Having a valid SSL certificate is crucial for running Sitecore securely. However, the default self-signed certificates generated during local Sitecore installations expire after one year. Once expired, you'll start seeing errors when trying to access the Sitecore login page or content management interfaces.
Thankfully, renewing Sitecore's expired SSL certificates is straightforward with some key PowerShell commands. In this comprehensive guide, we'll walk through the step-by-step process to:
- Check and remove any expired certificates
- Generate new self-signed certificates
- Assign the certificates to the appropriate IIS sites and application pools
- Update configurations to use the new certificate thumbprints
After following these steps, your local Sitecore instance will once again have valid SSL certificates enabling secure access.
Prerequisites
Before starting, make sure you have:
- Local administrator access to the Sitecore server
- PowerShell 5.1 or later
- SIF module installed
You'll also need to know the names of your Sitecore and xConnect IIS sites. The defaults are typically sc9 and sc9_xconnect.
Find and Remove Expired Certificates
The first step is identifying and removing any expired certificates from the certificate stores.
To see your current certificates, run:
Get-ChildItem Cert:\LocalMachine\MyYou can then filter down to just the expired certs:
Get-ChildItem -Path cert: -Recurse | Where-Object { $_.Thumbprint -like "*D3590ED6A4DCD4BD*" }Once you've identified the expired certificates, remove them by piping the results to Remove-Item:
Get-ChildItem -Path cert: -Recurse | Where-Object { $_.Thumbprint -like "*D3590ED6A4DCD4BD*" } | Remove-ItemRepeat this process for the Cert:\LocalMachine\Root store to remove any outdated root certificates as well.
Generate New Self-Signed Sitecore Certificates
With the old certificates removed, we can now generate new ones with PowerShell and the SIF modules.
To create a certificate for the main Sitecore IIS site (typically sc9), run:
.\Add-SSLSiteBindingWithCertificate.ps1 -SiteName sc9 -Port 443 -HostName sc9.localAnd for xConnect:
.\Add-SSLSiteBindingWithCertificate.ps1 -SiteName sc9_xconnect -HostName sc9_xconnect.localThis will generate new self-signed certificates and automatically assign them to the respective IIS sites.
Generate Client Certificate for xConnect
In addition to the site-level certificates, xConnect also needs a client certificate for authentication. The install-xp0.ps1 script from SIF can handle generating this certificate.
Open the script in an editor, and comment out all sections except for the client certificate part:
# Comment out all sections except:
#region Install Client Certificate For XConnect
Write-Host "Install Client Certificate For XConnect" -ForegroundColor Green
$certParams = @{
Path = "$PSScriptRoot\xConnect-client.pfx"
Password = "test"
}
# Import Certificate
Import-PfxCertificate @certParams
# Give Network Service Permissions
$acl = Get-PfxCertificate -FilePath $certParams.Path
Grant-PermissionToCert $acl.Thumbprint "Network Service"
#endregionSave your changes and run the edited script to generate the new xConnect client certificate.
Update IIS Bindings
At this point, the new certificates are installed but not yet assigned to our IIS sites.
Open IIS Manager, select the Sitecore IIS site (sc9), and go to the Bindings settings. Update the HTTPS binding to use the newly generated cert for the site.
Repeat the same process for the xConnect IIS site to assign its new certificate.
Update Connection Strings and Settings
The last step is to update our configuration files to use the new certificate thumbprints.
In App_Config/AppSettings.config, update the validateCertificateThumbprint setting:
<add key="validateCertificateThumbprint" value="YOUR-NEW-THUMBPRINT" />Then in App_Config/ConnectionStrings.config, update the xConnect collection and certificate thumbprints:
<add name="xconnect.collection" connectionString="https://sc9_xconnect.local" />
<add name="xconnect.collection.certificate" connectionString="StoreName=My;StoreLocation=LocalMachine;FindType=FindByThumbprint;FindValue=YOUR-NEW-XCONNECT-THUMBPRINT"/>That's it! After updating the configs, restart IIS and your local Sitecore instance should now be running with valid SSL certificates again.
Troubleshooting Common SSL Certificate Issues
Here are some common issues and fixes when working with Sitecore certificates:
Sitecore login page doesn't load, getting 403.16 error: This means the client certificate was not assigned permission to the IIS application pool identity. Rerun the Grant-PermissionToCert command to fix.
Invalid client certificate error in logs: The new client certificate thumbprint wasn't updated in xconnect.collection.certificate. Double check the value matches the recently generated cert.
Incorrect SSL validation error: The validateCertificateThumbprint setting wasn't updated with the new Sitecore instance certificate. Verify the thumbprint value is correct.
SSL certificate warning still showing: You may need to close all browsers, clear caches, and restart IIS to fully refresh the new certificates. Also check there aren't old self-signed certs still in the root store.
Conclusion
Keeping Sitecore certificates valid is important for maintaining a secure CMS. This guide provides an easy PowerShell-driven process for regenerating new self-signed certificates and assigning them properly for local Sitecore instances.
With the steps outlined here, you can proactively renew your Sitecore certificates before they expire and avoid disruptions from invalid SSL errors. Automating portions of the renewal process can further simplify keeping your certificates up-to-date.
