Changing my Workflow Manager Farm Certificates


From my experience, one of the situations that most scares anyone administering a WFM Farm is changing or updating its certificates.

In fact, there is no reason for that fear, because the process is pretty much straightforward.

See how easy it is.

So, the first step should be updating the Service Bus services. For that, start a Workflow Manager PowerShell console as an Administrator and run the cmdlets below.

$cert = Get-Item Cert:\LocalMachine\My\YourThumbprint   # the new certificate, already imported into the local machine store
Set-SBCertificate -FarmCertificateThumbprint $cert.Thumbprint -EncryptionCertificateThumbprint $cert.Thumbprint
Stop-SBFarm -Verbose
Update-SBHost
Start-SBFarm

After this step, we need to update the certificates used by the Workflow Manager services:

Set-WFCertificate -SslCertificateThumbprint $cert.Thumbprint -EncryptionCertificateThumbprint $cert.Thumbprint
Stop-WFHost
Update-WFHost
Start-WFHost

If everything went well, these easy steps should do the trick, but as we all know, that is not always the case.

So, as the next step we should check the WFM outbound certificate, since that is where we see the most issues. For that, you can follow this process.

First, run the cmdlet below:

Get-WFOutboundCertificate -ServiceURI https://nameofyourserver:12290/

If it still returns the old one, do the following:

Set-WFNextOutboundCertificateReference -ServiceURI https://nameofyourserver:12290/ -Thumbprint yourThumbprint

Now, if you run the Get-WFOutboundCertificate cmdlet, you should get both the old one and the new one.

Now run the following cmdlet to define the new one as the default for the current Workflow Manager farm:

Set-WFNextOutboundCertificateAsCurrent -ServiceURI https://nameofyourserver:12290/

Now, if you run the Get-WFOutboundCertificate cmdlet again, you should get just the new one:

Get-WFOutboundCertificate -ServiceURI https://nameofyourserver:12290/

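The whole procedure above, wrapped in the pre-flight and post-rotation checks I would want before touching a production farm, as an added example that is not part of the original post. It assumes you run it in the Workflow Manager PowerShell console as Administrator, that $NewThumbprint and $ServiceUri are placeholders you fill in, and that Get-WFOutboundCertificate returns certificate objects exposing a Thumbprint property.

```powershell
# Added example: pre-flight check, rotation and verification of a WFM/Service Bus certificate change.
# Assumptions: Workflow Manager PowerShell console, run as Administrator;
# the two values below are placeholders.
$NewThumbprint = 'YOUR-NEW-CERT-THUMBPRINT'        # placeholder
$ServiceUri    = 'https://nameofyourserver:12290/'  # placeholder, as in the post

# 1. The new certificate must already be in the local machine store with its private key,
#    otherwise Set-SBCertificate / Set-WFCertificate fail or the farm will not start again.
$cert = Get-Item "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key." }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); consider a longer-lived one."
}
# Record what the farm uses today, so the old thumbprint is known before anything changes.
$before = @(Get-WFOutboundCertificate -ServiceUri $ServiceUri)
Write-Host "Outbound certificate(s) before rotation: $($before.Thumbprint -join ', ')"

# 2. Rotation, with a single variable so Service Bus and Workflow Manager get the same thumbprint.
Set-SBCertificate -FarmCertificateThumbprint $cert.Thumbprint -EncryptionCertificateThumbprint $cert.Thumbprint
Stop-SBFarm -Verbose
Update-SBHost
Start-SBFarm
Set-WFCertificate -SslCertificateThumbprint $cert.Thumbprint -EncryptionCertificateThumbprint $cert.Thumbprint
Stop-WFHost
Update-WFHost
Start-WFHost

# 3. Verify: exactly one outbound certificate, and it is the new one. If not, switch it explicitly.
$after = @(Get-WFOutboundCertificate -ServiceUri $ServiceUri)
if ($after.Count -ne 1 -or $after[0].Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "Outbound certificate not switched yet: $($after.Thumbprint -join ', ')"
    Set-WFNextOutboundCertificateReference -ServiceUri $ServiceUri -Thumbprint $cert.Thumbprint
    Set-WFNextOutboundCertificateAsCurrent -ServiceUri $ServiceUri
    $after = @(Get-WFOutboundCertificate -ServiceUri $ServiceUri)
}
if ($after.Count -eq 1 -and $after[0].Thumbprint -eq $cert.Thumbprint) {
    Write-Host "Outbound certificate is now $($cert.Thumbprint)"
} else {
    throw "Rotation incomplete; outbound certificates: $($after.Thumbprint -join ', ')"
}
```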

After these steps, you will probably need to patch things up on the SharePoint side as well, e.g. if you are using your Workflow Manager farm with your SharePoint portal.

Those extra steps would be as below:

  • Restart IIS on each of the SharePoint WFEs
  • Force the immediate run of the “Refresh Trusted Security Token Services Metadata” timer job
  • Add the Workflow Manager Certificate to SharePoint’s trust: https://technet.microsoft.com/en-us/library/jj658589.aspx

Hope that helps

Cheers
