Blog Post

Microsoft SharePoint Blog
2 MIN READ

WFM Certificate renewal process for SharePoint 2013\2016

Premkumarkc's avatar
Premkumarkc
Icon for Microsoft rankMicrosoft
Apr 23, 2020

Below is a Sample for 1 Node WFM farm using WFM/SB certificate generation key – resetting expired certificate process:

  1. In order to reset generation key for WFM and SB the following steps needs to be done:

System date and clock of WFM node must be set back before certificate expiration date (step needs to be done if multiple WFM nodes in farm)

  1. Ensure you have credentials for WFM Run-As service account and WFM passphrase for generated certificate.

 

  1. In order to reset generation key for WFM and SB the following steps needs to be done WFM node:

System date and clock of WFM node must be set back before certificate expiration date (step needs to be done if multiple WFM nodes in farm)

 

  • Stop Windows Time Service
  • Change System date and clock to Day before certificate expired

 

Steps to follow once System date and time has been set prior to expiration date: 

  1. Output workflow manager powershell commands to clipboard and paste to notepad:

 

////Workflow Manager Powershell results – use “|clip” parameter to output results to clipboard and paste to notepad

 

Get-WFFarm | clip

Get-SBFarm | clip

Get-SBNamespace |clip

 

** “Get-SBNamespace” command will list ManageUser accounts – one of those accounts should be the logon credentials used. Account should have the required SQL permissions to reset expired certificates.

 

  1. Run below commands – reverting date and time should display all services are “Running” before proceeding to next steps:

Get-WFFarmStatus

Get-SBFarmStatus – There are scenarios where Service Bus Message Broker service will get stuck at “Starting”, regardless continue to next step

 

 

  1. From Administrative SharePoint Management Shell, run below command to get current WorkflowHostURI used to register WFM to SharePoint:

$wfProxy = Get-SPWorkflowServiceApplicationProxy           

$wfProxy.GetWorkflowServiceAddress((Get-SPSite -Limit 1 -WarningAction SilentlyContinue))

 

  1. Run below WFM powershell command to change passphrase and thumbprints:

$CertKey=convertto-securestring ‘PASSPHRASE’ -asplaintext -force;

Set-WFCertificateAutoGenerationKey –Key $CertKey

Set-SBCertificateAutogenerationKey –Key $CertKey

 

Then run:

Stop-SBFarm

Update-SBHost

 

  1. Run Workflow Manager Configuration Wizard - leave WFM farm first and then rejoin WFM farm

 

  1. Enable Windows Time Service – this will automatically change server back to current date and time

 

  1. SharePoint 2016: Step by Step guide to add Workflow Manager Certificate into SharePoint trust

https://social.technet.microsoft.com/wiki/contents/articles/34451.sharepoint-2016-step-by-step-guide-to-add-workflow-manager-certificate-into-sharepoint-trust.aspx

 

  1. Export WFM Client certificate using below command from Workflow Manager Powershell:

Get-WFAutoGeneratedCA

 

  • Above command creates “AutoGeneratedCA.cer” file in path where command was executed – default C:\Program Files\WorkFlow Manager\1.0

 

  1. Copy “AutoGeneratedCA.cer” file to all SP nodes and Web Frontends – install certificate to Trusted Root Certification Authorities certificate store

 

  • Reset IIS on WFEs

 

  1. Register WFM to SharePoint -

 

Sample command:

Register-SPWorkflowService –SPSite "http://FQDN" –WorkflowHostUri "http://FQDN:12291" -AllowOAuthhttp -force

 

  1. From SharePoint Central Admin, run daily timer “Refresh Trusted Security Token Services Metadata feed [Farm job – Daily]”
  2. Test 2013 workflow
Updated Aug 27, 2020
Version 2.0
Support
  • Alexandru_Ilie's avatar
    Alexandru_Ilie
    Copper Contributor
    Aug 23, 2021

    Hello great, guide. Helped me replace expired workflow certificates. But now I have some problems reruning failled workflows during the time the service was stopped.

    It took a couple of day before I managed to restart workflow service to a working state.

    Now when I try to run a list workflow i get this error message: Details: An unhandled exception occurred during the execution of the workflow instance. Exception details: System.ApplicationException: HTTP 404 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPClientServiceRequestDuration":["34"],"Cache-Control":["max-age=0, private"],"Set-Cookie":["MLSUIdb8b319cd365e424eabe0171f400363a6=e7a2f790-bae5-49e2-bc3e-6a885f343f6c; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=\/bestillinger","MLSSeIdb8b319cd365e424eabe0171f400363a6=61b4ab31-95ff-44c9-9c70-e85574fb6ab4; expires=Mon, 23-Aug-2021 06:11:24 GMT; path=\/bestillinger"],"Server":["Microsoft-IIS\/8.0"],"X-AspNet-Version":["4.0.30319"],"SPRequestGuid":["e57381a6-8140-e7d9-ac93-81af24e59447"],"request-id":["e57381a6-8140-e7d9-ac93-81af24e59447"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"X-Powered-By":["ASP.NET"],"MicrosoftSharePointTeamServices":["15.0.0.4569"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1; RequireReadOnly"],"Date":["Mon, 23 Aug 2021 05:51:24 GMT"]} at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)

    If i search for thaat correlation id e57381a6-8140-e7d9-ac93-81af24e59447 i get in the uls logs that the item is missing, or might be deleted by the user, which in fact is not true.
    The workflow service is working fine. I'm a little stuck could point in some direction of troubleshooting further.

    Thank you