“Why did all your SharePoint 2013 workflows stop immediately?” If that question makes you scratch your head, the most likely cause is that your Workflow Manager certificates have expired. This is a very common (and frustrating) scenario that shows itself quietly, until workflows are broken, users are logging support tickets, and your logs are full of unfamiliar token or SSL errors!
Workflow Manager is the heart and soul of SharePoint 2013, 2016, and 2019 workflows. It manages the execution, the communication, and the security of every automated process you create, use, and rely on every day. Like any service that secures its communications, Workflow Manager relies on certificates, and certificates eventually expire. If you don’t know how to replace them properly, you will be stuck looking for a solution!
Unfortunately, the symptoms of expired certificates are serious: workflows may fail to start, authentication errors may appear, and SharePoint-hosted workflow pages may throw errors. The reality is that in 2025 there are still older environments to manage with little (or no) official support, so knowing how to replace Workflow Manager certificates properly is essential!
This guide takes you through a step-by-step approach to replacing expired WFM certificates without breaking your SharePoint farm, so you can get your workflows up and running again. Let’s explore!
Understand the Scenario: What You’re Up Against
Before we jump into the fixes, it is important to understand what is happening behind the scenes, and why expired certificates in Workflow Manager (WFM) can cause your SharePoint workflows to stop completely.
Workflow Manager can be configured in a number of ways. In a smaller environment it may run as a single-node configuration, with one server running all workflows. In a larger, high-availability environment you would have a multi-node, load-balanced configuration.
That typically means a three-node WFM farm, with each node processing workflows. Regardless of which WFM topology you run, every WFM farm uses certificates to secure communication internally between nodes and externally with SharePoint. Resetting those certificates can be fiddly, but once they expire it is unavoidable!
When these certificates expire then SharePoint can no longer trust WFM to execute the workflows. Hence:
- Workflows completely stop working!
- You will see token-related or SSL trust errors in your ULS logs or Event Viewer.
- You will start to see calls between SharePoint and WFM failing silently or generating generic authentication errors.
In extreme cases, admins roll the system clock back to a time before the certificate expired just to buy some time. While this trick does restore workflows, it is not a real fix and can create other system problems. The proper solution is to replace the expired certificates step by step.
Prerequisites & Prep Work

Before you replace expired Workflow Manager certificates, there are some important things to prepare. One or two missing pieces at this stage can mean delays and more potential for problems in your SharePoint environment.
First, make sure that you have the proper credentials:
- You will need access to the Workflow Manager Run-As service account that was used during the WFM setup. You will need it to make the secure configuration changes for your certificates in the Workflow Manager.
- You also need the original Workflow Manager passphrase. This passphrase was used when the certificates were generated and is needed to reset them. If you have lost it, the passphrase can still be reset with a few extra steps (see Troubleshooting & Tips below).
- If you are working on a multi-node WFM farm (e.g. a three-node farm), shut down the secondary nodes before you proceed. This avoids sync issues and limits your updates to one active node.
Then, make a complete backup of:
- The Workflow Manager and Service Bus SQL databases, and
- Any configuration files or scripts that you have used in the past.
Finally, let your team or clients know about the potential downtime. Even if workflows resume quickly, there may be a brief interruption, so set expectations and schedule the maintenance when it is least disruptive.
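The prep work above is easy to script. The following is an added example (not code from the original post or from Microsoft) that snapshots the farm settings you will later have to type back into the Configuration Wizard and takes copy-only backups of the WFM and Service Bus databases. It assumes the WorkflowManager and ServiceBus PowerShell modules are installed on the node, that the SqlServer (or older SQLPS) module is available, and that the databases still have the installer default names; adjust the list if you renamed them.

```powershell
# Added example (not from the original post): snapshot the WFM/SB farm settings and back up
# the databases before touching certificates. Run in an elevated PowerShell on the active WFM node.
# ASSUMPTIONS: the WorkflowManager / ServiceBus PowerShell modules are installed on this node,
# the SqlServer (or SQLPS) module is available, and the database names are the installer defaults.
Import-Module WorkflowManager
Import-Module ServiceBus
Import-Module SqlServer -ErrorAction SilentlyContinue
if (-not (Get-Module SqlServer)) { Import-Module SQLPS -DisableNameChecking }   # older hosts

$backupRoot = "C:\WFMBackup\$(Get-Date -Format 'yyyyMMdd-HHmm')"
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# 1. Record the farm settings you will need when you leave and rejoin the farm.
Get-WFFarm      | Format-List * | Out-File "$backupRoot\WFFarm.txt"
Get-SBFarm      | Format-List * | Out-File "$backupRoot\SBFarm.txt"
Get-SBNamespace | Format-List * | Out-File "$backupRoot\SBNamespace.txt"
Get-Service -DisplayName 'Service Bus*','Workflow Manager*' | Out-File "$backupRoot\Services.txt"

# 2. Pull the SQL instance out of the farm connection string and back up every WFM/SB database.
$wfConn      = (Get-WFFarm).WFFarmDBConnectionString
$sqlInstance = ([System.Data.SqlClient.SqlConnectionStringBuilder]$wfConn).DataSource
$databases = @(   # installer default names (assumption: change these if your farm uses other names)
    'WFManagementDB', 'WFInstanceManagementDB', 'WFResourceManagementDB',
    'SBManagementDB', 'SBGatewayDatabase', 'SBMessageContainer01'
)
foreach ($db in $databases) {
    # COPY_ONLY so the backup chain used by your regular SQL maintenance is not disturbed
    Backup-SqlDatabase -ServerInstance $sqlInstance -Database $db `
        -BackupFile "$backupRoot\$db.bak" -CopyOnly -Verbose
}
Write-Host "Backup and configuration snapshot written to $backupRoot"
```

Keep the text files with the backups: the summary page of the Configuration Wizard shows the same values, but having them on disk before you leave the farm means you are not relying on a screenshot.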
Step By Step Process

Step 1: Roll Back the System Time
First, you’ll want to fool Workflow Manager into thinking that the expired certificate is still valid. On the Workflow Manager server:
- Stop the Windows Time Service so that time coordination doesn’t revert your changes right away.
- Change the server clock on the Workflow Manager server to one day before the certificate’s expiration date.
If you are in a virtual environment and the time resets to the original value:
- Disable host-level or hypervisor time sync.
- Verify that the time change actually stays.
This might feel a little hacky, but it is needed: Workflow Manager will refuse certificate updates while it sees the certificate as expired. This is only a temporary measure to get access, so don’t leave the server in this state any longer than you have to!
Step 2: Reset Certificate Generation Key
Next, reset the key used for certificate auto-generation. On your active WFM node, run the following in the Workflow Manager PowerShell console:
# Passphrase from which the auto-generated certificates are derived (you need it again when rejoining the farm)
$CertKey = ConvertTo-SecureString "YourPassphrase" -AsPlainText -Force

# Workflow Manager: store the new key in the farm database, then update the host so it regenerates its certificates
$WFdb = (Get-WFFarm).WFFarmDBConnectionString
Set-WFCertificateAutoGenerationKey -WFFarmDBConnectionString $WFdb -Key $CertKey -Verbose
Stop-WFHost
Update-WFHost -CertificateAutoGenerationKey $CertKey
Start-WFHost

# Service Bus: the same sequence against the Service Bus farm
$SBdb = (Get-SBFarm).SBFarmDBConnectionString
Set-SBCertificateAutoGenerationKey -SBFarmDBConnectionString $SBdb -Key $CertKey -Verbose
Stop-SBFarm
Update-SBHost -CertificateAutoGenerationKey $CertKey
Start-SBFarm
At this stage you have created brand new self-signed certs for Workflow Manager and Service Bus from your passphrase, so make sure you record the passphrase securely for future use!
Step 3: Leave and Rejoin the Workflow Manager Farm
The new certs require you to leave and then rejoin the WFM farm. To do so:
- Start the Workflow Manager Configuration Wizard and select “Leave Workflow Manager Farm”.
- Before completing the removal, carefully note all the settings shown on the summary page: database names, service accounts, ports, and security settings.
- Once you have left the WFM farm, run the Configuration Wizard again, this time selecting “Join an Existing Workflow Manager Farm”.
- Fill in the information you noted to rejoin the WFM farm: SQL instance names, WFM farm credentials, Service Bus settings, and the Certificate Generation Key from the previous step.
- Rejoining creates a new WFOutboundCertificate and ensures the environment is using the new SSL certificates.
Step 4: Restore Time and Reactivate Time Sync
Now that the certificates are regenerated:
- Restart the Windows Time Service and set the system clock back to the correct time.
- Verify that the Workflow Manager and Service Bus services are running correctly.
- If you have multiple nodes, let the other nodes re-sync their time and rejoin the farm by following the same steps. With the time corrected, your environment is ready to move forward with no further risk of time-related issues.
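Both the clock rollback in Step 1 and the restore in Step 4 are easy to get wrong by hand (forgetting to stop host time sync, or leaving W32Time disabled afterwards). The script below is an added example (not from the original post) that finds the expired certificates in the machine store, sets the clock to one day before the earliest expiry while time sync is stopped, and later puts everything back. It assumes the WFM/Service Bus certificates are in the LocalMachine\My store and can be matched by the subject filter you pass in, and that vmictimesync is the host time-sync service (that is the Hyper-V guest service; other hypervisors need their own tooling, as the step above says).

```powershell
# Added example (not from the original post): Step 1 clock rollback and Step 4 restore.
# Run in an elevated PowerShell on the Workflow Manager node.
# ASSUMPTIONS: the WFM/SB certificates are in Cert:\LocalMachine\My and match $SubjectFilter;
# vmictimesync is the Hyper-V guest time-sync service (absent on other hypervisors, so it is optional).

function Get-ExpiredOrExpiringCert {
    # Lists certificates that are expired or expire within $WithinDays, oldest first
    param([string]$SubjectFilter = '*', [int]$WithinDays = 30)
    $cutoff = (Get-Date).AddDays($WithinDays)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like $SubjectFilter -and $_.NotAfter -le $cutoff } |
        Sort-Object NotAfter |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter,
            @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } }
}

function Set-ClockBeforeExpiry {
    # Step 1: stop time sync, then move the clock to one day before the earliest expired cert
    param([string]$SubjectFilter = '*')
    $oldest = Get-ExpiredOrExpiringCert -SubjectFilter $SubjectFilter -WithinDays 0 |
              Select-Object -First 1
    if (-not $oldest) { throw "No expired certificate matched '$SubjectFilter'." }

    Stop-Service W32Time
    Set-Service  W32Time -StartupType Disabled          # so a reboot does not re-sync mid-change
    if (Get-Service vmictimesync -ErrorAction SilentlyContinue) { Stop-Service vmictimesync }

    Set-Date -Date $oldest.NotAfter.AddDays(-1) | Out-Null
    Write-Host "Clock is now $(Get-Date); cert $($oldest.Thumbprint) expired $($oldest.NotAfter)"
}

function Restore-ClockAndTimeSync {
    # Step 4: re-enable the time services and force a resync from the configured time source
    Set-Service   W32Time -StartupType Automatic
    Start-Service W32Time
    if (Get-Service vmictimesync -ErrorAction SilentlyContinue) { Start-Service vmictimesync }
    Start-Sleep -Seconds 5                               # give W32Time a moment to initialise
    w32tm /resync | Out-Null
    Write-Host "Time sync restored; clock is now $(Get-Date)"
}

# Usage: inspect first, then roll back; call Restore-ClockAndTimeSync once Step 3 is complete
Get-ExpiredOrExpiringCert | Format-Table -AutoSize
# Set-ClockBeforeExpiry -SubjectFilter '*'
# Restore-ClockAndTimeSync
```

Run Get-ExpiredOrExpiringCert on its own first and confirm that the oldest entry really is the Workflow Manager or Service Bus certificate before you let Set-ClockBeforeExpiry move the clock; after Restore-ClockAndTimeSync, check that Get-Date matches a domain controller before you bring secondary nodes back.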
Step 5: Export and Trust the New Certificate in SharePoint
The new certificate must now be trusted by SharePoint. On the WFM server, run:
Get-WFAutoGeneratedCA -CACertificateFileName WFsslCert.cer
- This exports the certificate to a file called WFsslCert.cer.
- Copy the WFsslCert.cer file to each SharePoint server in your farm.
- Add the certificate to the Trusted Root Certification Authorities store using the certificate console.
- Finally, run the “RefreshMetadataFeed” timer job; this refreshes SharePoint so it trusts the new WFM endpoint for token validation:
$tj = Get-SPTimerJob | ? { $_.Name -match "RefreshMetadataFeed" }
Start-SPTimerJob $tj
Step 6: Re-register Workflow Service & Refresh Token Metadata
To re-establish the binding between SharePoint and Workflow Manager:
- Open SharePoint Management Shell with administrator credentials and run:
Register-SPWorkflowService -SPSite "https://your-site" -WorkflowHostUri "https://wf-host:12290" -AllowOAuthHttp -Force
- Make sure to use your site’s URL and the wf-host URI from your environment.
- Re-run the RefreshMetadataFeed timer job to ensure SharePoint has the new certificate thumbprint for validation and signing of tokens.
- This ensures token signing and validation now function with the brand new certificate.
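Steps 5 and 6 together, as one script to run on a SharePoint server. This is an added example, not code from the original post: it imports the exported CA certificate into the machine Trusted Root store (the same thing the certificate console does), registers it with SharePoint’s own trusted root authorities as well, runs the RefreshMetadataFeed job and waits until it has actually executed, and then re-registers the workflow service. The path C:\Temp\WFsslCert.cer, the site URL and the workflow host URI are placeholders for your environment; the trusted root authority name WorkflowManagerCA is an arbitrary label chosen here.

```powershell
# Added example (not from the original post): SharePoint-side trust of the new WFM certificate,
# metadata refresh and workflow service re-registration. Run in SharePoint Management Shell as admin.
# ASSUMPTIONS: WFsslCert.cer was copied to C:\Temp; $siteUrl and $wfHost are placeholders;
# the PKI module (Import-Certificate) is available on the SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath = 'C:\Temp\WFsslCert.cer'
$siteUrl  = 'https://your-site'          # placeholder
$wfHost   = 'https://wf-host:12290'      # placeholder

# 1. Windows trust: Trusted Root Certification Authorities of the local machine (repeat per server)
$cert = Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\Root
Write-Host "Imported '$($cert.Subject)' thumbprint $($cert.Thumbprint) into LocalMachine\Root"

# 2. SharePoint trust (farm-wide, run once): replace any earlier entry with the same name
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$old  = Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq 'WorkflowManagerCA' }
if ($old) { Remove-SPTrustedRootAuthority -Identity $old -Confirm:$false }
New-SPTrustedRootAuthority -Name 'WorkflowManagerCA' -Certificate $x509 | Out-Null

# 3. Refresh the security token metadata and block until the job reports a new run
function Invoke-RefreshMetadataFeed {
    $job = Get-SPTimerJob | Where-Object { $_.Name -match 'RefreshMetadataFeed' } | Select-Object -First 1
    if (-not $job) { throw 'RefreshMetadataFeed timer job not found.' }
    $before = $job.LastRunTime
    Start-SPTimerJob $job
    for ($i = 0; $i -lt 30; $i++) {
        Start-Sleep -Seconds 5
        $job = Get-SPTimerJob -Identity $job.Id        # re-read to pick up the new LastRunTime
        if ($job.LastRunTime -gt $before) { return $job.LastRunTime }
    }
    throw 'RefreshMetadataFeed did not report a new run within 150 seconds.'
}
$ran = Invoke-RefreshMetadataFeed
Write-Host "RefreshMetadataFeed completed at $ran"

# 4. Re-bind SharePoint to the workflow host, then refresh once more so the new signing
#    certificate thumbprint is picked up for token validation
Register-SPWorkflowService -SPSite $siteUrl -WorkflowHostUri $wfHost -AllowOAuthHttp -Force
$ran = Invoke-RefreshMetadataFeed
Write-Host "RefreshMetadataFeed completed again at $ran"

# 5. Read-back: the workflow service application proxy should be online
Get-SPWorkflowServiceApplicationProxy | Select-Object DisplayName, Status
```

Section 1 has to run on every SharePoint server in the farm, while sections 2 to 5 are farm-level and only need to run once; waiting for LastRunTime to move is what tells you the job really executed rather than merely being queued.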
Step 7: Validate the Workflow Handler
Lastly, check whether workflows are running again as intended:
- If possible, start a known workflow from a SharePoint list or document library.
- Confirm that it completes as expected, with no signs of having faced an SSL trust or token error.
If you see errors:
- Examine the IIS logs, Windows Event Viewer and/or Service Bus logs for messages like “SSL policy error” or “Invalid token signature”.
- Confirm that the Service Bus Message Broker and Service Bus Gateway services are running; the Service Bus certificates were replaced too, so its services must be healthy for SharePoint to talk to WFM.
- Consider resetting the passphrase or re-running the certificate generation, particularly if the farm was not updated correctly.
- For the most persistent errors, some admins recommend fully recreating the WFM farm using a disaster recovery procedure.
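To make the checks above repeatable, here is an added health-check script (not from the original post). From a SharePoint server it probes the workflow host over HTTPS and distinguishes a TLS trust failure from a normal HTTP error; on the WFM node it reports the state of the Service Bus and Workflow Manager services and pulls recent error events that mention SSL or token problems. The host URI is a placeholder; the operational log names Microsoft-Workflow/Operational and Microsoft-ServiceBus/Operational are assumed to be the ones the products create and are skipped quietly where they do not exist.

```powershell
# Added example (not from the original post): post-change health check for Step 7.
# ASSUMPTIONS: https://wf-host:12290 is a placeholder; the two product event logs named below
# exist on the WFM node (they are skipped silently elsewhere).

function Test-WfmEndpointTrust {
    # A TLS trust failure surfaces as an exception with no HTTP response; an HTTP 401/403
    # from an unauthenticated probe means the handshake succeeded and the cert is trusted.
    param([string]$WorkflowHostUri = 'https://wf-host:12290')
    try {
        Invoke-WebRequest -Uri $WorkflowHostUri -UseBasicParsing -TimeoutSec 15 | Out-Null
        return 'OK: TLS handshake succeeded and the endpoint answered'
    } catch {
        $resp = $_.Exception.Response
        if ($resp) { return "OK: TLS trusted, endpoint returned HTTP $([int]$resp.StatusCode)" }
        return "FAIL: $($_.Exception.Message)"   # e.g. 'Could not establish trust relationship ...'
    }
}

function Test-WfmServices {
    # The three services SharePoint depends on for workflow execution
    $required = 'Service Bus Gateway', 'Service Bus Message Broker', 'Workflow Manager Backend'
    foreach ($name in $required) {
        $svc    = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status } else { 'Not installed' }
        [pscustomobject]@{ Service = $name; Status = $status }
    }
}

function Get-RecentWfmErrors {
    # Critical/Error/Warning events from the last $Hours that mention certificates or tokens
    param([int]$Hours = 2)
    $since = (Get-Date).AddHours(-$Hours)
    $logs  = 'Application', 'Microsoft-Workflow/Operational', 'Microsoft-ServiceBus/Operational'
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = $since } `
            -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'SSL policy error|Invalid token signature|certificate|token' } |
            Select-Object TimeCreated, @{ n = 'Log'; e = { $log } }, ProviderName,
                @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
    }
}

Test-WfmEndpointTrust
Test-WfmServices     | Format-Table -AutoSize
Get-RecentWfmErrors  | Format-Table -AutoSize -Wrap
```

If Test-WfmEndpointTrust reports a trust failure from a SharePoint server while the same probe succeeds from the WFM node, the exported CA certificate has not reached that server’s Trusted Root store yet; if the services are up but the event query keeps returning token signature errors, re-run the RefreshMetadataFeed job before considering a certificate regeneration.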
Troubleshooting & Tips

If you hit a wall because you don’t know or have forgotten the original Workflow Manager passphrase, don’t worry! You can use the WFM/Service Bus certificate generation key reset method in PowerShell (Step 2 above): defining a new key recreates the certificates, even if you don’t have the old passphrase!
If you are using a multi-node Workflow Manager farm, several additional steps are required. Reset the system clock and update certificates one node at a time. Always start with the primary node, complete the full certificate replacement there, and verify that the primary node is working before rejoining any of the secondary nodes to the farm. Rushing this process can lead to sync issues in the farm and trust issues between nodes!
Lastly, if you are unsure or in a sensitive environment, the safest approach is to test everything in a QA environment first. Many admins rehearse the time rollback and certificate reset in QA; it is the best way to make sure your live workflows aren’t broken mid-fix!
Wrapping Up!
Whether you like it or not, dealing with expired Workflow Manager certificates is not easy. Fixing them takes a few steps, some prep work and patience! This post covered the full replacement process, but the big lesson is that careful certificate management is necessary. Looking forward, track expiry dates, keep your passphrases secure, and always document your farm configuration for reference!
The necessary tips:
Don’t just wait for things to start failing. Stay alert, and don’t take things for granted. Plan ahead, test sufficiently in QA and, if you run a multi-node farm, test and apply updates on each node separately. Regularly check the health of your certificates, back up your configuration, and make sure someone on your team knows how to manage Workflow Manager. That is invaluable when you have to work with a legacy SharePoint instance!
Also bear in mind that SharePoint 2013 workflows are already deprecated and official support is running out fast! If you are still relying on SharePoint 2013 workflows, you should start planning a migration to Power Automate!
Need help working with legacy workflows, and planning for your migration?
NGS Solutions provides experienced guidance to support SharePoint workflow troubleshooting, certificate management and additional ease of onboarding to Power Automate. Contact us today to ensure your SharePoint environment is secure, and future-proof your workflows!
