Reissue Sitecore Certificates

Posted by


There are numerous reasons why you would need to reissue your local Sitecore env. certificates and those can be:

  • Current Certificate are no longer valid (date expiration)
  • Deletion of current certificates (troubleshooting env…)

In basics, Sitecore env. from version 9.0 have multiple applications in their combined system layout.  In simplest deployment layout you will now have seperate xDB application plus Identity application (xDB/xConnect application will be your Analytics application while Identity application handles security). 

Even with simplest layout, described above, applications need to “talk” with each other in secure manners. This is where following areas come in place:

  • SSL 
    • server-to-server or app-to-app communication has Secure Sockets Layer which allow different services on either end to communicate securely 
  • Server Authentication
    • encryption of traffic using SeS certificates and private key
  • Client Certificate Authentication
    • encryption of traffic using CeS certificates and private key

So, as you can see, each application is secured and if it wants to communicate with each other they need to “prove” to each other that they indeed have rights to “talk” to them.

On a default local env. installation, in XPO (all-in-one layout) you will have a total of 3 certificates:

  • Server-Side (SeS) Certificate
    • used for Server Auth.
  • Client-Side (CeS) Certificate
    • used for Client Auth.
  • Root Certificate
    • This is “master” certificate which grants validity to other certificates

There’s limited interaction to User it self, during the installation, where User can interfere with this process. Installation will create Private Keys for Certificates and Certificate data (like Store and Thumbprint) will be copied over to application configs file during the installation process. 

Reissuing Sitecore Certificates

  1. Run PowerShell script

In any case, if your instance is not working, or you have deleted “old” certificates, we will no longer need them. If you have them, and you want to have a “clean state” in your Certificate Stores, you can go ahead and clean “old” Sitecore Root Certificate alongside instance server-side and client-side certificate. 

Be very careful when deleting Sitecore’s Root Certificate. In most cases you will have multiple ones. For each new instance of Sitecore you will have one Root Certificate. If you delete the wrong one, you could break other env. you have on your Local Machine. 

SCRIPT NAMECreate_Sitecore_Certs.ps1
HOW TO USEOpen Powershell ISE as AdministratorCreate new script (first button on the toolbar)Copy/paste the script from here to Powershell ISEAdjust the values in the scriptRun the script (F5 or green “play” button on the toolbar)
COMMENTSThis script will create and import into Certificates Store 4 new certificates:RootSeSCeSIeS
#=====================================================================## This will create Sitecore’s Root Certificate alongside with 3 other# certificate: SeS, CeS and Identity ## Editable fields (in multiple places in the script):#         – NotAfter – change time period for validity of certificate#         – DnsName – change first strip to your instance shortcut#         – FriendlyName  – change first strip to your instance shortcut##=====================================================================
$rootcertificateparams = @{     DnsName = “CP Sitecore Development Root”     KeyLength = 2048    KeyAlgorithm = ‘RSA’    HashAlgorithm = ‘SHA256’    KeyExportPolicy = ‘Exportable’     NotAfter = (Get-Date).AddYears(2)     CertStoreLocation = ‘Cert:\LocalMachine\My’     KeyUsage = ‘CertSign’,’CRLSign’ } 
$rootCA = New-SelfSignedCertificate @rootcertificateparams 
$webparams = @{     DnsName = “cpdevlocal”     FriendlyName = “CP Sitecore Website”     Signer = $rootCA     KeyLength = 2048    KeyAlgorithm = ‘RSA’    HashAlgorithm = ‘SHA256’    KeyExportPolicy = ‘Exportable’     NotAfter = (Get-Date).AddYears(2)     CertStoreLocation = ‘Cert:\LocalMachine\My’ } 
$webCert = New-SelfSignedCertificate @webparams 
$commerceparams = @{     DnsName = “localhost”      FriendlyName = “CP Sitecore Commerce and Identity Server”      Signer = $rootCA      KeyLength = 2048     KeyAlgorithm = ‘RSA’     HashAlgorithm = ‘SHA256’     KeyExportPolicy = ‘Exportable’      KeySpec = ‘Signature’      NotAfter = (Get-Date).AddYears(2)      CertStoreLocation = ‘Cert:\LocalMachine\My’  } 
$commerceCert = New-SelfSignedCertificate @commerceparams
$connectparams = @{     DnsName = “cpdevlocal.xconnect”     FriendlyName = “CP Sitecore xConnect”     Signer = $rootCA     KeyLength = 2048    KeyAlgorithm = ‘RSA’    HashAlgorithm = ‘SHA256’    KeyExportPolicy = ‘Exportable’     NotAfter = (Get-Date).AddYears(2)     CertStoreLocation = ‘Cert:\LocalMachine\My’ } 
$connectCert = New-SelfSignedCertificate @connectparams

Export and Re-Import Root Certificate

If we take a look at the script for a second, you will see that Location in which certificates will be created is LocalMachine. This means we will have our certificates in Computer Certificates

In Windows just search for Computer Certificates. Example:

Once you have Computer Certificate Panel opened up you will see list of “folders” on the left side. Something like this:

We want to go to Personal -> Certificates 

In there, on the right side, you will see a list of multiple certificates, ranging from certificates from you PC, other applications, other Sitecore instances etc. We are interested in the one we created above. If you look at the script and the notes, name for each of the certificates is descriptive. 

Here we have 4 certificates that script should have created. For this step we are interested in the Sitecore Development Root certificate. At the moment he is stored under Personal certificates. We need to move it to Trusted Root Certification Authorities which will give him proper validity upon other certificates. Follow these steps to do that:

  1. Right click the Root Certificate (Sitecore Development Root), and then choose All Tasks > Export
  2. Step through the Certificate Export Wizard with the following options:
    1. Yes, export the private key 
    2. Choose Personal Information Exchange with Include all certificates in the certification path if possible  and Enable certificate privacy
    3. Check the Password checkbox
      1. For password enter secret (into Password and Confirm Password)
    4. Encryption option set to AES256-SHA256
    5. Choose the location to store the certificate on your local hard drive and the file name. You can name it whatever you want, this is just a temporary file from which you will import the certificate in the next step.

Now we need to switch to Trusted Root Certification Authorities in our Computer Certificate Panel and do an import of the certificates we just exported (Root Certificate). Follow these steps to do that:

  1. Go to Trusted Root Certification Authorities -> Certificates
  2. Right click -> All Tasks > Import…
  3. Choose the certificate we exported in previous step
  4. Under Password input secret
  5. Leave other options as they are
  6. “Place all certificates in the following store” should be set to Trusted Root Certification Authorities
  7. Click Finish
  1. Apply Full Rights to client and server side certificates

For this step we will switch back to Personal -> Certificates in our Computer Certificate Panel.

Locate your client and server side certificates (example – devlocal  and devlocal.xconnect). 

Let’s apply proper rights to them. Follow these steps to do that:

  1. Right click on the certificate
  2. All Tasks -> Manage Private Keys
  3. On Security window click Add…
    1. copy/paste the user names into the dialog window and click “Check Names”
    2. if everything is okay click OK
  5. Make sure all of the Users have Full Control enabled

Repeat process for all certificates needed. In XPO we need to do this for client-side certificate and server-side certificate.

  1. Edit IIS Site settings

In XP0 layout of our Sitecore instance, there is just one place where we need to change the certificate which site will be using and that’s xconnect.

  1. Go to IIS Manager and locate your Sitecore’s instance xconnect site. 
  2. Right click ->  Edit Bindings
  3. Choose https binding -> Edit
  4. SSL Certificate should be set to devlocal.xconnect certificate which should be an option in the droplist, or when you click “Select” button
  1. After you select the certificate click “View” button, go to Details tab and copy the value of “Thumbprint” field (you’ll need it in the next step).
  1. Click OK, OK, to confirm your selection. If some warning dialog appears – confirm that you want to accept the change.

  1. Edit Sitecore configuration files

In this final step what’s left is to update configuration files in Sitecore to reflect new Store Location and Thumbprint value.  As the location didn’t change we only need to update Thumbprint value. But make sure if your previous certificate location was at User level to reflect that change in configuration.

Use something like, or your favorite text editor to convert the Thumbprint string (which you have in the clipboard from the previous step) to all-uppercase (because Sitecore always puts it into config files as uppercase).

Change Thumbprint value in following files:

Instance:Sitecore XPO; Authoring
File Location(s):…\App_Config\ConnectionStrings.config

Instance:Sitecore XConnect
File Location(s):…<instance>.xconnect\App_Config\AppSettings.config…<instance>.xconnect\App_data\jobs\continuous\AutomationEngine\App_Config\ConnectionStrings.config

Do a simple replace of old Thumbprint with a new Thumbprint value. Example:

Don’t forget to recycle your instances app pools and restart the applications.

Your instance should now work without any problems. At least, analytics part. You can check that by going into Sitecore and opening up Experience Profile and/or Experience Analytics. 

Both of those should open up and display data (if there is some data – there could be none if it’s a new instance). No errors should be displayed in either of those areas.