
Replacing the Sitecore client certificate on Azure in 5 steps

These instructions are for Sitecore 9.0.1 in an XP1 topology on Azure.

xConnect requires client certificates.
In Azure these certificates are called private certificates.
Because these certificates expire, they need to be replaced.

To make life easier I will describe this process in the 5 steps below:

Step 1
Upload the new certificate (pfx) to Azure using an ARM template or the portal.

Step 2
Get the thumbprint of the new certificate using PowerShell or the portal:


 $ResourceGroupName = "resourcegroup"
 Get-AzureRmWebAppCertificate -ResourceGroupName $ResourceGroupName

When there are multiple certificates, look up the name of the new certificate and assign it to the $authCertificateName variable below.


 # Name of the newly uploaded certificate as shown in the listing above
 $authCertificateName = "newuploadedcertificatename"
 (Get-AzureRmWebAppCertificate -ResourceGroupName $ResourceGroupName | Where-Object {$_.Name -eq $authCertificateName}).Thumbprint

The thumbprint for the new certificate will be used in all configurable items described below.

Step 3
App_Config\AppSettings.config

Change the value for the validateCertificateThumbprint key to the new thumbprint for the following roles:

  • xConnect Collection (xc-collect)
  • Marketing Automation Operations (ma-ops)
  • Marketing Automation Reporting (ma-rep)
  • xConnect Reference Data (xc-refdata)
  • xConnect Search Service (xc-search)

<add key="validateCertificateThumbprint" value="VALUEOFNEWTHUMBPRINT" />

Step 4
App_Config\Connectionstrings.config

Change the thumbprint(s) within the connectionstrings.config for the following roles:

  • Content Delivery

    xconnect.collection.certificate
    xdb.referencedata.client.certificate
    xdb.marketingautomation.operations.client.certificate

  • Content Management

    xconnect.collection.certificate
    xdb.referencedata.client.certificate
    xdb.marketingautomation.reporting.client.certificate
    xdb.marketingautomation.operations.client.certificate

  • Email Experience Manager – Dedicated Delivery Service

    xconnect.collection.certificate
    xdb.referencedata.client.certificate
    xdb.marketingautomation.reporting.client.certificate
    xdb.marketingautomation.operations.client.certificate

  • Marketing Automation Operations

    xconnect.collection.certificate

  • Processing

    xconnect.collection.certificate

Step 5
App Settings Azure App Services

The new thumbprint must also be set in the Azure App Service Application Settings. This needs to be done for the following server role services:

Content Delivery
Content Management
Email Experience Manager – Dedicated Delivery Service
Marketing Automation Operations
Marketing Automation Reporting
Processing

Change the app setting:
WEBSITE_LOAD_CERTIFICATES -> VALUEOFNEWTHUMBPRINT
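
After steps 3 and 4 it is easy to leave one role with the old thumbprint. The script below is an added example, not part of the original instructions: it scans a folder of config files and lists every thumbprint that still differs from the new one. The function name, the sample files and both thumbprints are constructed, and the FindValue=<thumbprint> form of the certificate connection strings is an assumption.

```powershell
# Constructed sample values: 40-character hex strings standing in for real thumbprints
$newThumbprint = "A" * 40
$oldThumbprint = "B" * 40

# Constructed sample files standing in for one role's App_Config folder
$root = Join-Path ([IO.Path]::GetTempPath()) "thumbprint-check-sample"
New-Item -ItemType Directory -Path $root -Force | Out-Null
# Assumption: certificate connection strings carry the thumbprint as FindValue=<thumbprint>
$cert = "StoreName=My;StoreLocation=CurrentUser;FindType=FindByThumbprint;FindValue="
@"
<connectionStrings>
  <add name="xconnect.collection.certificate" connectionString="$cert$newThumbprint" />
  <add name="xdb.referencedata.client.certificate" connectionString="$cert$oldThumbprint" />
</connectionStrings>
"@ | Set-Content -Path (Join-Path $root "ConnectionStrings.config")
@"
<appSettings>
  <add key="validateCertificateThumbprint" value="$oldThumbprint" />
</appSettings>
"@ | Set-Content -Path (Join-Path $root "AppSettings.config")

# Hypothetical helper: returns one object per setting whose thumbprint is not $Expected
function Get-StaleThumbprint {
    param([string]$Path, [string]$Expected)
    $files = Get-ChildItem -Path $Path -Recurse -Include ConnectionStrings.config, AppSettings.config
    foreach ($file in $files) {
        [xml]$xml = Get-Content -Path $file.FullName -Raw
        foreach ($node in $xml.SelectNodes("//add")) {
            $setting = $null; $value = $null
            if ($node.GetAttribute("key") -eq "validateCertificateThumbprint") {
                $setting = $node.GetAttribute("key"); $value = $node.GetAttribute("value")
            }
            elseif ($node.GetAttribute("name") -like "*.certificate" -and
                    $node.GetAttribute("connectionString") -match "FindValue=([^;]+)") {
                $setting = $node.GetAttribute("name"); $value = $Matches[1]
            }
            # -ne on strings is case-insensitive, so hex casing is ignored;
            # any other difference (old value, stray characters) is reported
            if ($setting -and ($value -ne $Expected)) {
                [pscustomobject]@{ File = $file.Name; Setting = $setting; Value = $value }
            }
        }
    }
}

Get-StaleThumbprint -Path $root -Expected $newThumbprint | Format-Table -AutoSize
```

Point -Path at a downloaded copy of each role's App_Config folder; the WEBSITE_LOAD_CERTIFICATES app setting from step 5 is not covered and still has to be checked per App Service.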


ERRORS and WARNINGS
You may see the following log entries while the certificate and/or the configuration is not set correctly:

WARN Could not load device ‘xxx-xxx-xxxx-xxxx’ from the device dictionary.
Message: Ensure definition type did not complete successfully. StatusCode: 401, ReasonPhrase: ‘Invalid certificate’, Version: 1.1, Content: System.Net.Http.StreamContent, Headers:

ERROR Cannot process ‘ProcessSubscriptions’ processor because of internal error
Message: Ensure definition type did not complete successfully. StatusCode: 401, ReasonPhrase: ‘Invalid certificate’, Version: 1.1, Content: System.Net.Http.StreamContent, Headers:

ERROR Cannot start analytics Tracker
Ensure definition type did not complete successfully. StatusCode: 401, ReasonPhrase: ‘Invalid certificate’, Version: 1.1, Content: System.Net.Http.StreamContent, Headers:

ERROR Cannot process ‘ProcessSubscriptions’ processor because of internal error
Message: The certificate was not found

