How can I update Workflow Manager Farm OutboundCertificate?

    Question

  • So I followed the steps written on http://www.harbar.net/articles/wfm3.aspx to update invalid certificates on a Workflow Manager Farm, everything went as Mr. Harbar's post said it would, but then I noticed that the Workflow Farm provides options for changing only the SslCertificate and the EncryptionCertificate and not the OutboundCertificate, ultimately leaving it unchanged.

    My challenges are:

    1. Find a way to update the OutboundCertificate on the Workflow Farm without having to delete all databases (which by the way seems the only option left) or
    2. Understand why the OutboundCertificate is not meant to be changed (or in which case expect it'll never expire) or
    3. Get to know the best practice for this type of configuration.

    Thank you in advance.

    Emilio.

    PS: Service Bus Farm certificates, 2 in total, updated flawlessly.


    • Edited by Emilio León Acta Thursday, August 28, 2014 5:08 PM Added proper post reference
    Thursday, August 28, 2014 5:04 PM

Answers

  • Hi Emilio,

    I have an update, with some good news. The capability to roll the Outbound Signing Certificate was added.
    You can follow the steps in my article series in terms of renewing the Service Bus and Workflow Manager certificates as normal.

    For the Outbound signing certificate, there are two cmdlets which can get you where you need to be.

    Set-WFNextOutboundCertificateReference - pass in the thumbprint of an already installed cert - this tells WFM which cert to use when the roll takes place.

    and

    Set-WFNextOutboundCertificateAsCurrent - which will make the roll happen.

    A little convoluted I know, but it works just fine. I'll be updating my blog series with more details over the next week or so. 


    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Architect | SharePoint
    Microsoft Certified Solutions Master | SharePoint
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007

    Thursday, September 11, 2014 2:34 PM
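A script that strings the two cmdlets above together and checks the outcome, added here as an example (it is not code from this thread or from Spence Harbar's articles). It assumes the Workflow Manager cmdlets are available on the node, that the new certificate is already installed in LocalMachine\My, and that Get-WFFarm accepts -ServiceUri and exposes an OutboundCertificate property with a Thumbprint (as the original question implies); the URI and thumbprint are placeholders you supply.

```powershell
# Roll the Workflow Manager outbound signing certificate and verify the result.
# Added example, not from the thread; assumptions are noted in the comments.
param(
    [Parameter(Mandatory)][string]$ServiceUri,    # e.g. 'https://workflow.contoso.example:12290'
    [Parameter(Mandatory)][string]$NewThumbprint  # 40 hex characters, no spaces
)

$ErrorActionPreference = 'Stop'

# Normalise the thumbprint and reject anything that is not a full SHA-1 value;
# copy/paste from a certificate viewer often drops a character or adds hidden
# whitespace, and a wrong reference is silently accepted by the farm.
$thumb = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) {
    throw "Thumbprint must be 40 hex characters; got $($thumb.Length)."
}

# The reference cmdlet expects an already installed certificate: confirm it is
# in the machine store with a private key before touching farm configuration.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
if (-not $cert)               { throw "Certificate $thumb not found in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key." }

# Step 1: tell the farm which certificate to use when the roll takes place.
Set-WFNextOutboundCertificateReference -Thumbprint $thumb -ServiceUri $ServiceUri

# Step 2: make the roll happen.
Set-WFNextOutboundCertificateAsCurrent -ServiceUri $ServiceUri

# Verify: Get-WFOutboundCertificate must now report the new thumbprint.
$current = Get-WFOutboundCertificate -ServiceUri $ServiceUri
if ($current.Thumbprint -ne $thumb) {
    throw "Roll did not take effect: outbound certificate is $($current.Thumbprint)."
}
Write-Host "Outbound signing certificate is now $thumb"

# Later replies note that Get-WFFarm can still show the old thumbprint on
# affected builds; record the discrepancy instead of treating it as failure.
# Assumption: the farm object exposes OutboundCertificate.Thumbprint.
$farm = Get-WFFarm -ServiceUri $ServiceUri
if ($farm.OutboundCertificate.Thumbprint -ne $thumb) {
    Write-Warning "Get-WFFarm still reports $($farm.OutboundCertificate.Thumbprint); see the thread for the known discrepancy."
}
```

Run it from one Workflow Manager node with an account that can administer the farm; it stops at the first failed check, so a mistyped thumbprint never reaches the farm.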

All replies

  • As mentioned in the article:

    "Watch out for the Outbound Signing certificate, as we cannot change from an auto-generated Outbound Signing certificate to a CA issued Outbound Signing Certificate. This is a significant constraint of Workflow Manager configuration, even though we can update the certificate, workflows will get “stuck” in their initial stage after doing so, as the Workflow Manager farm thinks it’s an auto-generated certificate! If your organisational policy dictates that only CA issued certificates should be used, then you must initially create the Workflow Manager farm with the correct certificates, as detailed in part four."

    It's simply a scenario that wasn't originally tested, and hence the constraint. It would be useful to understand why you have a requirement to change the OB signing cert, as such evidence is valuable in pushing for fixes in future updates, which in this case would be exposing the configuration to customers via PowerShell.

    There's no best practice here, because cert requirements vary wildly.


    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Architect | SharePoint
    Microsoft Certified Solutions Master | SharePoint
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007

    Friday, August 29, 2014 12:51 AM
  • Thanks for the quick reply Mr. Harbar,

    I'm now going to try to explain the situation at hand:

    1. I used one CA issued certificate to configure all 5 certificate requirements between SB and WF.
    2. Meanwhile the CA got its domain name changed (ex. dc1.fabrikam.com to dc2.fabrikam.com).
    3. This somehow invalidated my certificate since it couldn't find its old CA.
    4. We then renewed the certificate, but this always updates the thumbprint too.
    5. I then decided to upgrade all certificates in SB and WF.
    6. This didn't help, since the OutboundCertificate still points to the old thumbprint of the previous certificate.

    I'm now asking myself, if changing the OutboundCertificate invalidates previous workflows, what happens if:

    1. I have to revoke that certificate for some reason.
    2. I have to renew before/after expiration.

    All of these operations change the thumbprint, hence rendering the WF configuration obsolete.

    Another question of mine is, if I leave it in auto-generated for the OB cert, will the platform handle renewals automatically? (although this is not an option for me since the CA doesn't trust other certificates).


    Emilio León Acta http://iologica.com

    Friday, August 29, 2014 2:01 PM
  • OK, so you have a new CA.

    The bottom line is that updating the ob signing cert is broken (missing) and that's a bug. I raised that many moons ago, and admittedly I haven't kept on top of any progress or otherwise with that. I will try and look into it, but with the build you are running, it's not there.

    If this is a blocking issue for you and you cannot rebuild the WF farm with the correct certificates or auto genned certs, then a PSS Case should be raised, they may be able to give you a workaround and it's exactly this sort of feedback which will lead to problems such as this being resolved.

    This is one of many examples of how the overall certificate management side of things is critical, a change of CA is a pretty serious event (outside the context of a SP and WF deployment alone).

    The WF Manager auto gen certs are valid for five years. You can read between the lines as to what that means with respect to renewals :)


    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Architect | SharePoint
    Microsoft Certified Solutions Master | SharePoint
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007

    Friday, August 29, 2014 4:29 PM
  • Hi Mr. Harbar,

    Thank you for the follow up and proper solution, this is great news. For safety reasons we'll be sticking with the newly re-created Workflow Manager and Service Bus farms since, as of this writing, our impact on these is considered very fairly low.

    However, I'll be using this to complete some PowerShell scripts I've been working on in order to deliver them to the security team in order for them to do certificate updates whenever they need them.

    Best regards,


    Emilio León Acta http://iologica.com

    Thursday, September 11, 2014 11:52 PM
  • Hi Guys,

    We tried

    Set-WFNextOutboundCertificateReference and Set-WFNextOutboundCertificateAsCurrent.

    Now when we do a Get-WFOutboundCertificate we get the updated one.

    However, Get-WFFarm still returns the old one. Quite strange.

    Our setup is with one Domain Cert for all purposes. The stop/update/start procedure was followed.

    Does anyone else experience the same?

    Thursday, September 25, 2014 12:04 PM
  • Hello Ivaylo,

    I ran into similar issues as you described above.

    For the same I opened a case with Microsoft Premier Support and it has been confirmed that it is a bug and a fix will be released as a part of CU3 for the same.

    So for now if the updated thumbprint is reflected in the Get-WFOutboundCertificate , then you are good to go.

    The workflows will work perfectly.

    Posting it here so that it helps others :D

    Mr. Spence Harbar, your blog is by far the most comprehensive resource I have found on a multiple of SharePoint related stuff. Kudos to you !!

    Cheers!

    Nitin

    Tuesday, August 11, 2015 3:09 AM
  • Hi Mr. Harbar

    Could you help me out? I think I missed something, or it's because I have multiple WFM servers.

    I followed this as the current certificate already expired.
    I got a new certificate and the thumbprint EA1009644FB03923241E53638581F54A5CB615E

    On my farm, I used 3 SharePoint App servers as WFM manager servers:

    SPIEAPP1, SPIEAPP2, SPIEAPP3 and ServiceUri :  'https://workflow.abvtc.com:12290'

    I followed and issued the PS cmdlets as follows:

    On SPIEAPP1,

    1. Set-WFNextOutboundCertificateReference -Thumbprint 7ea1009644fb03923241e53638581f54a5cb615e -ServiceUri 'https://workflow.abvtc.com:12290'

    Succeeded. No error.

    then

    2. Set-WFNextOutboundCertificateAsCurrent -ServiceUri 'https://workflow.abvtc.com:12290'

    but got the output error.

    Set-WFNextOutboundCertificateAsCurrent : Cannot set the 'Next' outbound
    certificate as current because 'Next' certificate hasn't been configured in
    the SigningCertificateReferences configuration. HTTP headers received from the
    server - ActivityId: e856a2df-9a4d-413b-9f96-f270da6f800e. NodeId:
    SPIEAPP2. Scope: /. Client ActivityId :

    =====
    When I run this on each of the WFM servers (SPIEAPP1, SPIEAPP2, SPIEAPP3),

    the result shows the new certificate thumbprint correctly.

    Get-WFOutboundCertificate -ServiceUri 'https://workflow.abvtc.com:12290'

    Thumbprint                                Subject
    ----------                                -------
    7EA1009644FB03923241E53638581F54A5CB615E  CN=*.ABVTC.com, OU=ABVTC, O...

    Aside from the above, I have not changed the IIS binding to the new certificate or done an IIS reset on each WFM server yet. Do I need to do that?

    Thanks in advance for your advice.


    Swanl


    • Edited by swanl98 Monday, March 19, 2018 7:58 PM added more information
    Monday, March 19, 2018 7:52 PM