Update the certificates in Sitecore 9.3

When the certificates bound to your Sitecore website and the supporting sites (xConnect and its services) expire, various errors start appearing on the Sitecore Analytics dashboard because the connection to xConnect is broken.

We ran into this recently, so I am jotting down these notes for myself.

Steps to follow:

  1. Install the new certificate on the respective servers (we had a wildcard certificate, so we installed it on both the CM and CD servers).
  2. Add the certificate to the website's binding in IIS.
  3. Note down the thumbprint of the certificate.
  4. Open the ConnectionStrings.config of the Sitecore website and update the thumbprint in the following fields:
    a. sitecore.reporting.client.certificate
    b. xconnect.collection.certificate
    c. xdb.marketingautomation.operations.client.certificate
    d. xdb.marketingautomation.reporting.client.certificate
    e. xdb.referencedata.client.certificate
  5. Open Sitecore.IdentityServer.Host.xml in the Production folder of the Identity Server and update the certificate thumbprint.
  6. Open the AppSettings.config of xConnect and update the following field:
    a. validateCertificateThumbprint
  7. Next, update the thumbprint for the MarketingAutomation service, which lives under App_Data of xConnect.
  8. Open the ConnectionStrings.config of the MA service and update the thumbprint value in the following field:
    a. xconnect.collection.certificate
  9. Do the same for the IndexWorker and the Processing Engine.
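Steps 3 to 9 are the same edit repeated across several config files, and it is easy to miss one or to paste a thumbprint for a certificate that is itself already expired or has no private key. The PowerShell below is an added example, not a script from the original post or from Sitecore: it first checks the new certificate in the LocalMachine\My store, then backs up and rewrites each file. All file paths are placeholders for your own installation, and the element location used for the Identity Server file is an assumption, so the XPath searches the whole document.

```powershell
# Added example, not part of the original post: roll a renewed certificate's
# thumbprint through the Sitecore 9.3 config files listed in steps 4-9, after
# checking that the certificate is actually usable. All paths are placeholders.

function Test-NewCertificate {
    param([string]$Thumbprint)
    # The thumbprint must resolve to a LocalMachine\My certificate that is not yet
    # expired and carries a private key; otherwise xConnect calls keep failing.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    if ($cert.NotAfter -le (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    return $cert
}

function Backup-ConfigFile {
    param([string]$Path)
    # Keep a timestamped copy so a bad edit can be rolled back quickly.
    Copy-Item -Path $Path -Destination "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
}

function Update-ConnectionStringThumbprints {
    param([string]$Path, [string[]]$Names, [string]$Thumbprint)
    # Entries look like:
    # <add name="xconnect.collection.certificate"
    #      connectionString="StoreName=My;StoreLocation=LocalMachine;FindType=FindByThumbprint;FindValue=<old>" />
    [xml]$xml = Get-Content -Path $Path -Raw
    Backup-ConfigFile -Path $Path
    foreach ($node in $xml.SelectNodes('/connectionStrings/add')) {
        $name = $node.GetAttribute('name')
        if ($Names -notcontains $name) { continue }
        $old = $node.GetAttribute('connectionString')
        $new = $old -replace 'FindValue=[^;"]*', "FindValue=$Thumbprint"
        $node.SetAttribute('connectionString', $new)
        Write-Host "$Path : $name`n  $old`n  -> $new"
    }
    $xml.Save($Path)
}

function Update-AppSettingThumbprint {
    param([string]$Path, [string]$Thumbprint)
    # xConnect AppSettings.config: <add key="validateCertificateThumbprint" value="<old>" />
    [xml]$xml = Get-Content -Path $Path -Raw
    Backup-ConfigFile -Path $Path
    $node = $xml.SelectSingleNode('/appSettings/add[@key="validateCertificateThumbprint"]')
    if (-not $node) { throw "validateCertificateThumbprint not found in $Path" }
    Write-Host "$Path : validateCertificateThumbprint $($node.GetAttribute('value')) -> $Thumbprint"
    $node.SetAttribute('value', $Thumbprint)
    $xml.Save($Path)
}

function Update-IdentityServerThumbprint {
    param([string]$Path, [string]$Thumbprint)
    # Sitecore.IdentityServer.Host.xml holds a <CertificateThumbprint> element; where it
    # sits in the tree is assumed here, so the XPath searches the whole document.
    [xml]$xml = Get-Content -Path $Path -Raw
    Backup-ConfigFile -Path $Path
    $node = $xml.SelectSingleNode('//CertificateThumbprint')
    if (-not $node) { throw "CertificateThumbprint element not found in $Path" }
    Write-Host "$Path : CertificateThumbprint $($node.InnerText) -> $Thumbprint"
    $node.InnerText = $Thumbprint
    $xml.Save($Path)
}

# ---- placeholders: edit these for your installation ----
$newThumbprint  = 'NEW-THUMBPRINT-HERE'
$siteConfig     = 'C:\inetpub\wwwroot\<sitecore site>\App_Config\ConnectionStrings.config'
$idsConfig      = 'C:\inetpub\wwwroot\<identity server>\Config\production\Sitecore.IdentityServer.Host.xml'
$xconnectConfig = 'C:\inetpub\wwwroot\<xconnect site>\App_Config\AppSettings.config'
# The MA, IndexWorker and Processing Engine services under xConnect's App_Data
# each carry their own ConnectionStrings.config; list those three paths here.
$serviceConfigs = @(
    'C:\inetpub\wwwroot\<xconnect site>\App_Data\<MarketingAutomation service>\App_Config\ConnectionStrings.config',
    'C:\inetpub\wwwroot\<xconnect site>\App_Data\<IndexWorker service>\App_Config\ConnectionStrings.config',
    'C:\inetpub\wwwroot\<xconnect site>\App_Data\<ProcessingEngine service>\App_Config\ConnectionStrings.config'
)

$cert = Test-NewCertificate -Thumbprint $newThumbprint
Write-Host "Using certificate '$($cert.Subject)', valid until $($cert.NotAfter)"

# Step 4: the five client-certificate entries of the Sitecore website
$siteKeys = 'sitecore.reporting.client.certificate',
            'xconnect.collection.certificate',
            'xdb.marketingautomation.operations.client.certificate',
            'xdb.marketingautomation.reporting.client.certificate',
            'xdb.referencedata.client.certificate'
Update-ConnectionStringThumbprints -Path $siteConfig -Names $siteKeys -Thumbprint $newThumbprint

# Step 5: Identity Server; step 6: xConnect
Update-IdentityServerThumbprint -Path $idsConfig -Thumbprint $newThumbprint
Update-AppSettingThumbprint -Path $xconnectConfig -Thumbprint $newThumbprint

# Steps 7-9: the three xConnect services only use xconnect.collection.certificate
foreach ($svcConfig in $serviceConfigs) {
    Update-ConnectionStringThumbprints -Path $svcConfig -Names 'xconnect.collection.certificate' -Thumbprint $newThumbprint
}
```

Run it in an elevated PowerShell on each server that hosts the files, then recycle the app pools and restart the three services as described below. The console output lists the old and new value for every entry it touched, which doubles as a record of which thumbprint each file was previously pointing at; an entry that is skipped or a file that does not contain the expected element raises an error instead of being silently left alone.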

Once you have completed these steps and recycled the app pools, you will think you are done, but when you log in to the Sitecore Launchpad and open Analytics, it will still show the errors.

This is because the IIS_IUSRS group was not given access to the certificate's private key. You can follow the steps in the answer here to grant this permission.

One more point: you will need to restart all three services (Marketing Automation, IndexWorker and Processing Engine) for them to pick up the new thumbprint.

If your CD servers run Windows Server Core, use the PowerShell script below to add this permission.

Import-Module WebAdministration
$siteName = '<Binding Name>'
# Find the site's SSL binding and read the thumbprint of the certificate it uses
$binding = (Get-ChildItem -Path IIS:\SslBindings | Where-Object Sites -eq $siteName)[0]
$certLoc = "cert:\LocalMachine\MY\$($binding.Thumbprint)"
$cert = Get-Item $certLoc
# Locate the private key container file (RSA keys stored by the legacy CSP live under
# MachineKeys; a certificate with a CNG key has no CspKeyContainerInfo and its key
# sits under Microsoft\Crypto\Keys instead)
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys"
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFullPath = Join-Path $keyPath $keyName
# Grant IIS_IUSRS read access to the private key file and write the ACL back
$acl = (Get-Item $keyFullPath).GetAccessControl("Access")
$permission = "IIS_IUSRS", "Read", "Allow"
$accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.AddAccessRule($accessRule)
Set-Acl -Path $keyFullPath -AclObject $acl

Hope it helps..

Thank you.. Keep Learning.. Keep Sitecoring.. 🙂
