Replacing your xConnect certificate on Sitecore 10




This post is a quick reference for the actions involved in replacing your xConnect certificate on Sitecore 10.

Replace thumbprint values within the following files and app settings:

XP Roles

CD

\wwwroot\App_Config\ConnectionStrings.config
+ WEBSITE_LOAD_CERTIFICATES App Setting

CM

\wwwroot\App_Config\ConnectionStrings.config
+ WEBSITE_LOAD_CERTIFICATES App Setting

CORTEX PROCESSING

\wwwroot\App_Config\AppSettings.config
\wwwroot\App_Data\jobs\continuous\ProcessingEngine\App_Config\ConnectionStrings.config
+ WEBSITE_LOAD_CERTIFICATES App Setting

CORTEX REPORTING

\wwwroot\App_Config\AppSettings.config
+ WEBSITE_LOAD_CERTIFICATES App Setting

EXM-DDS

\wwwroot\App_Config\ConnectionStrings.config
+ WEBSITE_LOAD_CERTIFICATES App Setting

MA-OPS

\wwwroot\App_Config\AppSettings.config
\wwwroot\App_Config\ConnectionStrings.config
+ WEBSITE_LOAD_CERTIFICATES App Setting

MA-REP

\wwwroot\App_Config\AppSettings.config
+ WEBSITE_LOAD_CERTIFICATES App Setting

PRC

\wwwroot\App_Config\ConnectionStrings.config
+ WEBSITE_LOAD_CERTIFICATES App Setting

SI

\wwwroot\Config\production\Sitecore.IdentityServer.Host.xml
+ WEBSITE_LOAD_CERTIFICATES App Setting

XC-COLLECT

\wwwroot\App_Config\AppSettings.config

XC-REFDATA

\wwwroot\App_Config\AppSettings.config
  • Upload the new certificate to xc-collect (private)
  • Remove the old certificate as housekeeping

Since we are connecting to xConnect from the Commerce engine, we had to change some values in these app settings as well. This might not be needed for your solution, since it is not default Sitecore behaviour.

XC Roles (app settings)

SHOP

CECONFIG_XConnectConfigurator__Connection
WEBSITE_LOAD_CERTIFICATES

OPS

CECONFIG_XConnectConfigurator__Connection
WEBSITE_LOAD_CERTIFICATES

MINIONS

CECONFIG_XConnectConfigurator__Connection
WEBSITE_LOAD_CERTIFICATES

AUTHORING

CECONFIG_XConnectConfigurator__Connection
WEBSITE_LOAD_CERTIFICATES

Ensure that all values and certificates have also been replaced within your IaC pipelines. The adjustments above are only meant for changing the values manually. The preferred method is always to change the certificate via CI/CD pipelines.

Finally, we have to stop all affected app services and all affected webjobs (they are not stopped by stopping the App Service). Once everything has been stopped, start them again to activate your new certificate on the environment.
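
To confirm that no role still references the old certificate, the following added example (not part of the original post and not Sitecore's own tooling) audits a local copy of one role's wwwroot for the config files listed above, together with that role's WEBSITE_LOAD_CERTIFICATES value. The function names and the local-copy layout are assumptions; thumbprints are compared case-insensitively, ignoring spaces and stray pasted characters.

```python
import re
from pathlib import Path

# Config files named in the post, relative to a role's wwwroot.
CONFIG_FILES = (
    "App_Config/ConnectionStrings.config",
    "App_Config/AppSettings.config",
    "App_Data/jobs/continuous/ProcessingEngine/App_Config/ConnectionStrings.config",
    "Config/production/Sitecore.IdentityServer.Host.xml",
)
# A SHA-1 thumbprint: 40 hex digits, optionally written as space-separated
# pairs, and not part of a longer hex string.
THUMBPRINT_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2} ?){19}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])")


def normalize(value):
    """Keep hex digits only (drops spaces and invisible characters), upper-cased."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def audit_role(wwwroot, old, new, load_certificates=None):
    """Return findings for one role; an empty list means nothing stale was found.

    wwwroot is a local copy of the role's files (assumed layout);
    load_certificates is the role's WEBSITE_LOAD_CERTIFICATES value, if known.
    """
    old, new = normalize(old), normalize(new)
    if len(old) != 40 or len(new) != 40 or old == new:
        raise ValueError("expected two different 40-hex-digit thumbprints")
    findings = []
    for rel in CONFIG_FILES:
        path = Path(wwwroot, rel)
        if not path.is_file():
            continue  # not every role has every file
        text = path.read_text(encoding="utf-8-sig", errors="replace")
        found = {normalize(m) for m in THUMBPRINT_RE.findall(text)}
        if old in found:
            findings.append(f"{rel}: old thumbprint still present")
        elif found and new not in found:
            findings.append(f"{rel}: has a thumbprint, but not the new one")
    if load_certificates is not None and load_certificates.strip() != "*":
        loaded = {normalize(t) for t in load_certificates.split(",")}
        if old in loaded:
            findings.append("WEBSITE_LOAD_CERTIFICATES: still lists the old thumbprint")
        if new not in loaded:
            findings.append("WEBSITE_LOAD_CERTIFICATES: new thumbprint not listed")
    return findings
```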