Expired certificates in Workflow Manager are one of the most common reasons SharePoint workflows suddenly stop working in older SharePoint environments. This issue affects many organizations still running Microsoft SharePoint Server 2013, Microsoft SharePoint Server 2016, and Microsoft SharePoint Server 2019.
When Workflow Manager certificates expire, workflows may fail silently, authentication errors may appear, and SharePoint users can experience issues with approvals, automated tasks, and business processes. In many environments, these problems are difficult to diagnose because the errors often appear as generic SSL or token validation failures.
This guide explains:
- What Workflow Manager certificates are
- Why certificate expiration breaks SharePoint workflows
- How to replace expired Workflow Manager certificates
- Common troubleshooting steps
- Important best practices for SharePoint workflow management in 2026
The goal is to provide a clear and practical reference for administrators managing legacy SharePoint workflow environments.
What Is Workflow Manager in SharePoint?
Workflow Manager is a workflow engine used by SharePoint 2013-based workflows. It handles workflow execution, communication, authentication, and secure connections between SharePoint and workflow services.
Workflow Manager is commonly used in:
- SharePoint 2013
- SharePoint 2016
- SharePoint 2019
It works alongside:
- Service Bus
- OAuth token services
- SSL certificates
- SharePoint workflow endpoints
Many organizations still depend on Workflow Manager because legacy workflows continue to support business operations such as:
- Document approvals
- Task automation
- Notification workflows
- Data collection processes
- Custom workflow applications
Why Do Workflow Manager Certificates Expire?
Workflow Manager uses self-signed or generated certificates to secure communication between servers and services.
These certificates have expiration dates. Once the certificates expire:
- SharePoint no longer trusts Workflow Manager
- OAuth token validation fails
- Workflow execution stops
- SSL communication errors appear
- Service Bus communication may break
This issue becomes increasingly common in older SharePoint farms that were deployed years ago and have not undergone certificate maintenance.
Common Signs of Expired Workflow Manager Certificates
Workflow Failures
One of the first symptoms is that workflows stop running completely.
Common workflow issues include:
- Workflows stuck on “Starting”
- Failed approvals
- Suspended workflows
- Workflow history errors
Authentication and Token Errors
Administrators often notice errors related to:
- OAuth token validation
- Invalid token signatures
- Trust relationship failures
- SSL certificate trust issues
ULS and Event Viewer Errors
Common log entries include:
- “Invalid token signature”
- “SSL policy errors”
- “Could not establish trust relationship”
- “Security token validation exception”
Workflow Service Connection Problems
Communication between SharePoint and Workflow Manager may fail entirely, especially after certificate expiration.
This can affect:
- Workflow subscriptions
- Task generation
- Workflow status updates
- SharePoint Designer workflows
Understanding Workflow Manager Farm Configurations
Before replacing certificates, it is important to understand your Workflow Manager topology.
Single-Node Workflow Manager Farm
A single server hosts:
- Workflow Manager
- Service Bus
- Workflow services
This setup is simpler but has limited redundancy.
Multi-Node Workflow Manager Farm
Larger environments may use:
- Multiple Workflow Manager servers
- Load balancing
- Distributed workflow processing
Multi-node farms require additional care during certificate replacement because synchronization and trust relationships must remain consistent across nodes.
Prerequisites Before Replacing Expired Certificates
Proper preparation reduces the risk of workflow outages and configuration problems.
1. Gather Required Credentials
You need:
- Workflow Manager Run-As account
- Administrative access
- Original Workflow Manager passphrase (if available)
The passphrase is required for certificate regeneration.
2. Backup Important Components
Always back up:
- Workflow Manager databases
- Service Bus databases
- SharePoint farm configuration
- Existing PowerShell scripts
- SSL certificates
A backup allows recovery if the certificate replacement process fails.
3. Document Existing Configuration
Record:
- SQL Server names
- Workflow Manager ports
- Service Bus settings
- Farm names
- Certificate thumbprints
- Workflow endpoints
This information is required when rejoining the Workflow Manager farm.
4. Plan Maintenance Time
Workflow services may become temporarily unavailable during certificate replacement.
Schedule maintenance during low-usage periods whenever possible.
Step-by-Step Process to Replace Expired Workflow Manager Certificates
Step 1: Temporarily Roll Back the Server Time
Workflow Manager may block certificate operations if the current certificates are already expired.
To bypass this limitation:
- Stop the Windows Time Service
- Change the server date to one day before certificate expiration
- Verify the time change remains active
In virtual environments, hypervisor time synchronization may override manual changes. Disable host time synchronization temporarily if necessary.
This step should only be temporary.
Step 2: Reset the Workflow Manager Certificate Generation Key
Open PowerShell on the active Workflow Manager node and reset the certificate generation key for both Workflow Manager and Service Bus. Workflow Manager uses this key to generate the replacement certificates when the farm is reconfigured in the next step.
This process generates new certificates for:
- Workflow Manager
- Service Bus
Store the passphrase securely for future maintenance.
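The key reset for this step, as an added example that is not code from the original post. It assumes it is run in an elevated Workflow Manager PowerShell session on the active node, where the Workflow Manager and Service Bus cmdlets are available; the subject filter used to list the current certificates is an assumption and should be adjusted to your farm.

```powershell
# Added example (not from the original post). Run on the active Workflow Manager node.
# Fail early if the product cmdlets are not loaded in this session.
Get-Command Set-WFCertificateAutoGenerationKey, Set-SBCertificateAutoGenerationKey -ErrorAction Stop | Out-Null

# Record the certificates currently in use before anything changes; the thumbprints and
# expiry dates are needed for documentation and for comparison after the farm is rejoined.
# Assumption: the auto-generated certificate subjects contain "Workflow" or "Service Bus".
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*Workflow*' -or $_.Subject -like '*Service Bus*' } |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize

# Prompt for the certificate generation key as a SecureString rather than hard-coding it in a script.
$key = Read-Host -Prompt 'Certificate generation key' -AsSecureString

# Set the key that Workflow Manager and Service Bus use to generate their new certificates.
Set-WFCertificateAutoGenerationKey -Key $key
Set-SBCertificateAutoGenerationKey -Key $key
```

The key entered here must match the certificate generation key supplied to the Configuration Wizard when rejoining the farm.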
Step 3: Leave and Rejoin the Workflow Manager Farm
After generating new certificates, the Workflow Manager farm must be reconfigured.
Leave the Existing Farm
Using the Workflow Manager Configuration Wizard:
- Select Leave Workflow Manager Farm
- Record all configuration details before removal
Important details include:
- Database names
- SQL instances
- Ports
- Service accounts
- Security settings
Rejoin the Existing Farm
Run the Configuration Wizard again and choose:
Join an Existing Workflow Manager Farm
Enter:
- SQL Server details
- Workflow Manager settings
- Service Bus configuration
- Certificate generation key
This process updates the farm with newly generated certificates.
Step 4: Restore the Correct System Time
Once certificates are regenerated:
- Restore the correct server time
- Restart Windows Time Service
- Verify Workflow Manager services are running properly
In multi-node farms, repeat synchronization checks on all servers.
Step 5: Export and Trust the New Certificate in SharePoint
SharePoint must trust the new Workflow Manager certificate.
On the Workflow Manager server, export the newly generated certificate to a certificate file. This file carries the public certificate that SharePoint needs in order to trust Workflow Manager.
Import the Certificate into SharePoint Servers
Copy the certificate to every SharePoint server and import it into the Trusted Root Certification Authorities store.
This step ensures SharePoint trusts Workflow Manager again.
Step 6: Refresh SharePoint Metadata
From the SharePoint Management Shell, run the timer job that refreshes the trusted security token services metadata feed. This refreshes token metadata and updates the trust relationship with Workflow Manager.
Step 7: Re-Register Workflow Service
Open the SharePoint Management Shell as Administrator and re-register the workflow service against the Workflow Manager host, using the site URL and workflow host URL from your environment.
This reconnects SharePoint to Workflow Manager using the updated certificates.
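Steps 5 through 7 as one script, added here as an example and not code from the original post. Assumptions: the thumbprint passed in is that of the newly generated Workflow Manager certificate, 12290 is the product's default HTTPS port for the workflow host, the host names are hypothetical, and the SharePoint snap-in is available on the SharePoint servers.

```powershell
# Added example (not from the original post). Each function notes where it runs.

# Step 5 (Workflow Manager node): export the PUBLIC certificate only, never the private key.
function Export-WfmCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint,
          [string]$Path = 'C:\Temp\WorkflowManager.cer')
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    # Guard: an expired certificate must be regenerated, not distributed.
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint has expired; regenerate it first." }
    Export-Certificate -Cert $cert -FilePath $Path -Type CERT | Out-Null
    return $Path
}

# Step 5 (every SharePoint server): trust the certificate in the OS store and in SharePoint.
function Import-WfmTrust {
    param([Parameter(Mandatory)][string]$CerPath)
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    # Machine store: Trusted Root Certification Authorities
    $cert = Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
    # SharePoint's own trusted root list; the thumbprint in the name keeps it distinct from the old entry.
    $name = "Workflow Manager $($cert.Thumbprint)"
    if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $name })) {
        New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
    }
    return $cert.Thumbprint
}

# Steps 6 and 7 (run once from the SharePoint Management Shell).
function Update-SPWorkflowTrust {
    param([Parameter(Mandatory)][string]$SiteUrl,
          [Parameter(Mandatory)][string]$WorkflowHostUri)
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    # Timer job that refreshes the trusted security token services metadata feed (assumed internal name).
    Get-SPTimerJob | Where-Object { $_.Name -like '*RefreshMetadataFeed*' } | Start-SPTimerJob
    # Re-register the workflow service so SharePoint reconnects with the new certificate.
    Register-SPWorkflowService -SPSite $SiteUrl -WorkflowHostUri $WorkflowHostUri -Force
    # Validation: show what SharePoint now trusts, with expiry dates, so stale entries stand out.
    Get-SPTrustedRootAuthority |
        Select-Object Name,
            @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } },
            @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } }
}

# Example invocation (hypothetical values):
# Export-WfmCertificate -Thumbprint '<new thumbprint>'                       # on the Workflow Manager node
# Import-WfmTrust -CerPath 'C:\Temp\WorkflowManager.cer'                      # on each SharePoint server
# Update-SPWorkflowTrust -SiteUrl 'https://sp.contoso.local' -WorkflowHostUri 'https://wfm.contoso.local:12290'
```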
Step 8: Validate Workflow Functionality
Test workflows after completing certificate replacement.
Recommended checks include:
- Start a test workflow
- Verify task creation
- Confirm approvals complete successfully
- Review Workflow History
- Monitor Event Viewer logs
Ensure there are no:
- SSL trust errors
- OAuth token failures
- Service Bus connectivity issues
Common Troubleshooting Issues
Workflow Manager Passphrase Lost
If the original passphrase is unavailable, administrators can still regenerate certificates by resetting the certificate generation key with PowerShell.
However, additional configuration steps may be required depending on farm complexity.
Service Bus Communication Errors
If Service Bus services fail:
- Restart Service Bus Gateway
- Restart Message Broker services
- Verify certificate synchronization
- Confirm firewall rules and ports
Multi-Node Synchronization Problems
In multi-node farms:
- Update nodes individually
- Validate synchronization after each node
- Avoid updating all servers simultaneously
This reduces trust relationship conflicts.
SSL Trust Relationship Errors
If SharePoint still does not trust Workflow Manager:
- Re-import certificates
- Verify Trusted Root store placement
- Re-run metadata refresh jobs
- Confirm certificate thumbprints match
Benefits of Proper Certificate Management
Proper certificate management plays an important role in maintaining a stable and secure SharePoint workflow environment. Since Workflow Manager depends heavily on certificate-based trust and authentication, expired or misconfigured certificates can quickly disrupt workflow operations across the entire SharePoint farm.
Maintaining Workflow Manager certificates regularly helps improve several critical areas of system performance and reliability.
Improved Workflow Reliability
Valid certificates allow SharePoint workflows to communicate correctly with Workflow Manager services. This helps ensure that automated business processes such as approvals, notifications, document routing, and task assignments continue running without interruption.
Regular certificate maintenance reduces the chances of:
- Failed workflows
- Suspended tasks
- Workflow startup issues
- Unexpected automation outages
Stable workflows are especially important in environments that rely on automated business operations every day.
Better Authentication Stability
Workflow Manager uses certificates for OAuth token validation and secure communication between services. When certificates remain updated and trusted, authentication processes work more consistently across the SharePoint environment.
This helps prevent issues such as:
- Invalid token signature errors
- SSL trust failures
- Authentication timeouts
- Service connection problems
Consistent authentication also improves communication between SharePoint, Service Bus, and Workflow Manager components.
Stronger SharePoint Security
Certificates help protect data exchanged between SharePoint servers and workflow services. Proper certificate management reduces the risk of insecure connections and outdated trust relationships.
Maintaining certificates supports:
- Secure encrypted communication
- Trusted service authentication
- Safer workflow execution
- Better compliance with security standards
In many organizations, certificate maintenance is also part of broader cybersecurity and infrastructure management policies.
More Reliable Service Communication
Workflow Manager environments often include multiple interconnected services such as:
- Workflow Manager
- Service Bus
- SQL Server
- SharePoint web applications
Updated certificates help these services communicate securely and reliably. This reduces service interruptions and minimizes workflow processing failures caused by broken trust relationships.
Long-Term System Availability
Legacy SharePoint environments often remain active for many years. Without proactive certificate management, small certificate issues can eventually cause major workflow outages and emergency troubleshooting situations.
Routine certificate monitoring helps administrators:
- Detect expiring certificates early
- Schedule planned maintenance
- Reduce unexpected downtime
- Maintain operational continuity
This is especially important in multi-node Workflow Manager farms where synchronization and trust relationships must remain stable across all servers.
Reduced Emergency Maintenance and Downtime
One of the biggest advantages of proactive certificate management is the reduction of emergency fixes. Unexpected certificate expiration can lead to urgent outages, workflow disruptions, and time-sensitive troubleshooting.
Regular monitoring and scheduled renewals allow administrators to:
- Plan maintenance windows properly
- Test updates in QA environments
- Avoid production disruptions
- Reduce pressure during troubleshooting
Preventive certificate management is usually far safer and more efficient than reacting to unexpected workflow failures after certificates have already expired.
Common Mistakes to Avoid
| Common Mistake | Why It Causes Problems | Recommended Best Practice |
|---|---|---|
| Ignoring Certificate Expiration Dates | Many SharePoint workflow outages happen because Workflow Manager certificates expire unexpectedly, causing authentication and trust failures. | Monitor certificate expiration dates regularly and schedule renewals before certificates expire. |
| Skipping Backups | Replacing certificates without proper backups increases the risk of data loss and makes recovery difficult if configuration issues occur. | Always back up Workflow Manager databases, Service Bus databases, and SharePoint configurations before making changes. |
| Updating All Nodes Simultaneously | In multi-node Workflow Manager farms, updating all servers at the same time can create synchronization and trust relationship problems. | Update one node at a time and verify synchronization before moving to the next server. |
| Forgetting SharePoint Trust Updates | Regenerating certificates alone does not restore workflow functionality because SharePoint must also trust the new certificates. | Export the new certificate, import it into SharePoint servers, and refresh metadata feeds after certificate replacement. |
Latest Trends in SharePoint Workflow Management for 2026
Many organizations are gradually moving away from legacy SharePoint 2013 workflows.
Current trends include:
- Migration to Microsoft Power Automate
- Reduced reliance on Workflow Manager
- Cloud-based automation
- Hybrid SharePoint environments
- Modern authentication methods
- Improved certificate lifecycle management
However, many enterprises still maintain legacy SharePoint farms for compatibility and long-term business process support.
Because of this, Workflow Manager certificate maintenance remains an important administrative task in 2026.
Best Practices for Managing Workflow Manager Certificates
Monitor Certificate Expiration Regularly
Use scheduled monitoring tools or PowerShell scripts to track certificate validity.
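A monitoring script of the kind described here, added as an example and not code from the original post. It assumes it is run as a scheduled task on a Workflow Manager node or SharePoint server, and that the thumbprint list comes from the configuration documentation recorded earlier; the thumbprints shown in the invocation are constructed placeholders.

```powershell
# Added example (not from the original post): report expired, expiring and missing certificates
# for the thumbprints an administrator documented, so a scheduled task can raise an alert early.
function Get-WfmCertificateStatus {
    param(
        [Parameter(Mandatory)][string[]]$Thumbprints,
        [int]$WarnDays = 30,
        [string[]]$Stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root')
    )
    $now = Get-Date
    foreach ($tp in $Thumbprints) {
        # Thumbprints copied from the certificate UI often contain spaces and lower-case hex.
        $tp = ($tp -replace '\s', '').ToUpperInvariant()
        $cert = $null
        foreach ($store in $Stores) {
            $cert = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
            if ($cert) { break }
        }
        if (-not $cert) {
            # A documented certificate that is no longer in any store is itself a finding.
            [pscustomobject]@{ Thumbprint = $tp; Subject = '(not found)'; NotAfter = $null; DaysLeft = $null; State = 'MISSING' }
            continue
        }
        $days  = [int]($cert.NotAfter - $now).TotalDays
        $state = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $WarnDays) { 'EXPIRING' } else { 'OK' }
        [pscustomobject]@{ Thumbprint = $tp; Subject = $cert.Subject; NotAfter = $cert.NotAfter; DaysLeft = $days; State = $state }
    }
}

# Constructed placeholder thumbprints; replace with the values from your documentation.
$status = Get-WfmCertificateStatus -Thumbprints @(
    '0000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000002'
) -WarnDays 45
$status | Format-Table -AutoSize

# A non-zero exit code lets Task Scheduler or a monitoring agent flag the run.
if ($status | Where-Object { $_.State -ne 'OK' }) { exit 1 } else { exit 0 }
```

Running it on each Workflow Manager node and each SharePoint server separately shows whether the trust store on every machine still holds a current copy of the certificate.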
Maintain Updated Documentation
Document:
- Passphrases
- Server topology
- Workflow endpoints
- SQL configuration
- Certificate locations
Test Changes in QA Environments
Always validate certificate replacement procedures in non-production environments first.
Schedule Preventive Maintenance
Regular maintenance reduces workflow outages and authentication failures.
Conclusion
Replacing expired Workflow Manager certificates in SharePoint 2013, 2016, and 2019 requires careful planning, certificate regeneration, trust updates, and workflow validation.
Although the process can appear complex, following a structured approach helps restore workflow functionality while minimizing downtime.
Key areas to focus on include:
- Proper backups
- Passphrase management
- Certificate trust configuration
- Metadata refresh
- Workflow testing
- Multi-node synchronization
As organizations continue modernizing SharePoint environments, understanding legacy workflow infrastructure remains valuable for maintaining operational stability and supporting long-running business processes.
FAQs
- What happens when Workflow Manager certificates expire?
Expired certificates break trust relationships between SharePoint and Workflow Manager, causing workflows and authentication processes to fail.
- Can workflows stop without obvious errors?
Yes. Some environments experience silent workflow failures with limited user-facing error messages.
- Is rolling back server time safe?
It should only be used temporarily during certificate replacement. Long-term time rollback can create authentication and synchronization issues.
- Do multi-node farms require additional steps?
Yes. Multi-node farms require careful synchronization and staged updates across servers.
- Is Workflow Manager still supported in 2026?
Many organizations still use Workflow Manager in legacy SharePoint environments, although newer automation platforms are increasingly replacing it.
