Recreating Certificates in Sitecore 9 to Solve 403 and SSL/TLS Errors

May 3, 2019

I started working on a development server and besides being slower than normal, the Sitecore log files were full of XConnect errors. Moreover, when browsing the various Sitecore websites on the device, Chrome complained that the site certificates were invalid. I started investigating and found that the site certificates didn't match the domains. This appears to be a common issue with Sitecore 9. One solution is to start fresh with a new installation. However, I found it easier to update the certificates in place and preserve the configuration the previous developers and consultants left. You could use also use these steps to refresh your certificates when they expire.

Some examples of the exceptions I found in the logs were:

Exception: System.Net.WebException
Message: The request was aborted: Could not create SSL/TLS secure channel.
Exception: Sitecore.XConnect.XdbCollectionUnavailableException
Message: The HTTP response was not successful: Forbidden

References

These are the references I used to research these issues:

Initially, I attempted to fix the issues with the suggestions in these posts. However, I couldn't get the sites to work and the sheer number of Sitecore related certificates on the server (24) made me think the previous developers had tried similar approaches. So instead, this is how I reset certificates for Sitecore 9.0.1 and Sitecore Commerce.

Delete Existing Sitecore Development Certificates

Delete the existing Sitecore website certificates so they don't conflict and aren't confusing when binding sites in later steps.

  1. Click the Windows Start button
  2. Type "certificate"
  3. Select Manage computer certificates (not Manage user certificates)
  4. In the UAC modal, click Yes
  5. Browse the certificates in the Personal, Trusted Root Certification, and Intermediate Certification stores
  6. Delete any certificates related to the Sitecore websites

Run PowerShell Script to Create New Certificates

I created a simple PowerShell script you can use (at the end of this post). Make sure you adjust the script with all of the hostnames you are using (Commerce, xConnect, and the website reference each other so check the configs).

  1. Click the Windows Start button
  2. Type "powershell"
  3. Right click Windows PowerShell ISE
  4. Choose Run as Administrator
  5. In the UAC modal, click Yes
  6. Open the script file or copy and paste the code into a new script
  7. Select Run
  8. The certificate thumbprints will print out after the script finishes. Save them for a later step
Creating certificates in a PowerShell script

Grant Read Access to Website App Pools

The website app pools need read access to the certificates for verification.

  1. Open Manage Computer Certificates
  2. Go to Personal -> Certificates
  3. Right click the website certificates and select All Tasks -> Manage Private Keys
  4. Press Add
  5. Press Locations
  6. Choose the local VM (not network) and Press OK
  7. Enter the App Pools that should have access. For example
    sitecore9.xconnect => IIS AppPool\sitecore9.sc, IIS AppPool\sitecore9.xconnect, IIS AppPool\CommerceAuthoring_Sc9
  8. Allow Read access
  9. Press Ok
  10. Repeat for each site certification
Manage Private Keys on a Certificate Giving xConnect AppPool Read Rights to Certificate

Export Root Certificate and Add it to Trusted Root store

If you followed my script, three website certificates were created based off a singular root, Sitecore Development Root. In order to get applications to trust these certificates, we need to add this root certificate to the trusted root store. The following steps export the root certificate and then add it to the store.

  1. Right click the root certificate, Sitecore Development Root
  2. Step through the Certificate Export Wizard with the following options
  3. Yes, export the private key
  4. Personal Information Exchange with Include all certificates in the certification path if possible
  5. Password with password of your choice
  6. Choose a filepath to store it
  7. Now, go to Trusted Root Certification -> Certificates
  8. Right click Certificates and choose All Tasks -> Import
  9. Step through the Certificate Import Wizard and import the certificate you just exported
Giving xConnect AppPool Read Rights to Certificate

Bind the Certificates in IIS

Our certificates are ready to be used. Follow these steps to get IIS to use them on the appropriate sites.

  1. Open IIS Manager
  2. Expand the Sites collection and select a site
  3. Select Bindings…
  4. Select a https binding and Choose Edit…
  5. Select the SSL certificate drop down list
  6. Choose the appropriate SSL certificate
  7. Press Ok and Close
  8. Repeat for each site

Update Configuration Settings

The last step is to update the configuration settings so the various Sitecore applications trust the certificates. This is where you will use the thumbprints that were generated from the PowerShell script. If you no longer have them, you can still look them up on the certificate.

  1. Open [Commerce Authoring Root]\wwwroot\config.json
  2. Change Thumprint parameter value to new Sitecore Commerce and Identity Server thumbprint
  3. Open [Commerce Minions Root]\wwwroot\config.json
  4. Change Thumprint parameter value to new Sitecore Commerce and Identity Server thumbprint
  5. Open [Commerce Ops Root]\wwwroot\config.json
  6. Change Thumprint parameter value to new Sitecore Commerce and Identity Server thumbprint
  7. Open [Commerce Shops Root]\wwwroot\config.json
  8. Change Thumprint parameter value to new Sitecore Commerce and Identity Server thumbprint
  9. Open [Website Root]\App_Config\ConnectionStrings.config
  10. Change all Thumprints to new Sitecore xConnect thumbprint
  11. Open [Website Root]\App_Config\Include\Y.Commerce.Engine\Sitecore.Commerce.Engine.Connect.config
  12. Change certificateThumprint value to new Sitecore Commerce thumbprint
  13. Open [xConnect Root]\App_Config\AppSettings.config
  14. Change validateCertificateThumbprint setting to new Sitecore xConnect thumbprint
  15. Open [Identity Server Root]\wwwroot\App_Config\AppSettings.config
  16. Change validateCertificateThumbprint setting to new Sitecore Commerce and Identity Server thumbprint

Restart IIS and Test

  1. Restart IIS from IIS Manager
  2. Open a new browser window and check if the website certificates are flagged as invalid
  3. Check Sitecore logs to see if certificate errors are resolved

PowerShell Script

$rootparams = @{ DnsName = "Sitecore Development Root" KeyExportPolicy = 'Exportable' NotAfter = (Get - Date).AddYears(10) CertStoreLocation = 'Cert:\LocalMachine\My' KeyUsage = 'CertSign','CRLSign' } $rootCA = New-SelfSignedCertificate @rootparams $webparams = @{ DnsName = "YOUR.WEBSITE.DOMAIN(S)" FriendlyName = "Sitecore Website" Signer = $rootCA KeyExportPolicy = 'Exportable' NotAfter = (Get - date).AddYears(10) CertStoreLocation = 'Cert:\LocalMachine\My' } $webCert = New-SelfSignedCertificate @webparams Write-Host -Object "Website: $($webCert.Thumbnail)" $commerceparams = @{ DnsName = "localhost" FriendlyName = "Sitecore Commerce and Identity Server" Signer = $rootCA KeyExportPolicy = 'Exportable' KeySpec = 'Signature' NotAfter = (Get - date).AddYears(10) CertStoreLocation = 'Cert:\LocalMachine\My' } $commerceCert = New-SelfSignedCertificate @commerceparams Write-Host -Object "Commerce: $($commerceCert.Thumbnail)" $connectparams = @{ DnsName = "sitecore9.xconnect" FriendlyName = "Sitecore xConnect" Signer = $rootCA KeyExportPolicy = 'Exportable' NotAfter = (Get - date).AddYears(10) CertStoreLocation = 'Cert:\LocalMachine\My' } $connectCert = New-SelfSignedCertificate @connectparams Write-Host -Object "xConnect: $($connectCert.Thumbnail)"