Renew SharePoint 2013 Workflow Certificates

%3CLINGO-SUB%20id%3D%22lingo-sub-2662576%22%20slang%3D%22en-US%22%3ERenew%20SharePoint%202013%20Workflow%20Certificates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2662576%22%20slang%3D%22en-US%22%3E%3CP%3EMy%20certificate%20will%20be%20expiring%20soon%20in%20SP%20workflow%202013.%26nbsp%3B%20I%20am%20using%20the%20certificate%20the%20WFM%20creates%20when%20I%20setup%20the%20WF%20farm.%26nbsp%3B%20I%20am%20still%20on%20CU3%20as%20I've%20run%20into%20issues%20in%20the%20past.%26nbsp%3B%20On%20a%20few%20other%20farms%2C%20I%20tried%20installing%20CU4%20and%20CU5%20to%20get%20the%20PowerShell%20commands%20to%20be%20able%20to%20renew%20the%20certs.%26nbsp%3B%20However%2C%20each%20time%20the%20updates%20stalled%20out%20leaving%20me%20with%20no%20other%20option%20but%20to%20recreate%20the%20WF%20farm.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2%20questions%3A%3C%2FP%3E%3CP%3E1.%20can%20I%20just%20install%20CU4%20and%20CU5%20without%20needing%20to%20remove%20the%20WF%20servers%20from%20the%20farm%2C%20stop%20any%20services%20or%20anything%20else%3F%3C%2FP%3E%3CP%3E2.%20Is%20there%20a%20better%20documented%20process%20than%20this%20one%3F%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdellenny.com%2Fhow-to-modify-the-workflow-manager-certificates-before-they-expire-using-auto-generated-certificates%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdellenny.com%2Fhow-to-modify-the-workflow-manager-certificates-before-they-expire-using-auto-generated-certificates%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2662576%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESharePoint%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2749824%22%20slang%3D%22en-US%22%3ERe%3A%20Renew%20SharePoint%202013%20Workflow%20Certificates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2749824%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F266994%22%20target%3D%22_blank%22%3E%40thekurteichler%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20link%20you%20had%20provided%20is%20accurate%20but%20pertinent%20information%20like%20WFM%201.0%20CU5%20requires%20SQL2012%20SP4%20or%20above%20is%20required%20and%20that%20if%20you%20are%20running%20SharePoint%202016%20then%20you%20should%20be%20running%20Service%20Bus%201.1.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBut%20to%20answer%20your%20question%20in%20regards%20to%20renewing%20auto-generated%20certificates%20for%20Workflow%20Manager%20and%20Service%2C%20you%20may%20proceed%20with%20the%20process%20without%20applying%20WFM1.0%20CU4%20and%20WFM1.0%20CU5%20if%20you%20meet%20the%20following%20conditions%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EStill%20part%20of%20the%20WFM%20farm%20during%20process%3C%2FLI%3E%0A%3CLI%3EEnsure%20that%20WFM%20powershell%20commands%20%22Get-WFFarm%22%20and%20%22Get-SBFarm%22%20certificate%20results%20have%20%22IsGenerated%3DTrue%22%3C%2FLI%3E%0A%3CLI%3EIf%20WFM%20farm%20is%20a%203%20node%20farm%2C%20have%20WFMNode2%20and%20WFMNode3%20leave%20the%20WFM%20farm%20using%20Workflow%20Manager%20Configuration%20Wizard.%20To%20determine%20which%20is%20the%20primary%20WFM%20node%20or%20WFMNode1%20-%20go%20to%20IIS%20and%20validate%20Workflow%20Management%20Website%20bindings%20for%20HTTPS%20and%20server%20name%20of%20primary%20WFM%20node%20should%20be%20displayed.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EThe%20process%20to%20reset%20WFM%20Passphrase%20and%20reset%20certificate%20generation%20key%3A%3C%2FP%3E%0A%3CP%3E1)%20Run%20below%20WFM%20powershell%20command%20to%20change%20passphrase%20and%20thumbprints%3A%3C%2FP%3E%0A%3CP%3E%24CertKey%3Dconvertto-securestring%20%E2%80%98%3CSTRONG%3EPASSPHRASE%3C%2FSTRONG%3E%E2%80%99%20-asplaintext%20-force%3B%3C%2FP%3E%0A%3CP%3ESet-WFCertificateAutoGenerationKey%20%E2%80%93Key%20%24CertKey%3C%2FP%3E%0A%3CP%3ESet-SBCertificateAutogenerationKey%20%E2%80%93Key%20%24CertKey%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThen%20run%3A%3C%2FP%3E%0A%3CP%3EStop-SBFarm%3C%2FP%3E%0A%3CP%3EUpdate-SBHost%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThis%20step%20will%20create%203%20certificates%20under%20IIS%20Server%20certificates%3A%3C%2FLI%3E%0A%3COL%3E%0A%3CLI%3EService%20Bus%20Root%20Certificate%20%E2%80%93%20%E2%80%98Issued%20To%E2%80%99%20and%20%E2%80%98Issued%20By%E2%80%99%20%3D%20AppServerGeneratedSBCA%3C%2FLI%3E%0A%3CLI%3EService%20Bus%20Encryption%20Certificate%20%E2%80%93%20%E2%80%98Issued%20To%20%3D%20Server%20Name%E2%80%99%20and%20%E2%80%98Issued%20By%E2%80%99%20%3D%20AppServerGeneratedSBCA%3C%2FLI%3E%0A%3CLI%3EWorkflow%20Manager%20Encryption%20Certificate%20-%20%E2%80%98Issued%20To%E2%80%99%20and%20%E2%80%98Issued%20By%E2%80%99%20%3D%20Server%20Name%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CLI%3ENote%20that%20Workflow%20Outbound%20certificate%20is%20not%20populated%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E2)%20Run%20Workflow%20Manager%20Configuration%20Wizard%20-%20leave%20WFM%20farm%20first%20and%20then%20rejoin%20WFM%20farm%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ELeaving%20WFM%20farm%20and%20rejoining%20will%20populate%20Workflow%20Outbound%20certificate%3C%2FLI%3E%0A%3CLI%3ERefresh%20Server%20Certificates%20on%20IIS%2C%20once%20you%20have%20successfully%20rejoined%20WFM%20farm%20to%20view%20certificate%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E3)%20If%20this%20is%20a%203%20Node%20WFM%20farm%2C%20have%20WFMNode2%20and%20WFMNode3%20rejoin%20the%20farm%20-%20new%20certificates%20will%20be%20automatically%20added.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E4)%26nbsp%3BFollow%20below%20article%20to%20export%20WFM%20certificate%20to%20SharePoint%20CA%5CSecurity%5CManage%20Trusts%3A%3C%2FP%3E%0A%3CP%3ESharePoint%202016%3A%20Step%20by%20Step%20guide%20to%20add%20Workflow%20Manager%20Certificate%20into%20SharePoint%20trust%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F34451.sharepoint-2016-step-by-step-guide-to-add-workflow-manager-certificate-into-sharepoint-trust.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F34451.sharepoint-2016-step-by-step-guide-to-add-workflow-manager-certificate-into-sharepoint-trust.aspx%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E5)%20Register%20WFM%20to%20SharePoint%20-%20this%20process%20adds%20new%20Workflow%20Outbound%20certificate%20to%20SP%20CA%5CSecurity%5CManage%20Trusts%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFrom%20Administrative%20SharePoint%20Management%20Shell%2C%20run%20below%20command%20to%20get%20current%20%3CSTRONG%3EWorkflowHostURI%20%3C%2FSTRONG%3Eused%20to%20register%20WFM%20to%20SharePoint%20and%20to%20validate%20Scopename%3A%3C%2FP%3E%0A%3CP%3E%24wfProxy%20%3D%20Get-SPWorkflowServiceApplicationProxy%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%24wfProxy.GetWorkflowServiceAddress((Get-SPSite%20-Limit%201%20-WarningAction%20SilentlyContinue))%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESample%20command%3A%3C%2FP%3E%0A%3CP%3ESample%20command%3A%3C%2FP%3E%0A%3CP%3ERegister-SPWorkflowService%20%E2%80%93SPSite%20%22%3CA%20href%3D%22http%3A%2F%2FFQDN%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2FFQDN%3C%2FA%3E%22%20%E2%80%93%3CSTRONG%3EWorkflowHostUri%3C%2FSTRONG%3E%20%22%3CA%20href%3D%22https%3A%2F%2FWFM.contoso.com%3A12290%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%3CSTRONG%3Ehttps%3A%2F%2FWFM.contoso.com%3A12290%3C%2FSTRONG%3E%3C%2FA%3E%22%20-AllowOAuthhttp%20-force%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESample%20command%20if%20ScopeName%20parameter%20needed%3A%3C%2FP%3E%0A%3CP%3ERegister-SPWorkflowService%20%E2%80%93SPSite%20%22%3CA%20href%3D%22http%3A%2F%2FFQDN%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2FFQDN%3C%2FA%3E%22%20%E2%80%93%3CSTRONG%3EWorkflowHostUri%3C%2FSTRONG%3E%20%22%3CA%20href%3D%22https%3A%2F%2FWFM.contoso.com%3A12290%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%3CSTRONG%3Ehttps%3A%2F%2FWFM.contoso.com%3A12290%3C%2FSTRONG%3E%3C%2FA%3E%22%20-Scopename%20SCOPENAME%20-AllowOAuthhttp%20-force%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E6)%26nbsp%3BTo%20avoid%20users%20getting%20401%20errors%20when%20running%202013%20workflows%2C%20run%20below%20daily%20timer%3A%3CBR%20%2F%3EFrom%20SharePoint%20Central%20Admin%5CMonitoring%5CTimer%20Job%20Definitions%3CBR%20%2F%3ERun%20daily%20timer%20jobs%3A%3CBR%20%2F%3ERefresh%20Trusted%20Security%20Token%20Services%20Metadata%20feed%20%5BFarm%20job%20%E2%80%93%20Daily%5D%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGood%20luck!!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

My certificate will be expiring soon in SP workflow 2013.  I am using the certificate the WFM creates when I setup the WF farm.  I am still on CU3 as I've run into issues in the past.  On a few other farms, I tried installing CU4 and CU5 to get the PowerShell commands to be able to renew the certs.  However, each time the updates stalled out leaving me with no other option but to recreate the WF farm.

 

2 questions:

1. can I just install CU4 and CU5 without needing to remove the WF servers from the farm, stop any services or anything else?

2. Is there a better documented process than this one?

https://dellenny.com/how-to-modify-the-workflow-manager-certificates-before-they-expire-using-auto-g...

1 Reply

@thekurteichler 

The link you had provided is accurate but pertinent information like WFM 1.0 CU5 requires SQL2012 SP4 or above is required and that if you are running SharePoint 2016 then you should be running Service Bus 1.1.

 

But to answer your question in regards to renewing auto-generated certificates for Workflow Manager and Service, you may proceed with the process without applying WFM1.0 CU4 and WFM1.0 CU5 if you meet the following conditions:

  1. Still part of the WFM farm during process
  2. Ensure that WFM powershell commands "Get-WFFarm" and "Get-SBFarm" certificate results have "IsGenerated=True"
  3. If WFM farm is a 3 node farm, have WFMNode2 and WFMNode3 leave the WFM farm using Workflow Manager Configuration Wizard. To determine which is the primary WFM node or WFMNode1 - go to IIS and validate Workflow Management Website bindings for HTTPS and server name of primary WFM node should be displayed.

The process to reset WFM Passphrase and reset certificate generation key:

1) Run below WFM powershell command to change passphrase and thumbprints:

$CertKey=convertto-securestring ‘PASSPHRASE’ -asplaintext -force;

Set-WFCertificateAutoGenerationKey –Key $CertKey

Set-SBCertificateAutogenerationKey –Key $CertKey

 

Then run:

Stop-SBFarm

Update-SBHost

 

  • This step will create 3 certificates under IIS Server certificates:
    1. Service Bus Root Certificate – ‘Issued To’ and ‘Issued By’ = AppServerGeneratedSBCA
    2. Service Bus Encryption Certificate – ‘Issued To = Server Name’ and ‘Issued By’ = AppServerGeneratedSBCA
    3. Workflow Manager Encryption Certificate - ‘Issued To’ and ‘Issued By’ = Server Name
  • Note that Workflow Outbound certificate is not populated

2) Run Workflow Manager Configuration Wizard - leave WFM farm first and then rejoin WFM farm

 

  • Leaving WFM farm and rejoining will populate Workflow Outbound certificate
  • Refresh Server Certificates on IIS, once you have successfully rejoined WFM farm to view certificate

3) If this is a 3 Node WFM farm, have WFMNode2 and WFMNode3 rejoin the farm - new certificates will be automatically added.

 

4) Follow below article to export WFM certificate to SharePoint CA\Security\Manage Trusts:

SharePoint 2016: Step by Step guide to add Workflow Manager Certificate into SharePoint trust

https://social.technet.microsoft.com/wiki/contents/articles/34451.sharepoint-2016-step-by-step-guide...

 

5) Register WFM to SharePoint - this process adds new Workflow Outbound certificate to SP CA\Security\Manage Trusts

 

From Administrative SharePoint Management Shell, run below command to get current WorkflowHostURI used to register WFM to SharePoint and to validate Scopename:

$wfProxy = Get-SPWorkflowServiceApplicationProxy           

$wfProxy.GetWorkflowServiceAddress((Get-SPSite -Limit 1 -WarningAction SilentlyContinue))

 

Sample command:

Sample command:

Register-SPWorkflowService –SPSite "http://FQDN" –WorkflowHostUri "https://WFM.contoso.com:12290" -AllowOAuthhttp -force

 

Sample command if ScopeName parameter needed:

Register-SPWorkflowService –SPSite "http://FQDN" –WorkflowHostUri "https://WFM.contoso.com:12290" -Scopename SCOPENAME -AllowOAuthhttp -force

 

6) To avoid users getting 401 errors when running 2013 workflows, run below daily timer:
From SharePoint Central Admin\Monitoring\Timer Job Definitions
Run daily timer jobs:
Refresh Trusted Security Token Services Metadata feed [Farm job – Daily]

 

Good luck!!