I am a keen follower of Microsoft's SharePoint Blog and am proud to provide this direct from the Microsoft Tech Community:
Below is a sample for a 1-node WFM farm using the WFM/SB certificate generation key: the process for resetting an expired certificate.
- Ensure you have the credentials for the WFM Run-As service account and the WFM passphrase for the generated certificate.
- To reset the generation key for WFM and SB, the following steps need to be done on the WFM node:
System date and clock of the WFM node must be set back to before the certificate expiration date (this step needs to be done if there are multiple WFM nodes in the farm)
- Stop Windows Time Service
- Change the system date and clock to the day before the certificate expired
Steps to follow once the system date and time have been set to before the expiration date:
- Output the results of the Workflow Manager PowerShell commands to the clipboard and paste them into Notepad:
Pipe each command to "clip" to copy its results to the clipboard, then paste into Notepad:
Get-WFFarm | clip
Get-SBFarm | clip
Get-SBNamespace | clip
Note: the "Get-SBNamespace" command lists the ManageUser accounts. One of those accounts should be the logon credentials used. The account should have the required SQL permissions to reset expired certificates.
- Run the commands below. With the date and time reverted, all services should display as "Running" before you proceed to the next steps:
Get-WFFarmStatus
Get-SBFarmStatus
Note: there are scenarios where the Service Bus Message Broker service gets stuck at "Starting"; regardless, continue to the next step.
- From an administrative SharePoint Management Shell, run the commands below to get the current WorkflowHostURI used to register WFM to SharePoint:
$wfProxy = Get-SPWorkflowServiceApplicationProxy
$wfProxy.GetWorkflowServiceAddress((Get-SPSite -Limit 1 -WarningAction SilentlyContinue))
- Run the WFM PowerShell commands below to change the passphrase and thumbprints (PASSPHRASE stands for the WFM passphrase):
$CertKey = ConvertTo-SecureString 'PASSPHRASE' -AsPlainText -Force
Set-WFCertificateAutoGenerationKey -Key $CertKey
Set-SBCertificateAutoGenerationKey -Key $CertKey
Then run:
Stop-SBFarm
Update-SBHost
- Run the Workflow Manager Configuration Wizard: leave the WFM farm first and then rejoin the WFM farm
- Enable the Windows Time Service; this will automatically change the server back to the current date and time
- SharePoint 2016: Step by Step guide to add Workflow Manager Certificate into SharePoint trust
- Export the WFM client certificate using the command below from Workflow Manager PowerShell:
Get-WFAutoGeneratedCA
- The above command creates the "AutoGeneratedCA.cer" file in the path where the command was executed; the default is C:\Program Files\WorkFlow Manager\1.0
- Copy the "AutoGeneratedCA.cer" file to all SP nodes and Web Frontends, and install the certificate into the Trusted Root Certification Authorities certificate store
- Reset IIS on WFEs
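- Register WFM to SharePoint, using the WorkflowHostURI recorded earlier.
Sample command:
Register-SPWorkflowService -SPSite "http://FQDN" -WorkflowHostUri "http://FQDN:12291" -AllowOAuthHttp -Force
The -AllowOAuthHttp switch permits OAuth over the unencrypted HTTP endpoint used in this sample; it is only needed when the WorkflowHostUri is HTTP.
- From SharePoint Central Admin, run the daily timer job "Refresh Trusted Security Token Services Metadata feed [Farm job – Daily]"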
- Test 2013 workflow
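One way to carry out and verify the Trusted Root install step on each SharePoint node, as an added example that is not part of the original Microsoft post. The function name, the 60-day warning threshold and the C:\Temp path are assumptions.

```powershell
# Added example, not from the original post. Run elevated on each SharePoint node.
# $CerPath and $WarnDays are assumed names/values for illustration.
function Install-WfmCaCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        [int] $WarnDays = 60
    )
    if (-not (Test-Path -LiteralPath $CerPath)) { throw "Certificate file not found: $CerPath" }

    # Load the file without touching any store so it can be inspected first.
    $path = (Resolve-Path -LiteralPath $CerPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
    $now  = Get-Date

    # Check against the real clock (Windows Time re-enabled): a CA outside its
    # validity window today would only reproduce the expired-certificate failure.
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "CA $($cert.Thumbprint) is not valid today (valid $($cert.NotBefore) to $($cert.NotAfter))"
    }

    $store    = 'Cert:\LocalMachine\Root'
    $existing = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $existing) {
        Import-Certificate -FilePath $path -CertStoreLocation $store | Out-Null
    }

    # Assumption: same subject with a different thumbprint is the previous CA.
    # Listed for review only; nothing is removed.
    $older = Get-ChildItem -Path $store |
        Where-Object { $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $cert.Thumbprint }

    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
    if ($daysLeft -lt $WarnDays) {
        Write-Warning "WFM CA expires in $daysLeft days; plan the key reset before it lapses."
    }

    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        DaysLeft         = $daysLeft
        AlreadyInstalled = [bool]$existing
        OlderThumbprints = @($older | ForEach-Object { $_.Thumbprint })
    }
}

# The path is a placeholder for wherever AutoGeneratedCA.cer was copied.
Install-WfmCaCertificate -CerPath 'C:\Temp\AutoGeneratedCA.cer'
```

Comparing the returned Thumbprint across all SP nodes and Web Frontends confirms that every server trusts the same regenerated CA.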
The above is kindly provided by the Microsoft Tech Community!