Renew S9 certificates

Hi all, 

documenting this here as I had to dig around to sort this out, but feel free to add comments if there is a better way.

The problem: I installed several Sitecore 9 demo sites a year ago (has it been a year already?), and I have begun getting warnings that the certs were about to expire.

Sure enough, they are, as is the DO_NOT_TRUST_SitecoreRootCert, set to expire 11/08/2018.

These all came out of the original install script, so how to refresh them? Presumably by starting with a refresh of the Root Cert and then the individual xconnect certs.

What I've come up with:

1. Delete all the certs out of the certificate store (see gotcha below).

2. Delete all the .crt files out of the directory referenced in the script, in my case C:\certificates (otherwise they will be found and re-imported, with the original expiry dates).

3. Re-run the script, just the xconnect-createcert.json part of it.

4. Export with private key and re-import to other machines as needed.

Voilà, that adds another year.


This took me longer to figure out than it should have. I kept getting the certs coming back with the original expiry, and it wasn't until I looked closely at the log file that it became clear why this was happening. When I open the Certificates snap-in, I always pick the option "Computer account" as opposed to "Service account" or "My user account."

Indeed I found the certificates under Computer Account, and had deleted them.

What I did not appreciate was that the script creates the Root cert under "My user account," so it was there as well; I wasn't seeing it, so it was being found and therefore not recreated. And even though I was regenerating the xconnect certs, they were coming in with the old expiry date. I had to check under My user account and delete the Root cert there as well.

(Screenshot, not reproduced here: the log shows the cert being found in \CurrentUser\My, which is the bad location.)

If you're hunting around, this PowerShell will give you the thumbprints in both stores, which makes it a bit easier to track them down:

    Get-ChildItem -Path cert:\CurrentUser\My
    Get-ChildItem -Path cert:\LocalMachine\My

Hope this helps.
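To make the gotcha above harder to hit, here is an added example (my own, not from the original post or the Sitecore install script) that audits the user and machine personal and root stores in one pass, reports expiry per certificate, and previews the deletion in step 1 with -WhatIf so nothing is removed until you drop that switch. The subject match pattern 'Sitecore|xconnect' and the 30-day threshold are assumptions chosen to narrow the output to the certs the script creates.

```powershell
# Added example, not part of the original post.
# The install script writes to both CurrentUser and LocalMachine, so check all four stores.
$stores = @(
    'Cert:\CurrentUser\My',
    'Cert:\LocalMachine\My',
    'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\Root'
)
$warnDays = 30                     # assumption: treat anything expiring within 30 days as due
$pattern  = 'Sitecore|xconnect'    # assumption: subjects used by the Sitecore 9 cert script

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
                HasPrivKey = $_.HasPrivateKey
            }
        }
}

# Sorted so the soonest expiry is at the top; a root cert under CurrentUser shows up here too.
$report | Sort-Object NotAfter | Format-Table Store, Subject, Thumbprint, NotAfter, DaysLeft, HasPrivKey -AutoSize

# Step 1 of the post: remove the expiring certs from every store they live in.
# -WhatIf only prints what would happen; remove it (and add -DeleteKey to drop the
# private key as well) once the list looks right.
$report |
    Where-Object { $_.DaysLeft -lt $warnDays } |
    ForEach-Object {
        Remove-Item -Path "$($_.Store)\$($_.Thumbprint)" -WhatIf
    }
```

Run it in an elevated PowerShell so the LocalMachine stores are readable; the CurrentUser entries are specific to the account that ran the install script, so run it as that account or the stale root cert will still not appear.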

1 Reply

  • Two more steps to add:
    Reminder that you will need to replace the thumbprints in ConnectionStrings.config and also, in the xconnect site, App_Config\AppSettings.config.
    This is the thumbprint of the xconnect_client certificate.

    Last of all, you may need to grant permissions on the new certs to the app pool. I did this with IIS_IUSRS, but it could be done with NETWORK SERVICE if you are running under that, or the specific app pool with IIS APPPOOL\apppool. Documented here
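As an added example that is not part of the original post or the reply above: after regenerating the certs and editing the config files, a quick cross-check catches a thumbprint that was missed, one that now points at an expired or removed cert, or one whose private key did not come across on export/import. The config file paths are assumptions for a typical Sitecore 9 install and must be adjusted to your site roots; the 40-hex-character match is a heuristic for SHA-1 thumbprints, which is how they appear in these files.

```powershell
# Added example, not part of the original post.
# Assumption: these are the config files that carry certificate thumbprints; adjust paths.
$configFiles = @(
    'C:\inetpub\wwwroot\sc9.sc\App_Config\ConnectionStrings.config',
    'C:\inetpub\wwwroot\sc9.xconnect\App_Config\AppSettings.config',
    'C:\inetpub\wwwroot\sc9.xconnect\App_Config\ConnectionStrings.config'
)

# The app pools read from the machine store, so that is the store to compare against.
$installed = Get-ChildItem -Path 'Cert:\LocalMachine\My'

foreach ($file in $configFiles) {
    if (-not (Test-Path -Path $file)) {
        Write-Warning "Missing config file: $file"
        continue
    }

    # Heuristic: a thumbprint is 40 hex characters (e.g. FindValue=<thumbprint> in a connection string).
    $referenced = [regex]::Matches((Get-Content -Path $file -Raw), '\b[0-9A-Fa-f]{40}\b') |
        ForEach-Object { $_.Value.ToUpperInvariant() } |
        Sort-Object -Unique

    if (-not $referenced) {
        Write-Warning "$file contains no thumbprint-like values"
        continue
    }

    foreach ($tp in $referenced) {
        $cert = $installed | Where-Object { $_.Thumbprint -eq $tp }
        if (-not $cert) {
            Write-Warning "$file references $tp, which is not in LocalMachine\My (stale thumbprint from the old cert?)"
        }
        elseif ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "$file references $tp ($($cert.Subject)), which expired on $($cert.NotAfter)"
        }
        elseif (-not $cert.HasPrivateKey) {
            Write-Warning "$file references $tp ($($cert.Subject)) but the private key is missing; re-export with the key"
        }
        else {
            Write-Output "$file -> $tp ($($cert.Subject)) OK, valid until $($cert.NotAfter)"
        }
    }
}
```

The private-key check only tells you the key is present, not that the app pool identity can read it; if the site still fails after the thumbprints line up, the permission step in the reply is the next thing to verify.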