2/14/23, 3:48 PM SharePoint 2013/2016/2019: How to replace expired WorkFlow Manager Certificates - Microsoft Community Hub

SharePoint 2013/2016/2019: How to replace expired WorkFlow Manager Certificates

By Luke Rutledge
Published Mar 01 2020 01:30 PM

Below are the steps for resetting expired certificates in a 1 node WFM farm that uses the WFM/SB certificate auto-generation key:

First, some quick notes:

NOTE: Ensure you have the credentials for the WFM Run-As service account and the WFM passphrase (certificate auto-generation key) for the generated certificate.
NOTE: If you have a 3 node WFM farm, WFM2 and WFM3 must leave the WFM farm: change the system date and time on all 3 nodes first, then run the Workflow Manager Configuration Wizard on those nodes to leave the farm.
NOTE: If the WFM passphrase is not known, step 6 lets you change the WFM passphrase as long as you are still part of the WFM farm.
NOTE: If you are running a CA-issued certificate, follow the same process to change the system date and time, then follow the article below to switch to the new certificate thumbprints. Note that the new certificate must be created before the old one's expiration date: https://blogs.msdn.microsoft.com/whereismysolution/2017/02/08/changing-my-workflow-manager-farm-cert...

1. To reset the generation key for WFM and SB, the following must be done on the WFM node(s): the system date and clock of the WFM node must be set back to before the certificate expiration date (if the farm has multiple WFM nodes, do this on every node).
   - Stop the Windows Time Service.
   - Change the system date and clock to the day before the certificate expired (in this example, the cert expired on November 21st, 2024).

https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/sharepoint-2013-2016-2019-how-to-replace-expired-workflow/ba-p/1148650 1/13

2. Steps to follow once the system date and time have been set to before the expiration date:
   - Output the Workflow Manager PowerShell command results to the clipboard and paste them into Notepad (you will need these values again when rejoining the farm).
     TIP: Pipe to "clip" to send the output to the clipboard, then paste it into Notepad.
     Get-WFFarm | clip
     Get-SBFarm | clip
     Get-SBNamespace | clip
     NOTE: The "Get-SBNamespace" command lists the ManageUser accounts; one of those accounts should be the logon credentials you use. The account must also have the SQL permissions required to reset the expired certificates.
   - Run the commands below. After reverting the date and time, all services should display as "Running" before proceeding to the next steps:
     Get-WFFarmStatus
     Get-SBFarmStatus   (there are scenarios where the Service Bus Message Broker service gets stuck at "Starting"; continue to the next step regardless)
   - From an administrative SharePoint Management Shell, run the commands below to get the current WorkflowHostUri used to register WFM with SharePoint:
     $wfProxy = Get-SPWorkflowServiceApplicationProxy
     $wfProxy.GetWorkflowServiceAddress((Get-SPSite -Limit 1 -WarningAction SilentlyContinue))

   - Run the WFM PowerShell commands below to change the passphrase and thumbprints.
     Run these commands to set the certificate keys:
     $CertKey = ConvertTo-SecureString 'PASSPHRASE' -AsPlainText -Force
     Set-WFCertificateAutoGenerationKey -Key $CertKey
     Set-SBCertificateAutogenerationKey -Key $CertKey
     Then run the commands below:
     Stop-SBFarm
     Update-SBHost
   - Run the Workflow Manager Configuration Wizard: we will leave the WFM farm first and then rejoin it. This step is necessary because rejoining the WFM farm later creates the new WFOutboundCertificate for us.
     Steps to leave the WFM farm:
       Open the Workflow Manager Configuration Wizard.
       Choose "Leave Workflow Manager Farm".
       When the Summary page finishes loading, copy the details before clicking the check mark in the lower right corner to start the removal process. These details will be needed later when rejoining the WFM farm.
       When complete, you can close out of the wizard by clicking the check mark again.


     Steps to rejoin the WFM farm:
       Open the Workflow Manager Configuration Wizard.
       Choose "Join an Existing Workflow Manager Farm".
       Fill out the details on the page, then click the Next arrow.
       Fill out the details on the next page, then click the Next arrow.
       Fill out the details on the "Join Service Bus Farm" page, then click the Next arrow.
       Review the Summary page, then click the check box to start the configuration.
       When complete, click the check box.
   - Enable the Windows Time Service; this automatically changes the server back to the current date and time.
   - Follow the steps from this article: SharePoint 2016: Step by Step guide to add Workflow Manager Certificate into SharePoint trust (also install it to the Trusted Root store): https://social.technet.microsoft.com/wiki/contents/articles/34451.sharepoint-2016-step-by-step-guide...
   - Export the WFM client certificate using the command below from the Workflow Manager PowerShell: Get-WFAutoGeneratedCA
     The command above creates the "AutoGeneratedCA.cer" file in the path where the command was executed (default C:\Program Files\WorkFlow Manager\1.0).
   - Copy the "AutoGeneratedCA.cer" file to all SP nodes and web front ends and install the certificate into the Trusted Root Certification Authorities certificate store:
       Copy the file to the SharePoint server(s).


       Right-click the file and select Install Certificate.
       Select "Local Machine" and click Next.
       Select "Place all certificates in the following store", choose "Trusted Root Certification Authorities", then click OK, Next and Finish.


       Choose OK to complete.
       Repeat on each SP server.
     Repeat the same process on each SP server for the certificate that was trusted into SharePoint Manage Trusts earlier, during step 7.
   - Reset IIS on all SP WFEs.
   - Register WFM with SharePoint. Sample command:
     Register-SPWorkflowService -SPSite "http://FQDN.to.SP.site" -WorkflowHostUri "http://FQDN.to.WFM:12291" -AllowOAuthHttp -Force
   - From SharePoint Central Admin, run the daily timer job "Refresh Trusted Security Token Services Metadata feed [Farm job – Daily]", or run it from PowerShell:
     $tj = Get-SPTimerJob RefreshMetadataFeed
     $tj.RunNow()

3. Test one of your 2013 workflows now; it should complete successfully.
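The SharePoint-side part of the procedure above, written as a script that is an added example and not part of the original post: it reports how long the WFM/SB certificates in the local machine store have left (so an expiring auto-generated certificate is noticed before workflows break), then installs the exported AutoGeneratedCA.cer into Trusted Root and SharePoint's trusted root authorities and refreshes the metadata feed. The .cer path, the trust name 'WorkflowManagerAutoGeneratedCA' and the subject filter are assumptions.

```powershell
# Added example, not from the original post. Assumed: the .cer path below (default output of
# Get-WFAutoGeneratedCA), the trust name, and the subject filter used to spot WFM/SB certificates.
param(
    [string]$CaCerPath = 'C:\Program Files\WorkFlow Manager\1.0\AutoGeneratedCA.cer',
    [string]$TrustName = 'WorkflowManagerAutoGeneratedCA',   # assumed display name for the SP trust
    [int]$WarnDays     = 30                                   # warn this many days before expiry
)

# 1. Report every LocalMachine\My certificate that looks WFM/SB related and how long it has left.
#    Running this periodically catches an auto-generated cert before the farm stops working.
function Get-WfmCertificateStatus {
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match 'Workflow|ServiceBus|Service Bus|AutoGenerated' } |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = [int]($_.NotAfter - $now).TotalDays
                Expired    = ($_.NotAfter -lt $now)
            }
        }
}

$status = Get-WfmCertificateStatus
$status | Format-Table -AutoSize
foreach ($c in ($status | Where-Object { $_.Expired -or $_.DaysLeft -le $WarnDays })) {
    Write-Warning ("{0} [{1}] expires {2:d}" -f $c.Subject, $c.Thumbprint, $c.NotAfter)
}

# 2. Trust the exported CA on this SharePoint server: machine Trusted Root store (same result as the
#    MMC click-through above) and SharePoint's trusted root authorities, so OAuth calls to WFM validate.
if (-not (Test-Path $CaCerPath)) { throw "Run Get-WFAutoGeneratedCA first; file not found: $CaCerPath" }
$ca = Import-Certificate -FilePath $CaCerPath -CertStoreLocation Cert:\LocalMachine\Root
Write-Host "Trusted Root now holds $($ca.Subject) [$($ca.Thumbprint)]"

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$caObj = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCerPath)
$already = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $caObj.Thumbprint }
if (-not $already) {
    New-SPTrustedRootAuthority -Name $TrustName -Certificate $caObj | Out-Null
    Write-Host "Added SharePoint trust '$TrustName' for thumbprint $($caObj.Thumbprint)"
}

# 3. Refresh the trusted STS metadata now instead of waiting for the daily timer job.
(Get-SPTimerJob RefreshMetadataFeed).RunNow()
```

Run it in an elevated SharePoint Management Shell on each SP server after copying AutoGeneratedCA.cer there; the first section alone (without the .cer file) is safe to run on any WFM node to check expiry.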

3 Comments

indie1776

Occasional Visitor
May 04 2020 11:17 AM

Hello

I am getting the following error when running the configuration wizard to reconnect the server to the farm.

Configuring Workflow Manager runtime settings.
The remote server returned an error: (401) Unauthorized. Manage claim is required for this operation

The account I am logged in as and the Run As account are both listed in the service bus namespace. I have checked the password of the Run As account and it is correct.

Can you help at all?

Thank you.


Guangming

Occasional Visitor
May 15 2020 09:31 PM

I got the exact problem. I added my account (logged into the server) to the managed user list per this link https://stackoverflow.com/questions/30023884/cannot-join-workflow-farm-add-wfhost . The issue was resolved, then I used ps scripts I saved from earlier step to add host to wf farm.

# Get SB Client Configuration
$SBClientConfiguration = Get-SBClientConfiguration -Namespaces 'WorkflowDefaultNamespace' -Verbose;
# Add WF Host
$WFRunAsPassword = ConvertTo-SecureString -AsPlainText -Force -String 'workflow acct pwd' -Verbose;

$WFCertAutoGenerationKey = ConvertTo-SecureString -AsPlainText -Force -String 'cert gen key - passphrase' -Verbose;

Add-WFHost -WFFarmDBConnectionString 'Data Source=****;Initial Catalog=******;Integrated Security=True;Encrypt=False' -RunAsPassword $WFRunAsPassword -EnableFirewallRules $true -SBClientConfiguration $SBClientConfiguration -EnableHttpPort -CertificateAutoGenerationKey $WFCertAutoGenerationKey -Verbose;


Brian_D_

Senior Member
May 26 2021 03:01 PM

Does leaving/rejoining the farm no longer regenerate the Outbound Certificate in CU5?

I tried leaving/rejoining and it's just saying "This certificate is no longer valid" when rejoining, for the outbound certificate. Graying out the proceed button.

I had to set the date back again to get it to continue -- with the expired Outbound Cert.

Edit: It looks like the old cert thumbprint is being stored in WFManagementDB under table Store.ClusterConfig. I think it's trying to recall it from there?

Edit2: Oh yeah, delete WFManagementDB and SBManagementDB and have it recreate them.
