Renew Sitecore Client Certificate for Sitecore 10 PaaS

4/6/2021

With Sitecore 9 and above, all communication between Sitecore roles happens over HTTPS. This means we need SSL certificates for all the roles. Locally we can do this with self-signed certificates, but on production these need to be valid SSL certificates.

The second layer of Sitecore security is the SSL client certificate on the xConnect server. This means we need to install the client certificate on the xConnect server, and all the XP roles (CM, CD, Processing, Reporting, Marketing Operations, Marketing Reporting, Reference Data, XC Search and Cortex) that talk to the xConnect roles need to specify its thumbprint when talking to xConnect.

For local/DEV purposes, Sitecore provides a config attribute to allow self-signed certificates. If you run into certificate issues locally or on DEV, enable this setting in xConnectWebRoot/App_Config/AppSettings.config:

<add key="AllowInvalidClientCertificates" value="true" />

Coming to renewing this certificate, we need to make changes in a number of places to renew it properly.

First, upload the new certificate to xConnect and remove the old one. Get the thumbprint of the new certificate.

Update each role:

cm: webroot/App_Config/ConnectionStrings.config

cd: webroot/App_Config/ConnectionStrings.config

si: webroot/config/production/Sitecore.IdentityServer.Host.xml

prc: webroot/App_Config/ConnectionStrings.config

rep: N/A

xc-collect: webroot/App_Config/AppSettings.config

xc-search: webroot/App_Config/AppSettings.config 

xc-refdata: webroot/App_Config/AppSettings.config

ma-ops: webroot/App_Config/ConnectionStrings.config && webroot/App_Config/AppSettings.config

ma-rep: webroot/App_Config/AppSettings.config

cortex processing: webroot/App_Config/AppSettings.config && webroot/App_Data/Jobs/Continuous/ProcessingEngine/App_Config/ConnectionStrings.config

cortex processing reporting: webroot/App_Config/AppSettings.config

For all the above roles except xc-collect, set the WEBSITE_LOAD_CERTIFICATES app setting to the new thumbprint so the App Service loads the certificate into the role's certificate store.
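As an added example (not part of the original post or of Sitecore's own tooling), a small Python helper that performs the per-file edit the steps above describe: it normalizes the thumbprint (copying it from the Windows certificate dialog often brings along spaces or an invisible U+200E mark, which makes FindByThumbprint fail silently) and then replaces only the old thumbprint in a config file. It assumes the two shapes those files take: a connectionString of the form `StoreName=My;StoreLocation=LocalMachine;FindType=FindByThumbprint;FindValue=<thumbprint>` and an `<add key="..." value="<thumbprint>" />` app setting.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed connection-string shape used to select the client certificate.
_FIND_VALUE = re.compile(r"(FindType=FindByThumbprint;FindValue=)([0-9A-Fa-f]+)")


def normalize_thumbprint(raw: str) -> str:
    """Return the SHA-1 thumbprint as 40 upper-case hex chars.

    Everything that is not a hex digit (spaces, colons, the U+200E mark the
    Windows certificate dialog adds on copy) is dropped before validation.
    """
    cleaned = "".join(ch for ch in raw.upper() if ch in "0123456789ABCDEF")
    if len(cleaned) != 40:
        raise ValueError(f"not a SHA-1 thumbprint: {raw!r}")
    return cleaned


def swap_thumbprint(path: Path, old: str, new: str) -> int:
    """Replace the old thumbprint with the new one in a single Sitecore config file.

    Covers both forms: <add connectionString="...FindValue=<thumbprint>"/> (as in
    ConnectionStrings.config) and <add key="..." value="<thumbprint>"/> (as in
    AppSettings.config). Only entries carrying the OLD thumbprint are rewritten,
    so other certificates referenced in the same file are left untouched.
    Returns the number of entries changed; the file is only written if > 0.
    """
    old, new = normalize_thumbprint(old), normalize_thumbprint(new)
    tree = ET.parse(path)
    edits = 0
    for add in tree.getroot().iter("add"):
        cs = add.get("connectionString")
        if cs:
            m = _FIND_VALUE.search(cs)
            if m and m.group(2).upper() == old:
                add.set("connectionString", cs[: m.start(2)] + new + cs[m.end(2):])
                edits += 1
        val = add.get("value")
        if val and val.strip().upper() == old:
            add.set("value", new)
            edits += 1
    if edits:
        tree.write(path, encoding="utf-8", xml_declaration=True)
    return edits
```

Run it once per file listed for each role, passing the old and new thumbprints; a return of 0 for a file you expected to change is the signal that the old thumbprint there did not match and should be inspected by hand.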

Hope that renews the xConnect client certificate without any errors on the other roles. Let me know if I missed anything.