Changing Expired Certificate for SharePoint 2013 Workflow Manager

  • Question

  • I have SharePoint 2013 and WFM 1.0 on the same box, and the WFM internal certificate expired and workflows are not starting anymore.

    I tried to renew the certificate from the SharePoint box but it says access denied. When I try to use "Set-WFCertificate" it says:

    Certificate requested with thumbprint 39B47C6D63FADCFD8736239158CF89E918E3CF not found in the 
    certificate store LocalMachine\My.

    Even when I tried this link: http://www.harbar.net/articles/wfm3.aspx and when I reach 

    "Set-SBCertificate -FarmCertificateThumbprint $cert.Thumbprint -EncryptionCertificateThumbprint $cert.Thumbprint"

    It says the same error:

    Set-SBCertificate : Certificate requested with thumbprint 39B47C6D63FADCFD8736239158CF89E918E3CF not found in 
    the certificate store LocalMachine\My.

    How can I update the WFM internal certificate?

    Thursday, July 10, 2014 11:56 AM

All replies

  • Solved after removing and then reinstalling the Workflow Manager

    Tuesday, July 15, 2014 9:52 AM
  • Is this really a solution? Removing and installing again? Is there any other option?
    Tuesday, January 30, 2018 1:53 PM
  • Just change the system date and run the command. You may get only a few seconds to run this command before the date and time sync with Active Directory.

    Shine

    Monday, November 19, 2018 2:42 AM
  • If you do not want to do it the Microsoft official way, which is to reinstall WFM, here is
    the workaround with links. I had my 5-year certs expire this week and it
    took me a while to dig my way out of it. The general concept here is you
    have to time travel (set your system date back prior to the expiration) to get
    WFM & SB to function properly. You will need to create self-signed
    certs during your jump to the past. In my environment, the time &
    date sync happened every 30 minutes so I had time to run the PowerShell before
    it synced back to the current date.

    Overview

    I started with this link, which explains the basic concepts except for the needed time
    travel -- https://docs.microsoft.com/en-us/previous-versions/service-bus-archive/jj712784(v=azure.100)#BMK_SBConfig8
    and more to the point without https://blogs.msdn.microsoft.com/whereismysolution/2017/02/08/changing-my-workflow-manager-farm-certificates/ the
    already expired issue.

    I did not find the "How to renew an expired certificate" section accurate here:
    https://docs.microsoft.com/en-us/previous-versions/service-bus-archive/jj712784(v=azure.100)#BMK_SBConfig8 
    Unless Microsoft tests and updates the section it can be very misleading. 
    It was better for me to ignore it.

    General

    In my case I needed to go from expired generated certificates to custom or self-signed certs
    -- https://docs.microsoft.com/en-us/previous-versions/service-bus-archive/jj712784(v=azure.100)#BMK_SBConfig8.
    I needed to do this since, for Set-SBCertificate to be able to function properly,
    your current (expired for me) and new cert have to overlap. A non-self-signed
    cert can't be created in the past via the change-the-system-date trick.

    I used the CloneCert parameter after setting the system date back to get the new self-signed
    certificate as close to the old (expired) as possible. I did this
    twice per the example in the link below. The 2nd time was for the
    WorkflowOutbound certificate. https://docs.microsoft.com/en-us/previous-versions/service-bus-archive/jj712784(v=azure.100)#BMK_SBConfig8
    And when you are done, don't forget the SharePoint side clean up explained here: https://docs.microsoft.com/en-us/previous-versions/service-bus-archive/jj712784(v=azure.100)#BMK_SBConfig8

    In summary, I replaced two generated certs with two cloned self-signed certs created in the
    past via setting the system date back -- "Date 7/13/2019" at the
    command prompt in my case. You could, once you get it back up, replace the
    two self-signed certs with two domain certs to be more secure. After
    going through all of this and taking many hours to figure it out, just calling
    Microsoft Premier support would have been faster.

    --John



    Thursday, July 18, 2019 7:31 PM
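
A pre-flight check for the certificate swap discussed in this thread, added here as an example; it is not code from any of the posters or from Microsoft. It confirms that both thumbprints resolve in LocalMachine\My (the store named in the error above), that the replacement has a private key, and that the two validity periods overlap. The function name `Test-ReplacementCert`, the placeholder thumbprints, and the reading of "overlap" as intersecting NotBefore/NotAfter ranges are assumptions.

```powershell
# Added example: run before Set-SBCertificate / Set-WFCertificate.
# Test-ReplacementCert is a hypothetical helper name, not a Service Bus or WFM cmdlet.
function Test-ReplacementCert {
    param(
        [Parameter(Mandatory)] [string] $OldThumbprint,
        [Parameter(Mandatory)] [string] $NewThumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    $inputs = @{ Old = $OldThumbprint; New = $NewThumbprint }
    $certs  = @{}
    $result = [ordered]@{}

    foreach ($label in 'Old', 'New') {
        # Drop spaces and invisible characters that can ride along when a
        # thumbprint is pasted from the certificate MMC dialog.
        $tp = ($inputs[$label] -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $result["${label}Thumbprint"] = $tp
        # A SHA-1 thumbprint is exactly 40 hex characters.
        $result["${label}LengthOk"] = ($tp.Length -eq 40)
        $certs[$label] = Get-ChildItem -Path $StorePath |
            Where-Object { $_.Thumbprint -eq $tp } |
            Select-Object -First 1
        $result["${label}InStore"] = [bool]$certs[$label]
    }

    $old = $certs['Old']
    $new = $certs['New']
    if ($old -and $new) {
        $result['OldNotAfter']      = $old.NotAfter
        $result['NewNotBefore']     = $new.NotBefore
        $result['OldExpired']       = ($old.NotAfter -lt (Get-Date))
        $result['NewHasPrivateKey'] = $new.HasPrivateKey
        # Assumed meaning of "overlap": the two validity intervals intersect.
        $result['ValidityOverlaps'] = ($new.NotBefore -le $old.NotAfter) -and
                                      ($old.NotBefore -le $new.NotAfter)
    }

    [pscustomobject]$result
}

# Constructed placeholder thumbprints; substitute the real old and new values.
Test-ReplacementCert -OldThumbprint ('A' * 40) -NewThumbprint ('B' * 40)
```

If `OldInStore` or `NewInStore` is False, or a `LengthOk` value is False, resolve that before running the Set-* cmdlets.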