SharePoint Workflow Manager: Reset the Certificate Generation Key

Update 4/18/23: This content has been published as “official” documentation on learn.microsoft.com. See Reset Certificate Generation Key for SharePoint Workflow Manager.

The SharePoint Workflow Manager (SPWFM) Certificate Generation Key is similar to the SharePoint farm passphrase in that you need it to join a SPWFM farm. When joining an existing SPWFM farm, for example during an upgrade or migration, the workflow configuration wizard prompts you for it.

If you did not document this key when first configuring the workflow farm and do not know what it is, reset it before any node leaves the workflow farm (for example, ahead of an upgrade or migration), because you will be prompted for it when that node rejoins.

Important! Resetting the Certificate Generation Key will also result in new Workflow and Service Bus certificates being generated. You will need to take extra steps to make sure the SharePoint servers trust these new certificates. Failure to do so will result in all 2013-platform workflows failing.

Reset the Key

You can use the following PowerShell script to reset the key, but you must run it on a SPWFM server that is still joined to the workflow farm. If you have multiple nodes (hosts) in the workflow farm, it is recommended that you simplify the process by having the other nodes leave the farm first, so that only one node remains.

# Just provide the new certificate key here, for example P@ssWord1
# MAKE SURE YOU DOCUMENT THIS KEY SOMEWHERE SO YOU DON'T HAVE TO REPEAT THIS EXERCISE
$CertKey = ConvertTo-SecureString "P@ssWord1" -AsPlainText -Force

### You should NOT have to change anything below this line ###
# Set the key for WF (Workflow Manager)
$WFdb = (Get-WFFarm).WFFarmDBConnectionString
Set-WFCertificateAutoGenerationKey -WFFarmDBConnectionString $WFdb -Key $CertKey -Verbose
# Force the update on the WF side: the host must be stopped before it can pick up the new key
Stop-WFHost
Update-WFHost -CertificateAutoGenerationKey $CertKey
Write-Host "Starting Workflow Farm.  This could take a few minutes..."
Start-WFHost
# Set the key for SB (Service Bus)
$SBdb = (Get-SBFarm).SBFarmDBConnectionString
Set-SBCertificateAutogenerationKey -SBFarmDBConnectionString $SBdb -Key $CertKey -Verbose
# Force the update on the SB side
Stop-SBFarm
Update-SBHost -CertificateAutoGenerationKey $CertKey
Write-Host "Starting Service Bus Farm.  This could take a few minutes..."
Start-SBFarm
# Some steps you need to take on the SharePoint side
Write-Host -ForegroundColor Yellow "Exporting the new WF endpoint cert to the current directory.  You MUST install this cert on all SharePoint servers."
Write-Host "$PWD\WFsslCert.cer"
Get-WFAutoGeneratedCA -CACertificateFileName WFsslCert.cer
Write-Host -ForegroundColor Yellow "AFTER you have installed $PWD\WFsslCert.cer on your SharePoint servers, you must also run the ""Refresh Trusted Security Token Services Metadata feed"" timer job on the SharePoint side to update the Workflow Outbound certificate."

Trust the new certs on the SharePoint side

As mentioned above, resetting the Certificate Generation Key results in new certificates being generated. These are self-signed certificates that your SharePoint servers will not trust. You must take the following steps to make sure your SharePoint servers trust the new certificates.

  1. Trust the new workflow endpoint certificate on all SharePoint servers. You may have noticed that the PowerShell script above exported this certificate to the current directory as “WFsslCert.cer”. That’s the one your SharePoint servers need to trust. Copy it to each SharePoint server and install it to the Trusted Root Certification Authorities store. See Install Workflow Manager certificates in SharePoint for detailed steps.
  2. Refresh the SPTrustedSecurityTokenIssuer by running the RefreshMetadataFeed timer job on any SharePoint server. You can do that with this PowerShell:
     $tj = Get-SPTimerJob | Where-Object { $_.Name -match "RefreshMetadataFeed" }
     Start-SPTimerJob $tj
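The two SharePoint-side steps above, carried through as one script you can run on each SharePoint server. This is an added example, not code from the original post: it assumes the exported WFsslCert.cer has been copied to C:\Temp\WFsslCert.cer (a placeholder path), that it runs in an elevated SharePoint Management Shell, and it adds the certificate both to the Windows Trusted Root store and to SharePoint's own trust store (New-SPTrustedRootAuthority, which the linked Workflow Manager certificate steps use) before triggering the timer job and showing the token issuer certificates so you can confirm the refresh took effect.

```powershell
# Added example (not part of the original post). Assumed placeholder path for the
# certificate exported by Get-WFAutoGeneratedCA on the workflow server.
param(
    [string]$CertPath = "C:\Temp\WFsslCert.cer"
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

if (-not (Test-Path $CertPath)) { throw "Certificate file not found: $CertPath" }

# 1. Load the certificate and print its thumbprint so the same cert can be verified on every server.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
Write-Host "Workflow CA cert: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"

# 2. Trust it in the Windows LocalMachine Trusted Root Certification Authorities store (per server).
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($inRoot) {
    Write-Host "Already present in Cert:\LocalMachine\Root"
} else {
    Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Imported into Cert:\LocalMachine\Root"
}

# 3. Register it in SharePoint's own trust store. This is farm-wide, so it only happens once;
#    the thumbprint check makes the script safe to re-run on the other servers.
$authorityName = "Workflow Manager CA $($cert.Thumbprint)"
$inSP = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
if (-not $inSP) {
    New-SPTrustedRootAuthority -Name $authorityName -Certificate $cert | Out-Null
    Write-Host "Added SPTrustedRootAuthority '$authorityName'"
}

# 4. Run the RefreshMetadataFeed timer job and wait (up to 5 minutes) for LastRunTime to advance.
$tj = Get-SPTimerJob | Where-Object { $_.Name -match "RefreshMetadataFeed" }
$previousRun = $tj.LastRunTime
Start-SPTimerJob -Identity $tj
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 5
    $tj = Get-SPTimerJob | Where-Object { $_.Name -match "RefreshMetadataFeed" }
} while ($tj.LastRunTime -eq $previousRun -and (Get-Date) -lt $deadline)
if ($tj.LastRunTime -eq $previousRun) {
    Write-Warning "RefreshMetadataFeed did not report a new run within 5 minutes; check the timer service."
} else {
    Write-Host "RefreshMetadataFeed last ran at $($tj.LastRunTime)"
}

# 5. Show the external token issuers and their signing certificates. The workflow entry is the one
#    whose MetadataEndPoint points at the workflow host; its issuer should now be the new CA.
Get-SPTrustedSecurityTokenIssuer |
    Where-Object { -not $_.IsSelfIssuer } |
    Select-Object Name, MetadataEndPoint,
        @{ n = "SigningCertIssuer";    e = { $_.SigningCertificate.Issuer } },
        @{ n = "SigningCertNotBefore"; e = { $_.SigningCertificate.NotBefore } }
```

Run it once per SharePoint server; steps 2 and 5 are per-server checks, while steps 3 and 4 are idempotent and safe to repeat. If the SigningCertNotBefore value for the workflow issuer still predates the key reset after the job has run, the SharePoint side is still using the old Workflow Outbound certificate and workflows will fail until the feed refreshes.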
