none
How can I update Workflow Manager Farm OutboundCertificate?

    Question

  • So I followed the steps written on http://www.harbar.net/articles/wfm3.aspx to update invalid certificates on a Workflow Manager Farm, everything went as Mr. Harbar's post said it would, but then I noticed that the Workflow Farm provides options for changing only the SslCertificate and the EncryptionCertificate and not the OutboundCertificate, ultimately leaving it unchanged.

    My challenges are:

    1. Find a way to update the OutboundCertificate on the Workflow Farm without having to delete all databases (which by the way seems the only option left) or
    2. Understand why the OutboundCertificate is not meant to be changed (or in which case expect it'll never expire) or
    3. Get to know the best practice for this type of configuration.

    Thank you in advance.

    Emilio.

    PS: Service Bus Farm certificates, 2 in total, updated flawlessly.


    • Edited by Emilio León Acta Thursday, August 28, 2014 5:08 PM Added proper post reference
    Thursday, August 28, 2014 5:04 PM

Answers

  • Hi Emilio,

    I have an update, with some good news. The capability to roll the Outbound Signing Certificate was added.
    You can follow the steps in my article series in terms of renewing the Service Bus and Workflow Manager certificates as normal.

    For the Outbound signing certificate, there are two cmdlets which can get you where you need to be.

    Set-WFNextOutboundCertificateReference - pass in the thumbprint of an already installed cert - this tells WFM which cert to use when the roll takes place.

    and

    Set-WFNextOutboundCertificateAsCurrent - which will make the roll happen.

    A little convoluted I know, but it works just fine. I'll be updating my blog series with more details over the next week or so. 


    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Architect | SharePoint
    Microsoft Certified Solutions Master | SharePoint
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007

    Thursday, September 11, 2014 2:34 PM

All replies

  • as mentioned in the article:

    "Watch out for the Outbound Signing certificate, as we cannot change from an auto-generated Outbound Signing certificate to a CA issued Outbound Signing Certificate. This is a significant constraint of Workflow Manager configuration, even though we can update the certificate, workflows will get “stuck” in their initial stage after doing so, as the Workflow Manager farm thinks it’s an auto-generated certificate! If your organisational policy dictates that only CA issued certificates should be used,  then you must initially create the Workflow Manager farm with the correct certificates, as detailed in part four."

    it's simply a scenario that wasn't originally tested, and hence the constraint, it would be useful to understand why you have a requirement to change the ob signing cert - as such evidence is valuable  in pushing for fixes in future updates - which in this case would be exposing the configuration to customers via PowerShell

    there's no best practice here, because cert requirements vary wildly


    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Architect | SharePoint
    Microsoft Certified Solutions Master | SharePoint
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007

    Friday, August 29, 2014 12:51 AM
  • Thanks for the quick reply Mr. Harbar,

    I'm now going to try to explain the situation at hand:

    1. I used one CA issued certificate to configure all 5 certificate requirements between SB and WF.
    2. Meanwhile the CA got its domain name changed (ex. dc1.fabrikam.com to dc2.fabrikam.com).
    3. This somehow invalidated my certificate since it couldn't found its old CA.
    4. We then renewed the certificate, but this always updates the thumbprint too.
    5. I then decided to upgrade all certificates in SB and WF.
    6. This didn't help, since the OutboundCertificate still points to the old thumbprint of the previous certificate.

    I'm now asking myself, if changing the OutboundCertificate invalidates previous workflows, what happens if:

    1. I have to revoke that certificate for some reason.
    2. I have to renew before/after expiration.

    All of these operations change the thumbprint, hence rendering the WF configuration obsolete.

    Another question of mine is, if I leave it in auto-generated for the OB cert, will the platform handle renewals automatically? (although this is not an option for me since the CA doesn't trust other certificates).


    Emilio León Acta http://iologica.com

    Friday, August 29, 2014 2:01 PM
  • OK, so you have a new CA.

    The bottom line is that updating the ob signing cert is broken (missing) and that's a bug. I raised that many moons ago, and admittedly I haven't kept on top of any progress or otherwise with that. I will try and look into it, but with the build you are running, it's not there.

    If this is a blocking issue for you and you cannot rebuild the WF farm with the correct certificates or auto genned certs, then a PSS Case should be raised, they may be able to give you a workaround and it's exactly this sort of feedback which will lead to problems such as this being resolved.

    This is one of many examples of how the overall certificate management side of things is critical, a change of CA is a pretty serious event (outside the context of a SP and WF deployment alone).

    The WF Manager auto gen certs are valid for five years. you can read between the lines as to what that means with respect to renewals :)


    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Architect | SharePoint
    Microsoft Certified Solutions Master | SharePoint
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007

    Friday, August 29, 2014 4:29 PM
  • Hi Emilio,

    I have an update, with some good news. The capability to roll the Outbound Signing Certificate was added.
    You can follow the steps in my article series in terms of renewing the Service Bus and Workflow Manager certificates as normal.

    For the Outbound signing certificate, there are two cmdlets which can get you where you need to be.

    Set-WFNextOutboundCertificateReference - pass in the thumbprint of an already installed cert - this tells WFM which cert to use when the roll takes place.

    and

    Set-WFNextOutboundCertificateAsCurrent - which will make the roll happen.

    A little convoluted I know, but it works just fine. I'll be updating my blog series with more details over the next week or so. 


    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Architect | SharePoint
    Microsoft Certified Solutions Master | SharePoint
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007

    Thursday, September 11, 2014 2:34 PM
  • Hi Mr. Harbar,

    Thank you for the follow up and proper solution, this is great news. For safety reasons we'll be sticking with the newly re-created Workflow Manager and Service Bus farms since, as of this writing, our impact on these is considered very fairly low.

    However, I'll be using this to complete some PowerShell scripts I've been working on in order to deliver them to the security team in order for them to do certificate updates whenever they need them.

    Best regards,


    Emilio León Acta http://iologica.com

    Thursday, September 11, 2014 11:52 PM
  • Hi Guys,

    We tried

    Set-WFNextOutboundCertificateReference and Set-WFNextOutboundCertificateAsCurrent.

    Now when we do a Get-WFOutboundCertificate we get the updated one.

    However Get-WFFarm still returns the old one. Quite Strange. 

    Our setup is with one Domain Cert for all purposes. The stop/update/start procedure was followed.

    Does anyone else experience the same?

    Thursday, September 25, 2014 12:04 PM
  • Hello Ivaylo,

    I ran into similar issues as you described above.

    For the same opened a case with Microsoft Premier Support and it has been confirmed that it is a bug and a fix will be released as a part of CU3 for the same.

    So for now if the updated thumbprint is reflected in the Get-WFOutboundCertificate , then you are good to go.

    The workflows will work perfectly.

    Posting it here so that it helps others :D

    Mr. Spence Harbar, your blog is by far the most comprehensive resource I have found on a multiple of SharePoint related stuff. Kudos to you !!

    Cheers!

    Nitin

    Tuesday, August 11, 2015 3:09 AM