Changing my Workflow Manager Farm Certificates
From my experience, one of the situations that most scares anyone administering a WFM farm is changing or updating the certificates.
In fact, there is no reason for that fear, because the process is pretty much straightforward.
See how easy it is.
So, the first step is updating the Service Bus certificates. For that, start a Workflow Manager PowerShell console as an Administrator and run the cmdlets below:
Set-SBCertificate -FarmCertificateThumbprint YourThumbprint -EncryptionCertificateThumbprint YourThumbprint
Stop-SBFarm -Verbose
Update-SBHost
Start-SBFarm
After this step, we need to update the certificates used by the Workflow Manager services:
Set-WFCertificate -SslCertificateThumbprint YourThumbprint -EncryptionCertificateThumbprint YourThumbprint
Stop-WFHost
Update-WFHost
Start-WFHost
If everything went well, these easy steps should do the trick, but as we all know, that is not always the case.
So, as the next step we should check the WFM outbound certificate, since that is where we see the most issues. For that, follow this process.
First, run the cmdlet below:
Get-WFOutboundCertificate -ServiceURI https://nameofyourserver:12290/
If it still returns the old one, do the following:
Set-WFNextOutboundCertificateReference -ServiceURI https://nameofyourserver:12290/ -Thumbprint yourThumbprint
Now if you run the Get-WFOutboundCertificate cmdlet, you should get both the old one and the new one.
Now run the following cmdlet to define the new one as the default for the current Workflow Manager farm:
Set-WFNextOutboundCertificateAsCurrent -ServiceURI https://nameofyourserver:12290/
Now if you run the Get-WFOutboundCertificate cmdlet again, you should get just the new one:
Get-WFOutboundCertificate -ServiceURI https://nameofyourserver:12290/
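The whole rotation above, wrapped in the pre-checks and verification a farm administrator would want, as an added example (this is not code from the original post or from the Workflow Manager product). It assumes the script runs in a Workflow Manager PowerShell console opened as Administrator, that $NewThumbprint and $ServiceURI are placeholders you supply, that the endpoint listens on the default port 12290, and that the objects returned by Get-WFOutboundCertificate expose a Thumbprint property like X509Certificate2 does. The cmdlets and parameters are the ones the post lists; everything around them is the added checking.

```powershell
# Added example, not from the original post: end-to-end certificate rotation for a
# Workflow Manager / Service Bus farm with pre-flight checks and post-checks.
param(
    [Parameter(Mandatory)] [string] $NewThumbprint,   # placeholder: thumbprint of the replacement certificate
    # assumption: WFM management endpoint on the default port 12290 of this host
    [string] $ServiceURI = "https://$([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName):12290/"
)

$ErrorActionPreference = 'Stop'
# Thumbprints pasted from certmgr often carry spaces or hidden characters; normalise first.
$NewThumbprint = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# --- Pre-flight: the certificate must be installed, have a private key, and not be about to expire ---
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "Certificate $NewThumbprint is not installed in LocalMachine\My; install it before assigning it." }
if (-not $cert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key, so the farm cannot use it." }
if ($cert.NotAfter -lt (Get-Date).AddDays(7)) { throw "Certificate $NewThumbprint expires on $($cert.NotAfter); choose a longer-lived one." }

# The SharePoint front ends validate the name, so warn if neither the subject nor a SAN entry carries the FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($cert.Subject -notmatch [regex]::Escape($fqdn) -and @($cert.DnsNameList.Unicode) -notcontains $fqdn) {
    Write-Warning "Certificate subject/SAN does not contain $fqdn; clients will report a name mismatch."
}

# --- Step 1: Service Bus farm and encryption certificate ---
Set-SBCertificate -FarmCertificateThumbprint $NewThumbprint -EncryptionCertificateThumbprint $NewThumbprint
Stop-SBFarm -Verbose
Update-SBHost
Start-SBFarm

# --- Step 2: Workflow Manager SSL and encryption certificate ---
Set-WFCertificate -SslCertificateThumbprint $NewThumbprint -EncryptionCertificateThumbprint $NewThumbprint
Stop-WFHost
Update-WFHost
Start-WFHost

# --- Step 3: outbound signing certificate, rotated only if it did not follow automatically ---
$outbound = @(Get-WFOutboundCertificate -ServiceURI $ServiceURI)
if (@($outbound.Thumbprint) -notcontains $NewThumbprint) {
    # Register the new certificate as "next" (both are listed now), then promote it to current.
    Set-WFNextOutboundCertificateReference -ServiceURI $ServiceURI -Thumbprint $NewThumbprint
    Set-WFNextOutboundCertificateAsCurrent -ServiceURI $ServiceURI
}

# --- Verify: exactly one outbound certificate, and it is the new one ---
$outbound = @(Get-WFOutboundCertificate -ServiceURI $ServiceURI)
if ($outbound.Count -ne 1 -or $outbound[0].Thumbprint -ne $NewThumbprint) {
    throw "Outbound certificate list is [$(@($outbound.Thumbprint) -join ', ')]; expected only $NewThumbprint."
}
Write-Host "Farm now uses $NewThumbprint for Service Bus, Workflow Manager and outbound signing."
```

Save it as, say, Rotate-WfmCertificate.ps1 and run it with the new thumbprint as the only argument. The pre-flight checks exist because every failure mode the comments below describe (certificate not installed, missing private key, name mismatch on the SharePoint side) is cheaper to catch before Stop-SBFarm takes the farm down than after.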
After these steps, you will probably need to patch things up on the SharePoint side, e.g. if you are using your Workflow Manager farm with your SharePoint portal.
Those extra steps would be as below:
- Restart IIS on each of the SharePoint WFEs
- Force the immediate run of the "Refresh Trusted Security Token Services Metadata" timer job
- Add the Workflow Manager Certificate to SharePoint’s trust: https://technet.microsoft.com/en-us/library/jj658589.aspx
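The three SharePoint-side steps above as one script, added here as an example and not taken from the original post or from SharePoint's own tooling. It assumes it runs in the SharePoint Management Shell as a farm administrator on one web front end, that $WfmThumbprint is a placeholder for the Workflow Manager certificate already installed in LocalMachine\My, and that $WebFrontEnds lists the WFE host names. It applies the steps in dependency order: trust the certificate first, then refresh the STS metadata that depends on that trust, then recycle IIS so the front ends pick up both.

```powershell
# Added example, not from the original post: SharePoint-side follow-up after a
# Workflow Manager certificate change.
param(
    [Parameter(Mandatory)] [string]   $WfmThumbprint,                     # placeholder: WFM certificate thumbprint
    [string[]] $WebFrontEnds = @($env:COMPUTERNAME)                       # assumption: names of the SharePoint WFEs
)

$ErrorActionPreference = 'Stop'
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$WfmThumbprint = ($WfmThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 1. Add the Workflow Manager certificate to SharePoint's trusted root authorities (public key only is needed).
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$WfmThumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "Certificate $WfmThumbprint is not in LocalMachine\My on this server." }
$alreadyTrusted = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $WfmThumbprint }
if (-not $alreadyTrusted) {
    New-SPTrustedRootAuthority -Name "Workflow Manager $WfmThumbprint" -Certificate $cert | Out-Null
    Write-Host "Trusted $WfmThumbprint."
} else {
    Write-Host "$WfmThumbprint was already trusted; nothing to add."
}

# 2. Run the metadata refresh now and wait for it to complete instead of waiting for its schedule.
$job = Get-SPTimerJob | Where-Object { $_.Title -eq 'Refresh Trusted Security Token Services Metadata' }
if (-not $job) { throw "Timer job 'Refresh Trusted Security Token Services Metadata' not found." }
$started = Get-Date
Start-SPTimerJob -Identity $job
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $job = Get-SPTimerJob -Identity $job.Id
} until ($job.LastRunTime -ge $started -or (Get-Date) -gt $deadline)
if ($job.LastRunTime -lt $started) {
    Write-Warning "Timer job did not report a run within 5 minutes; check the timer service before continuing."
} else {
    Write-Host "Metadata refresh completed at $($job.LastRunTime)."
}

# 3. Restart IIS on each web front end so the new trust and metadata are loaded.
foreach ($wfe in $WebFrontEnds) {
    Write-Host "Restarting IIS on $wfe"
    & iisreset $wfe /noforce
}
```

The wait loop on LastRunTime matters because Start-SPTimerJob only queues the job; restarting IIS before the refresh has actually run leaves the front ends with the stale metadata this whole step is meant to replace.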
Hope that helps
Cheers
Comments
- Anonymous
April 13, 2017
Hi, is this step valid to change the auto-generated Workflow Outbound certificate to a custom CA certificate? Thanks
- Anonymous
April 13, 2017
Hello Sarath, yes, you can follow the above steps to change that; remember that the certificate needs to be valid and installed prior to being assigned.
- Anonymous
April 13, 2017
Hi Jose, I was going through the steps mentioned in the article (http://www.harbar.net/articles/wfm3.aspx) to update the auto-generated certificates to a CA certificate and noticed the message given below: "we cannot change from an auto-generated Outbound Signing certificate to a CA issued Outbound Signing Certificate. This is a significant constraint of Workflow Manager configuration, even though we can update the certificate, workflows will get "stuck" in their initial stage after doing so, as the Workflow Manager farm thinks it's an auto-generated certificate." I was really worried about reinstalling WFM in order to use the same custom CA certificate for Service Bus, Workflow Manager and the outbound signing certificate. If the above steps are going to work for all of these kinds of certificates, it will save my time.
- Anonymous
April 18, 2017
Hi Jose, with the above commands I've successfully updated the outbound certificate, and the command Get-WFOutboundCertificate gives the correct domain certificate thumbprint. However, Get-WFFarm still returns the old certificate details. Is this a bug? I'm running CU3 in my environment. Regards, Sarath
- Anonymous
April 18, 2017
Hi Sarath, yes, it's indeed a known issue with the Get-WFFarm PowerShell cmdlet. This is because Get-WFFarm retrieves data from the WF Management database and not from the WF Resource Management database, as the Get-WFOutboundCertificate cmdlet does, hence the difference. The workflow runtime is using the thumbprint defined in WF Resource Management, so there should not be any problem. This issue exists even in CU3 and is tracked to be fixed in CU4.
- Anonymous
April 18, 2017
Thanks Jose for the quick update! I've a question outside of this article. Would you be able to help with that? Do you have any article stating the step-by-step procedure for Workflow Manager DR in warm standby mode? I've asked the same in the MS Forum and no reply as of now. Regards, Sarath
- Anonymous
April 27, 2017
Hi Jose, need some quick help. If our SharePoint sites are accessed from an external network, do we need an external certificate as the WF, Service Bus and outbound signing certificate? Or can a domain CA-issued certificate be used without any certificate error?
- Anonymous
April 27, 2017
Hi Sarath, as long as the WFM certificate matches the FQDN of the server and it's installed on the SharePoint front-end servers connected with the WFM farm, you should have no issues.
- Anonymous
May 01, 2017
This was very helpful. I had to replace an expired certificate, and didn't have time to take a Workflow Manager class or dig through the disjoint TechNet information. This is exactly what I needed and it worked perfectly. Thanks much!