March 1, 2020

I am a keen follower of Microsoft's SharePoint Blog and am proud to provide this direct from the Microsoft Tech Community:

  Below are the steps for a one-node WFM farm that uses the WFM/SB certificate auto-generation key: the process for resetting an expired certificate.


    First, some quick notes:

  • NOTE: Ensure you have the credentials for the WFM Run-As service account and the WFM passphrase used for the generated certificate.
  • NOTE: If you have a three-node WFM farm, first change the system date and time on all three nodes, then run the Workflow Manager Configuration Wizard on WFM2 and WFM3 to have them leave the WFM farm.
  • NOTE: If the WFM passphrase is not known, the step below that sets the certificate auto-generation key (Set-WFCertificateAutoGenerationKey / Set-SBCertificateAutoGenerationKey) lets you set a new passphrase, as long as the node is still part of the WFM farm.
  • NOTE: If you are running CA-issued certificates, follow the same process to change the system date and time, then follow the article below to switch to the new certificate thumbprints. Note that the new certificate must be created before the old one's expiration date:

    1. To reset the generation key for WFM and SB, the following must first be done on the WFM node(s): set the system date and clock of the WFM node back to before the certificate expiration date (on every node, if the farm has multiple WFM nodes).
      • Stop Windows Time Service
      • Change the system date and clock to the day before the certificate expired (in this example, the cert expired on November 21st, 2024)
    2. Steps to follow once the system date and time have been set to before the expiration date:
      • Output the results of the Workflow Manager PowerShell commands below to the clipboard and paste them into Notepad:
        TIP: Pipe the output to clip.exe (“| clip”) to copy it to the clipboard, then paste into Notepad
        • Get-WFFarm | clip
        • Get-SBFarm | clip
        • Get-SBNamespace | clip
          • NOTE: The “Get-SBNamespace” command lists the ManageUsers accounts; one of those accounts should be the logon credentials you are using. The account must have the SQL permissions required to reset the expired certificates.
      • Run the commands below. After reverting the date and time, all services should display as “Running” before proceeding to the next steps:
        • Get-WFFarmStatus
        • Get-SBFarmStatus – There are scenarios where the Service Bus Message Broker service gets stuck at “Starting”; continue to the next step regardless
      • From an administrative SharePoint Management Shell, run the commands below to get the current WorkflowHostUri used to register WFM with SharePoint:
        • $wfProxy = Get-SPWorkflowServiceApplicationProxy
          $wfProxy.GetWorkflowServiceAddress((Get-SPSite -Limit 1 -WarningAction SilentlyContinue))
      • Run the WFM PowerShell commands below to change the passphrase and thumbprints:
        • Run these commands to set the certificate auto-generation key (the same key is used for WFM and SB):
          • $CertKey = ConvertTo-SecureString 'PASSPHRASE' -AsPlainText -Force
            Set-WFCertificateAutoGenerationKey -Key $CertKey
            Set-SBCertificateAutoGenerationKey -Key $CertKey
        • Then run the commands below:
          • Stop-SBFarm
          • Update-SBHost
      • Run the Workflow Manager Configuration Wizard: we'll leave the WFM farm first and then rejoin it. This step is necessary because rejoining the WFM farm is what creates the new WFOutboundCertificate for us.
        • Steps to leave WFM Farm
          • Open the Workflow Manager Configuration Wizard
          • Choose “Leave Workflow Manager Farm”
          • When the Summary page finishes loading, copy the details before clicking the check mark in the lower right corner to start the removal process. These details will be needed later when we rejoin the WFM farm


          • When complete, close the wizard by clicking the check mark again.
        • Steps to rejoin WFM Farm
          • Open the Workflow Manager Configuration Wizard
          • Choose “Join an Existing Workflow Manager Farm”
          • Fill out the details on the page, then click the Next arrow
          • Fill out the details on the page, then click the Next arrow
          • Fill out the details on the “Join Service Bus Farm” page, then click the Next arrow
          • Review the Summary page, then click the check mark to start the configuration
          • When complete, click the check mark
      • Start the Windows Time Service; it will automatically sync the server back to the current date and time
      • Follow the steps from this article:  SharePoint 2016: Step by Step guide to add Workflow Manager Certificate into SharePoint trust (Also install to Trusted Root store)
      • Export the WFM auto-generated CA certificate by running the command below from Workflow Manager PowerShell: Get-WFAutoGeneratedCA
        • The command above creates the “AutoGeneratedCA.cer” file in the directory the command was run from (by default C:\Program Files\Workflow Manager\1.0)
      • Copy the “AutoGeneratedCA.cer” file to all SP nodes and web front ends and install the certificate into the Trusted Root Certification Authorities certificate store:
          • Copy the file to the SharePoint server(s)
          • Right-click, and select Install Certificate
          • Select “Local Machine” and click Next
          • Select “Place all certificates in the following store”, choose “Trusted Root Certification Authorities”, then click OK, Next and Finish
          • Choose OK to complete
          • Repeat on each SP server
          • Repeat the same process on each SP server for the certificate that was added to SharePoint Manage Trust earlier (the “add Workflow Manager Certificate into SharePoint trust” step above).
          • Reset IIS on all SP WFEs
      • Register WFM with SharePoint
        • Sample command:
        • From SharePoint Central Admin, run the daily timer job “Refresh Trusted Security Token Services Metadata feed [Farm job – Daily]”, or start it from the SharePoint Management Shell:
          • $tj = Get-SPTimerJob RefreshMetadataFeed
            Start-SPTimerJob $tj
    3. Test one of your SharePoint 2013 workflows now; it should complete successfully
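The script below is an added example and is not code from the Microsoft Tech Community article; it wraps the scriptable parts of the procedure above into one PowerShell file with a phase per host role, leaving the Configuration Wizard steps (leave farm, then join existing farm) manual between the first two phases. Everything not in the article is an assumption: the working folder C:\WFMCertReset, the SharePoint host names SP01 and SP02, and the expiry date, which reuses the article's November 21st, 2024 example. Two changes from the article are deliberate: the passphrase is read with Read-Host -AsSecureString instead of being typed as a literal (a literal lands in PSReadLine history and any transcript), and the farm dumps go to a file instead of the clipboard, since they list the run-as account and ManageUsers. Rolling the clock back is a deliberate bypass of certificate validity checking, so while it is in effect Kerberos tickets and anything else on that host that checks a validity window will misbehave: do it in a maintenance window and keep it short.

```powershell
# WFMCertReset.ps1 -- added example, not code from the Microsoft Tech Community article.
# Scriptable parts of the expired-certificate reset for a one-node Workflow Manager (WFM) /
# Service Bus (SB) farm. Wizard steps stay manual. Run order:
#   Rollback     (WFM node, elevated Workflow Manager PowerShell)
#   -> Configuration Wizard: Leave farm, then Join existing farm (manual)
#   AfterRejoin  (WFM node)
#   TrustOnSP    (every SharePoint server, elevated SharePoint Management Shell)
#   Register     (one SharePoint server)
# Assumptions (not from the article): C:\WFMCertReset working folder, SP01/SP02 hosts,
# and the article's example expiry date of 2024-11-21.
param(
    [Parameter(Mandatory)][ValidateSet('Rollback', 'AfterRejoin', 'TrustOnSP', 'Register')]
    [string]$Phase,
    [string]$WorkDir = 'C:\WFMCertReset',
    [datetime]$CertExpiry = '2024-11-21',
    [string[]]$SPServers = @('SP01', 'SP02')
)
$CerFile = Join-Path $WorkDir 'AutoGeneratedCA.cer'

function Invoke-Rollback {
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    # Farm dumps go to files, not the clipboard: they list the run-as account and
    # ManageUsers, and the clipboard is readable by any process in the session.
    Get-WFFarm      | Out-File (Join-Path $WorkDir 'Get-WFFarm.txt')
    Get-SBFarm      | Out-File (Join-Path $WorkDir 'Get-SBFarm.txt')
    Get-SBNamespace | Out-File (Join-Path $WorkDir 'Get-SBNamespace.txt')

    Stop-Service W32Time
    Set-Date -Date $CertExpiry.AddDays(-1).AddHours(12) | Out-Null   # noon on the day before expiry

    # All WFM/SB services should report Running on the rolled-back clock before the key changes.
    Get-WFFarmStatus | Format-Table -AutoSize
    Get-SBFarmStatus | Format-Table -AutoSize   # Message Broker may sit at 'Starting'; continue anyway

    # Prompt for the passphrase instead of a 'PASSPHRASE' literal: a literal ends up in
    # PSReadLine history and transcripts. The same key is used for both WFM and SB.
    $key = Read-Host -Prompt 'Certificate auto-generation passphrase' -AsSecureString
    Set-WFCertificateAutoGenerationKey -Key $key
    Set-SBCertificateAutoGenerationKey -Key $key

    Stop-SBFarm
    Update-SBHost
    Write-Host 'Run the Workflow Manager Configuration Wizard now: Leave farm, then Join existing farm.'
}

function Invoke-AfterRejoin {
    Start-Service W32Time
    w32tm /resync | Out-Null                     # pull the clock back to real time immediately
    Push-Location $WorkDir
    Get-WFAutoGeneratedCA | Out-Null             # writes AutoGeneratedCA.cer into the current directory
    Pop-Location
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
    # Check on the real clock: the exported CA must be valid now, or the reset did not regenerate it.
    if ($ca.NotAfter -lt (Get-Date)) {
        throw "Exported CA $($ca.Thumbprint) expires $($ca.NotAfter); the key reset did not regenerate it."
    }
    "New auto-generated CA: $($ca.Subject)  thumbprint $($ca.Thumbprint)  valid until $($ca.NotAfter)"
    foreach ($sp in $SPServers) {
        New-Item -ItemType Directory -Path "\\$sp\C$\WFMCertReset" -Force | Out-Null
        Copy-Item $CerFile -Destination "\\$sp\C$\WFMCertReset\"
    }
}

function Invoke-TrustOnSP {
    # Machine-level trust: Trusted Root Certification Authorities store, once per server.
    Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
    # SharePoint Manage Trust is farm-scoped, so add the root authority only if it is not there yet.
    $existing = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $ca.Thumbprint }
    if (-not $existing) {
        New-SPTrustedRootAuthority -Name "Workflow Manager CA $($ca.Thumbprint.Substring(0, 8))" -Certificate $ca | Out-Null
    }
    iisreset
}

function Invoke-Register {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $site    = Get-SPSite -Limit 1 -WarningAction SilentlyContinue
    $proxy   = Get-SPWorkflowServiceApplicationProxy
    $hostUri = $proxy.GetWorkflowServiceAddress($site)   # same WorkflowHostUri the farm was registered with
    Register-SPWorkflowService -SPSite $site -WorkflowHostUri $hostUri -Force
    Start-SPTimerJob (Get-SPTimerJob RefreshMetadataFeed) # "Refresh Trusted Security Token Services Metadata feed"
}

switch ($Phase) {
    'Rollback'    { Invoke-Rollback }
    'AfterRejoin' { Invoke-AfterRejoin }
    'TrustOnSP'   { Invoke-TrustOnSP }
    'Register'    { Invoke-Register }
}
```

Run it as `.\WFMCertReset.ps1 -Phase Rollback` on the WFM node, complete the wizard, then `-Phase AfterRejoin` on the same node, `-Phase TrustOnSP` on each SharePoint server and `-Phase Register` on one of them. The NotAfter check in AfterRejoin is the point to stop if the farm rejoin did not produce a fresh CA: pushing an expired CA into the SharePoint trust stores only moves the failure from WFM to SharePoint.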

The above is kindly provided by the Microsoft Tech Community!
