WFM Certificate renewal process for SharePoint 2013\2016

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Below is a sample for a one-node WFM farm, using the WFM/SB certificate generation key to reset an expired certificate.

Before you start:

  1. Ensure you have the credentials for the WFM Run-As service account and the WFM passphrase for the generated certificate.
  2. In order to reset the generation key for WFM and SB, the system date and clock of the WFM node must be set back to before the certificate expiration date (this step also needs to be done if there are multiple WFM nodes in the farm):

  • Stop the Windows Time Service
  • Change the system date and clock to the day before the certificate expired

Steps to follow once the system date and time have been set prior to the expiration date:
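As an added example (not part of the original post), the PowerShell below does the two clock bullets above in a checkable way: it finds the expired auto-generated WFM/SB certificate, reports the target date, and only changes the clock when run with -Apply; the -Restore switch re-enables the Windows Time Service, which the later step of the procedure calls for. The issuer name CN=AutoGeneratedCA, the use of the machine Personal store, and the switch names are assumptions, not something the post states.

```powershell
# Added example, not from the original post. Finds the expired WFM/SB certificate and
# sets the clock to the day before it expired; -Restore re-enables time sync afterwards.
# Assumption: WFM/SB auto-generated certificates are issued by "CN=AutoGeneratedCA".
param(
    [string] $IssuerPattern = 'CN=AutoGeneratedCA*',
    [switch] $Apply,    # without -Apply the script only reports the target date
    [switch] $Restore   # re-enable Windows Time Service and resync (later step)
)

if ($Restore) {
    Start-Service W32Time
    w32tm /resync | Out-Null
    "Clock restored: $(Get-Date)"
    return
}

# The issued certificates sit in the machine Personal store; the CA itself is in Root
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like $IssuerPattern }
if (-not $certs) { throw "No certificate issued by '$IssuerPattern' found in Cert:\LocalMachine\My" }

# Use the earliest NotAfter so the clock lands before every WFM/SB certificate expired
$earliest = $certs | Sort-Object NotAfter | Select-Object -First 1
$target   = $earliest.NotAfter.Date.AddDays(-1).AddHours(12)   # noon on the day before expiry

"Certificate : $($earliest.Subject)  [$($earliest.Thumbprint)]"
"Expired     : $($earliest.NotAfter)"
"Clock target: $target"

if ($Apply) {
    Stop-Service W32Time -Force     # keep NTP from snapping the clock forward again
    Set-Date -Date $target | Out-Null
    "Clock now   : $(Get-Date)"
} else {
    'Dry run only; re-run with -Apply to stop W32Time and set the clock.'
}
```

Run it once without switches to confirm it picked the certificate you expect, then with -Apply. Because the clock change is a farm-wide event that other services and logs will notice, the dry run and the printed thumbprint give you a record of why the clock was moved.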

  1. Output the Workflow Manager PowerShell results to the clipboard and paste them into Notepad (append "| clip" to each command to send its output to the clipboard):

Get-WFFarm | clip

Get-SBFarm | clip

Get-SBNamespace | clip

** The "Get-SBNamespace" command lists the ManageUsers accounts; one of those accounts should be the logon credentials used. The account should have the required SQL permissions to reset expired certificates.

 

  2. Run the commands below. After reverting the date and time, all services should display "Running" before proceeding to the next steps:

Get-WFFarmStatus

Get-SBFarmStatus

There are scenarios where the Service Bus Message Broker service gets stuck at "Starting"; regardless, continue to the next step.
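As an added example (not part of the original post), this pre-flight script covers steps 1 and 2 together: it writes the farm details to files instead of the clipboard, checks that the logged-on account is one of the namespace ManageUsers, and fails if any service other than the Message Broker is not "Running". It assumes the Workflow Manager PowerShell console, that the status cmdlets expose ServiceName and ServiceStatus properties, and that Get-SBNamespace exposes ManageUsers; the output folder is arbitrary.

```powershell
# Added example, not from the original post. Pre-flight checks for the key reset.
# Assumptions: run from Workflow Manager PowerShell; Get-*FarmStatus objects carry
# ServiceName/ServiceStatus; Get-SBNamespace objects carry ManageUsers.
$outDir = Join-Path $env:USERPROFILE 'wfm-renewal'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step 1: persist the farm configuration to files (replaces "| clip" + Notepad)
Get-WFFarm      | Format-List * | Out-File (Join-Path $outDir 'Get-WFFarm.txt')
Get-SBFarm      | Format-List * | Out-File (Join-Path $outDir 'Get-SBFarm.txt')
Get-SBNamespace | Format-List * | Out-File (Join-Path $outDir 'Get-SBNamespace.txt')
"Farm details written to $outDir"

# The logon account must be one of the namespace ManageUsers (comparison is
# case-insensitive; entries may also be stored as UPNs, so inspect the list on a miss)
$me          = "$env:USERDOMAIN\$env:USERNAME"
$manageUsers = @(Get-SBNamespace | ForEach-Object { $_.ManageUsers })
if ($manageUsers -notcontains $me) {
    Write-Warning "$me is not listed in ManageUsers: $($manageUsers -join ', ')"
} else {
    "$me is a namespace ManageUser"
}

# Step 2: every service should be Running; the Message Broker may sit at Starting
$status     = @(Get-WFFarmStatus) + @(Get-SBFarmStatus)
$notRunning = $status | Where-Object { $_.ServiceStatus -ne 'Running' }
$broker     = $notRunning | Where-Object { $_.ServiceName -like '*Message Broker*' }
$others     = $notRunning | Where-Object { $_.ServiceName -notlike '*Message Broker*' }

if ($others) {
    $others | Format-Table -AutoSize | Out-String | Write-Warning
    throw 'Services are not Running; fix them before changing the generation key.'
}
if ($broker) {
    Write-Warning 'Service Bus Message Broker is not Running (it can stay at Starting); continuing is expected here.'
}
'Farm status check passed.'
```

Keeping the Get-*Farm output as files rather than clipboard text means you still have the pre-reset thumbprints and host names to compare against after the wizard run.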

 

 

  3. From an administrative SharePoint Management Shell, run the commands below to get the current WorkflowHostUri used to register WFM with SharePoint:

$wfProxy = Get-SPWorkflowServiceApplicationProxy

$wfProxy.GetWorkflowServiceAddress((Get-SPSite -Limit 1 -WarningAction SilentlyContinue))

 

  4. Run the WFM PowerShell commands below to change the passphrase and thumbprints:

$CertKey = ConvertTo-SecureString 'PASSPHRASE' -AsPlainText -Force

Set-WFCertificateAutoGenerationKey -Key $CertKey

Set-SBCertificateAutoGenerationKey -Key $CertKey

Then run:

Stop-SBFarm

Update-SBHost

 

  5. Run the Workflow Manager Configuration Wizard: leave the WFM farm first and then rejoin the WFM farm.

  6. Enable the Windows Time Service; this will automatically change the server back to the current date and time.

 

  7. SharePoint 2016: follow the step-by-step guide to add the Workflow Manager certificate into the SharePoint trust:

https://social.technet.microsoft.com/wiki/contents/articles/34451.sharepoint-2016-step-by-step-guide-to-add-workflow-manager-certificate-into-sharepoint-trust.aspx

 

  8. Export the WFM client certificate using the command below from Workflow Manager PowerShell:

Get-WFAutoGeneratedCA

  • The command above creates the "AutoGeneratedCA.cer" file in the path where the command was executed (default: C:\Program Files\Workflow Manager\1.0)

 

  9. Copy the "AutoGeneratedCA.cer" file to all SP nodes and web front ends, and install the certificate into the Trusted Root Certification Authorities certificate store

  • Reset IIS on the WFEs

 

  10. Register WFM with SharePoint.

Sample command:

Register-SPWorkflowService -SPSite "http://FQDN" -WorkflowHostUri "http://FQDN:12291" -AllowOAuthHttp -Force

 

  11. From SharePoint Central Administration, run the daily timer job "Refresh Trusted Security Token Services Metadata feed [Farm job – Daily]"
  12. Test a 2013 workflow
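As an added example (not part of the original post), the script below scripts steps 9 through 11 from a SharePoint server: it installs the exported CA into Trusted Root on every node only if that thumbprint is not already there, resets IIS on the WFEs, re-registers WFM with the host URI captured in step 3, verifies SharePoint now reports that URI, and starts the metadata-refresh timer job. Server names and the contoso.local domain are constructed placeholders, the URLs are the post's own FQDN placeholders, and matching the timer job on its DisplayName is an assumption.

```powershell
# Added example, not from the original post. Installs AutoGeneratedCA.cer into Trusted Root
# on every SharePoint server, resets IIS on the WFEs, re-registers WFM with the host URI
# captured in step 3, then starts the metadata-refresh timer job.
# Assumptions: server names and URLs are constructed placeholders; $hostUri holds the value
# GetWorkflowServiceAddress returned before the reset; the timer job is matched by DisplayName.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$cerPath  = 'C:\Program Files\Workflow Manager\1.0\AutoGeneratedCA.cer'   # default path from step 8
$wfes     = @('WFE01.contoso.local', 'WFE02.contoso.local')               # constructed names
$allNodes = $wfes + @('APP01.contoso.local')                               # constructed names
$siteUrl  = 'http://FQDN'          # placeholder, as in the sample command above
$hostUri  = 'http://FQDN:12291'    # placeholder: value from GetWorkflowServiceAddress (step 3)

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
"CA to trust: $($ca.Subject)  [$($ca.Thumbprint)]  expires $($ca.NotAfter)"
if ($ca.NotAfter -lt (Get-Date)) { throw "Exported CA expired $($ca.NotAfter); this is not a renewed certificate." }

# Step 9: add the CA to Trusted Root on every node, skipping nodes that already have it
foreach ($node in $allNodes) {
    Invoke-Command -ComputerName $node -ArgumentList $ca.RawData, $ca.Thumbprint -ScriptBlock {
        param([byte[]] $raw, [string] $thumb)
        $present = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
        if (-not $present) {
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
            $store.Open('ReadWrite')
            $store.Add((New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)))
            $store.Close()
        }
        "$($env:COMPUTERNAME): Trusted Root has $thumb"
    }
}

# Reset IIS on the web front ends so they pick up the new trust
foreach ($wfe in $wfes) { iisreset $wfe /noforce | Out-Null; "${wfe}: IIS reset" }

# Step 10: re-register with the same host URI SharePoint used before the reset
Register-SPWorkflowService -SPSite $siteUrl -WorkflowHostUri $hostUri -AllowOAuthHttp -Force

$proxy      = Get-SPWorkflowServiceApplicationProxy
$registered = "$($proxy.GetWorkflowServiceAddress((Get-SPSite $siteUrl)))"
if ($registered.TrimEnd('/') -ne $hostUri.TrimEnd('/')) {
    throw "SharePoint reports host URI '$registered', expected '$hostUri'"
}

# Step 11: run the daily metadata refresh now instead of waiting for its schedule
$job = Get-SPTimerJob | Where-Object { $_.DisplayName -like 'Refresh Trusted Security Token Services Metadata feed*' }
if (-not $job) { throw 'Timer job not found; start it from Central Administration instead' }
Start-SPTimerJob -Identity $job
"Timer job '$($job.DisplayName)' started; now test a 2013 workflow (step 12)."
```

The thumbprint check before adding to Trusted Root is deliberate: re-running the script is safe, and the printed thumbprint on each node is what you compare against the CA you exported, so a stale or wrong .cer file does not silently land in every server's root store.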
