Aug 18 2021 01:29 PM
My certificate will be expiring soon in SP Workflow 2013. I am using the certificate the WFM creates when I set up the WF farm. I am still on CU3 as I've run into issues in the past. On a few other farms, I tried installing CU4 and CU5 to get the PowerShell commands to be able to renew the certs. However, each time the updates stalled out, leaving me with no other option but to recreate the WF farm.
1. Can I just install CU4 and CU5 without needing to remove the WF servers from the farm, stop any services, or anything else?
2. Is there a better documented process than this one?
Sep 14 2021 09:27 AM
The link you provided is accurate, but it leaves out pertinent information, such as that WFM 1.0 CU5 requires SQL 2012 SP4 or above, and that if you are running SharePoint 2016 you should be running Service Bus 1.1.
But to answer your question in regards to renewing auto-generated certificates for Workflow Manager and Service, you may proceed with the process without applying WFM 1.0 CU4 and WFM 1.0 CU5 if you meet the following conditions:
The process to reset WFM Passphrase and reset certificate generation key:
1) Run the WFM PowerShell commands below to change the passphrase and thumbprints:
$CertKey = ConvertTo-SecureString 'PASSPHRASE' -AsPlainText -Force
Set-WFCertificateAutoGenerationKey -Key $CertKey
Set-SBCertificateAutogenerationKey -Key $CertKey
2) Run Workflow Manager Configuration Wizard - leave WFM farm first and then rejoin WFM farm
3) If this is a 3 Node WFM farm, have WFMNode2 and WFMNode3 rejoin the farm - new certificates will be automatically added.
4) Follow the article below to export the WFM certificate to SharePoint CA\Security\Manage Trusts:
SharePoint 2016: Step by Step guide to add Workflow Manager Certificate into SharePoint trust
5) Register WFM to SharePoint - this process adds the new Workflow Outbound certificate to SP CA\Security\Manage Trusts
From an administrative SharePoint Management Shell, run the commands below to get the current WorkflowHostURI used to register WFM to SharePoint and to validate the ScopeName:
$wfProxy = Get-SPWorkflowServiceApplicationProxy
$wfProxy.GetWorkflowServiceAddress((Get-SPSite -Limit 1 -WarningAction SilentlyContinue))
Sample command if ScopeName parameter needed:
6) To avoid users getting 401 errors when running 2013 workflows, run the daily timer job below:
From SharePoint Central Admin\Monitoring\Timer Job Definitions
Run daily timer jobs:
Refresh Trusted Security Token Services Metadata feed [Farm job – Daily]
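As an added example (not from the original thread or from Microsoft), a PowerShell check that can be run from the SharePoint Management Shell before and after the steps above: it lists the Manage Trusts entries that expire within a given number of days, and returns the WorkflowHostUri registered for a site using the same proxy call the answer shows. The function names and the site URL are my own placeholders.

```powershell
# Added example: report SharePoint trust-store certificates that expire soon,
# and the Workflow Manager host URI registered for a site. Run from the
# SharePoint Management Shell; the Get-SP* cmdlets are SharePoint's own,
# the two function names below are mine.

function Get-ExpiringSPTrusts {
    param([int]$WithinDays = 30)
    $now    = Get-Date
    $cutoff = $now.AddDays($WithinDays)
    # Get-SPTrustedRootAuthority returns the entries shown in
    # Central Administration > Security > Manage Trust
    Get-SPTrustedRootAuthority | ForEach-Object {
        $cert = $_.Certificate
        [pscustomobject]@{
            Name       = $_.Name
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - $now).TotalDays
            Expired    = ($cert.NotAfter -lt $now)
        }
    } | Where-Object { $_.NotAfter -lt $cutoff } | Sort-Object NotAfter
}

function Get-WorkflowHostUriForSite {
    param([Parameter(Mandatory)][string]$SiteUrl)
    $proxy = Get-SPWorkflowServiceApplicationProxy
    if (-not $proxy) { throw "No Workflow Service Application Proxy found in this farm." }
    $site = Get-SPSite $SiteUrl
    try {
        # Same call as in the answer above; this is the WorkflowHostUri
        # that Register-SPWorkflowService was run with for this site's scope
        $proxy.GetWorkflowServiceAddress($site)
    } finally {
        $site.Dispose()
    }
}

# Usage (the site URL is a placeholder for your own site collection)
Get-ExpiringSPTrusts -WithinDays 60 | Format-Table -AutoSize
Get-WorkflowHostUriForSite -SiteUrl 'https://sharepoint.example.local'
```

After rejoining the farm and re-registering WFM, the old Workflow Outbound entry should no longer be the one reported as expiring, and the returned host URI should still match the one you registered with.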