Workflow Manager Certificate Expiration / Renew Certificate
If you are using Workflow Manager 1.0 on SharePoint, you may run into workflows failing because the Workflow Manager and Service Bus certificates expire unexpectedly 5 years after the initial setup. This happens because the certificates generated during setup are not renewed automatically. It may look like a minor issue that a certificate renewal would resolve; however, once the Workflow Manager certificate has expired, Workflow Manager itself stops you from renewing it.
Renewing certificates is not a difficult task in itself, but it gets complicated once the expiry has already happened, because the Workflow Manager PowerShell cmdlets check the certificates while they run and no connection between the farms and Workflow Manager can be established with an expired certificate. The error message you will receive in PowerShell and in the SharePoint logs is as follows:
“Certificate requested with thumbprint … not found in the certificate store”
Unfortunately, Workflow Manager does not notify anyone, and it is unlikely that you set up a notification rule during the initial setup, so you will only realize what has happened once it is too late.
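Because Workflow Manager raises no warning of its own, the check below is worth scheduling on the Workflow Manager server. It is an added example and not part of the original post: it scans the local machine's "My" store for certificates that expire within a chosen number of days and exits non-zero so a scheduled task or monitoring agent can alert on it. The threshold, the subject filter and the store path are assumptions you adjust to your farm.

```powershell
# Added example (not the original post's code): flag certificates in
# LocalMachine\My that expire within $WarnDays days. Narrow $SubjectFilter to
# the Workflow Manager / Service Bus certificate subjects in your farm.
param(
    [int]$WarnDays = 30,
    [string]$SubjectFilter = '*'      # e.g. '*wfm01*' for the farm host name
)

$now = Get-Date
$threshold = $now.AddDays($WarnDays)

# Every certificate whose NotAfter falls before the threshold, soonest first.
$expiring = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $SubjectFilter -and $_.NotAfter -le $threshold } |
    Sort-Object NotAfter |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $now).TotalDays } }

if ($expiring) {
    # Already-expired certificates show a negative DaysLeft.
    $expiring | Format-Table -AutoSize
    Write-Warning "$(@($expiring).Count) certificate(s) expire within $WarnDays days"
    exit 1
}

Write-Output "No certificates in LocalMachine\My expire within $WarnDays days."
exit 0
```

Run it as Administrator (the LocalMachine store needs elevation to enumerate private-key certificates); a Task Scheduler job that runs it weekly and mails on a non-zero exit code is enough to avoid the situation this post describes.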
You may come across posts on the internet that suggest reconfiguring Workflow Manager and migrating the old data. That is indeed the recommended approach, but it is not an easy task. 🙂
One possible workaround is to set the server date back to a point before the expiry and update the certificate while the old one is still considered valid. I would like to go through this method with an example.
Let’s proceed with the dates for the example:
Certificate Expiration Date: July 20th, 2019
Today’s Date: July 21, 2019
It has been one day since the expiration and you have been receiving emails from users stating that workflows are not working. You have checked the logs and noticed the error mentioned above being logged over and over.
- Connect to the Workflow Manager server and set its date to 2 days before the expiration date (July 18th, 2019). You have to be quick, since the date will be reset as soon as the server synchronizes time with Active Directory. If you were not quick enough and the date is reset before you complete the task, simply repeat the task.
- Create a new self-signed certificate in IIS. It will be in PFX format, and since we created it on July 18th, 2019, its expiration date will be July 18th, 2020.
- Import the certificate you just created under “Local storage\my”.
- After the import is done, you have to update the certificate for Service Bus. You may use the PowerShell commands below. Open the Workflow Manager PowerShell console in "Run as Administrator" mode and run them after replacing the <ThumbPrint> fields with the thumbprint of the certificate.
Set-SBCertificate -FarmCertificateThumbprint <ThumbPrint> -EncryptionCertificateThumbprint <ThumbPrint>
Stop-SBFarm -Verbose
Update-SBHost
- Wait for the Workflow Manager server's date to synchronize with Active Directory, or manually revert the date to July 21st, 2019 yourself. Then, use the PowerShell command below to activate the Service Bus farm.
- Set the server date to 2 days before the expiration date (July 18th, 2019).
- Using the commands below, we will update the Workflow Manager certificate. Again, replace <ThumbPrint> with the thumbprint of the certificate you created.
Set-WFCertificate -SslCertificateThumbprint <ThumbPrint> -EncryptionCertificateThumbprint <ThumbPrint>
Stop-WFHost
Update-WFHost
- Wait for the Workflow Manager server's date to synchronize with Active Directory, or manually revert the date to July 21st, 2019 yourself. Then, use the PowerShell commands below to update the Workflow Manager outbound certificate and activate the farm. Replace <ServerName> with the host name from the Workflow Manager binding and <ThumbPrint> with the thumbprint of the certificate.
Start-WFHost
Get-WFOutboundCertificate -ServiceURI http://<ServerName>:12291/
Set-WFNextOutboundCertificateReference -ServiceURI http://<ServerName>:12291/ -Thumbprint <ThumbPrint>
Set-WFNextOutboundCertificateAsCurrent -ServiceURI http://<ServerName>:12291/
- Run the command "iisreset" on the SharePoint farm servers (except the database server) and on the Workflow Manager server, or restart the servers in a controlled manner.
- Go to Central Administration > Monitoring > Review Job Definitions and manually run the timer job "Refresh Trusted Security Token Services Metadata feed".
- Double-click the PFX certificate you created earlier and export it in CER format.
- Upload the certificate you just exported under Central Administration > Security > General Security > Manage Trust > New.
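The steps above chained into one script, as an added example that is not the post's own code. It keeps the page's cmdlets and dates but swaps in a few things the post does manually, all of which are assumptions: New-SelfSignedCertificate and Export-Certificate (PKI module, Windows Server 2012 or later) replace the IIS self-signed certificate and the PFX import, Set-Date rolls the clock, Start-SBFarm is taken as the command that activates the Service Bus farm, and the server name and file path are placeholders. Domain time synchronization can overwrite the clock mid-step, so if a step fails with the "thumbprint ... not found" error, set the date again and rerun from that step.

```powershell
# Added example (not the original post's code). Run in the Workflow Manager
# PowerShell console as Administrator on the Workflow Manager server.
$ServerName = 'wfm01.contoso.local'        # placeholder: host from the WFM binding
$RealDate   = Get-Date '2019-07-21'        # today's real date
$BackDate   = Get-Date '2019-07-18'        # two days before the old cert expired
$CerPath    = 'C:\Temp\wfm-renewed.cer'    # placeholder: CER to upload under Manage Trust

function Set-ClockTo([datetime]$When) {
    # Assumption: Set-Date is used to roll the clock; AD time sync may undo it.
    Set-Date -Date $When | Out-Null
    Write-Output ("Clock set to {0:yyyy-MM-dd}" -f (Get-Date))
}

# 1) Back-date the clock and issue the replacement certificate straight into
#    LocalMachine\My (assumption: replaces the IIS self-signed + import steps).
#    Default validity is one year, matching the July 18th, 2020 expiry above.
Set-ClockTo $BackDate
$cert  = New-SelfSignedCertificate -DnsName $ServerName -CertStoreLocation Cert:\LocalMachine\My
$Thumb = $cert.Thumbprint
if ($cert.NotAfter -le $RealDate) { throw "New certificate already expired relative to $RealDate" }
Write-Output "New certificate $Thumb valid until $($cert.NotAfter)"

# 2) Service Bus: point the farm at the new certificate while back-dated.
Set-SBCertificate -FarmCertificateThumbprint $Thumb -EncryptionCertificateThumbprint $Thumb
Stop-SBFarm -Verbose
Update-SBHost

# 3) Restore the real date and bring the Service Bus farm back up.
Set-ClockTo $RealDate
Start-SBFarm    # assumption: the "activate Service Bus farm" command

# 4) Workflow Manager: same sequence while back-dated.
Set-ClockTo $BackDate
Set-WFCertificate -SslCertificateThumbprint $Thumb -EncryptionCertificateThumbprint $Thumb
Stop-WFHost
Update-WFHost

# 5) Restore the real date, start the host and rotate the outbound certificate.
Set-ClockTo $RealDate
Start-WFHost
$uri = "http://${ServerName}:12291/"
Get-WFOutboundCertificate -ServiceURI $uri
Set-WFNextOutboundCertificateReference -ServiceURI $uri -Thumbprint $Thumb
Set-WFNextOutboundCertificateAsCurrent -ServiceURI $uri

# 6) Restart IIS here; repeat on the SharePoint web and application servers.
iisreset

# 7) Export the public part for the Manage Trust page. The timer job and the
#    upload are done in Central Administration as described above.
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null
Write-Output "Upload $CerPath under Central Administration > Security > Manage Trust"
```

The NotAfter check after issuing the certificate is the one safeguard worth keeping even if you run the steps by hand: if the clock was reset by time sync before New-SelfSignedCertificate ran, the certificate still has a sane validity window, but if it was reset to something earlier than intended, you find out before the farm is reconfigured rather than after.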
That’s it! You will no longer receive error messages about the certificate.
Hello Evren, I have a problem in the latest part:
Set-WFNextOutboundCertificateAsCurrent -ServiceURI http://:12291/
Workflow Manager PowerShell throws this error:
Set-WFNextOutboundCertificateAsCurrent: Cannot set the "Next" outbound certificate as current because 'Next' certificate hasn't been configured in the SigningCertificateReferences configuration
why does this happen?
Thank you in advance for your answer
Hello, so does this list of tasks work? We have one day until our WFOutbound certificate expires. We were able to create the SBCA cert; that is the only one that was registered in the Trusted Certificate list. IIS shows the SBCA and the Server Authenticated certificates, but only the SBCA got registered. Do we have to do the Server Authenticated one manually?
While updating the Workflow Manager outbound certificates, I get the error below. Can you please help?
Get-WFOutboundCertificate : The underlying connection was closed: Could not
establish trust relationship for the SSL/TLS secure channel.