sarath says:

        Hi Jose,
        I was going through the steps mentioned in article (http://www.harbar.net/articles/wfm3.aspx) to update the auto generated certificates to CA certificate and noticed the message as given below:

        “we cannot change from an auto-generated Outbound Signing certificate to a CA issued Outbound Signing Certificate. This is a significant constraint of Workflow Manager configuration, even though we can update the certificate, workflows will get “stuck” in their initial stage after doing so, as the Workflow Manager farm thinks it’s an auto-generated certificate”

        I was really worried about reinstalling WFM in order to use same custom CA certificate for Service bus, Workflow Manager and Outbound signing certificate.

        If above steps is going to work for all kind of these certificates, it will save my time.

      2. Sarath says:

        Hi Jose,

        With the above commands, I've successfully updated the outbound certificate and the command Get-WFOutboundCertificate gives the correct domain certificate thumbprint. However, Get-WFFarm still returns the old certificate details. Is this a bug? I'm running CU3 in my environment.

        Regards, Sarath

        1. Hi Sarath, yes, it's indeed a known issue with the Get-WFFarm PowerShell cmdlet. This is because Get-WFFarm retrieves data from the WF Management database and not from the WF Resource Management database as the Get-WFOutboundCertificate cmdlet does, hence the difference.
          Workflow runtime is using the thumbprint defined in WF Resource Management so there should not be any problem.
          This issue exists even in CU3 and is tracked to be fixed in CU4.

          1. Sarath says:

            Thanks Jose for the quick update!

            I’ve a question outside of this article. Would you be able to help with that?

            Do you have any article stating about the step-by-step procedure for Workflow Manager DR in Warm standby mode? I’ve asked the same in MS Forum and no reply as of now.

            Regards, Sarath

  2. Sarath says:

    Hi Jose,

    Need a quick help. If our SharePoint sites are accessed from external network, do we need an external certificate as WF, Service Bus and Outbound signing certificate? Or domain CA issued certificate can be used without any certificate error?

    1. Hi Sarath, as long as the WFM certificate matches the FQDN of the server and it's installed on the SharePoint front-end servers connected with the WFM Farm, you should have no issues.

      1. Sarath says:

        Thanks Jose! I'm currently using an internal CA certificate with DNS name "*.domain.com" which matches the FQDN of the server. However, I'm planning to install external CA certificates in SharePoint and was thinking whether we need an external certificate for WFM as well. My idea is it should not throw any certificate error when accessing the workflows from external domain networks.

  3. DaveVickery says:

    This was very helpful. I had to replace an expired certificate, and didn’t have time to take a Workflow Manager class or dig through the disjoint TechNet information. This is exactly what I needed and it worked perfectly.

    Thanks much!
