For first versions of Sitecore 9.0 xConnect certificate and client certificate are set to expire each year.
For next versions of Sitecore 9, the certificates are set to expire each 2 year.
I guess everybody knows by now that if you do not have a valid certificate for xConnect or is expired, Sitecore Analytics does not work anymore, and you get all kind of errors in log files.
When it comes to Sitecore certificates and xConnect we are talking about two types of certificates.
A server certificate
Server Certificates are basically used to identify a server. Characteristically this certificate is issued to the hostnames, which could be a host reader – for example Microsoft or any machine name.
A client certificate
Client certificates as the name implies are clearly used to identify a client to a respective user, which means authenticating the client to the server.
A server certificate can be used as a client certificate, especially if the ‘server’ is not public and is visible only for the client. A certificate authority can use extensions to issue a certificate for a specific purpose or multiple puposes:
• anyExtendedKeyUsage (OID 2.5.29.37.0)
• Server Authentication (OID 1.3.6.1.5.5.7.3.1)
• Client Authentication (OID 1.3.6.1.5.5.7.3.2)
• Code Signing (1.3.6.1.5.5.7.3.3)
Make sure you delete expired Sitecore certificates from Local Computer certificate store – makes things much easier moving forward.
To renew xConnect server certificate, use the following PowerShell script that actually creates a new certificate for your domain:
1 | New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "site-prefix.local" -FriendlyName "site-prefix.local" -NotAfter $( [datetime] ::now.AddYears(5)) |
The certificate should be visible in IIS and you can assign it to the xConnect website binding.
To renew xConnect client certificate, run the following PowerShell script that runs only the create certificate SIF part from a Sitecore installation. I used a Sitecore 9.2 script to take advantage of the 2 year validity period for my certificate.
1 2 3 4 5 6 7 8 9 10 11 | Import-Module SitecoreInstallFramework $prefix = "site-prefix" $PSScriptRoot = "d:\Sitecore\Installation Scripts\Sitecore 9.2.0\" $XConnectCollectionService = "site-prefix.xconnect" #install client certificate for xconnect $certParams = @{ Path = "$PSScriptRoot\createcert.json" CertificateName = "$prefix.xconnect_client" } Install-SitecoreConfiguration @certParams -Verbose |
If you did not run the scripts on the server where it is needed you can export both certificates and import them on the server where xConnect is hosted.
Once the certificates are installed on the right server – I used mine for a Sitecore 9.0 installation, make sure you assign the correct right to the client certificate:
- xConnect application pool user
- CM application pool user
If your websites application pools use NetworkService as identity and not ApplicationPoolIndentity, add access for NetworkService.
This can be done from Local Computer certificates store using right click on the certificate and choose Manage Private Keys.
Next, we need to move any non-self-signed certificates from Personal location to Intermediate Certification Authorities store, run the following PowerShell commands:
1 2 3 | Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object { $_ .Issuer -ne $_ .Subject} Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object { $_ .Issuer -ne $_ .Subject} | Move-Item -Destination Cert:\LocalMachine\CA |
The certificates should be good to use now. Server certificate must be associated with https xConnect binding.
From client certificate, take certificate Thumbprint and update old Thumbprint in CM connection string:
Website\App_Config\ConnectionStrings.config
and xConnect application settings:
Website.xconnect\App_Config\AppSettings.config
You may need to restart Sitecore websites for all changes to be reloaded. I made sure with iisreset command everything was up and running.