Update the Expired Sitecore XConnect certificate



Hi Friends,

This is the second part of my earlier blog – https://darjimaulik.wordpress.com/2020/07/20/sitecore-xconnect-certificate-error-http-response-was-not-successful-forbidden/

The earlier blog covered the issues that arise when XConnect stops working. This blog focuses on the certificate change itself. This is a very common scenario: you have installed Sitecore and after 1 or 2 years the certificate expires. When the certificate expires, you will see an error like the one below in the logs:

Exception: Sitecore.Analytics.DataAccess.XdbUnavailableException
Message: xDB unavailable
Source: Sitecore.Analytics.XConnect
   at Sitecore.Analytics.XConnect.DataAccess.XConnectDataAdapterProvider.ExecuteWithExceptionHandling[T](Func`2 func)
   at Sitecore.Analytics.XConnect.Diagnostics.PerformanceCounters.OperationPerformanceMonitorExtensions.Monitor[T](OperationPerformanceMonitorBase monitor, Func`1 operation)
   at Sitecore.Analytics.XConnect.DataAccess.Dictionaries.XConnectDeviceDictionary.LoadAs[T](Object key)
   at Sitecore.Analytics.DataAccess.Dictionaries.AverageCounterExtensions.MeasureMilliseconds[T](AverageCounter counter, Func`1 func)
   at Sitecore.Analytics.DataAccess.Dictionaries.ReferenceDataDictionary`2.Get(TKey key, LookupStrategy strategy)
   at Sitecore.Analytics.Pipelines.EnsureSessionContext.EnsureDevice.LoadDevice(Guid deviceId)
Nested Exception
Exception: Sitecore.XConnect.XdbCollectionUnavailableException
Message: The HTTP response was not successful: Forbidden
Source: Sitecore.Xdb.Common.Web
   at Sitecore.Xdb.Common.Web.Synchronous.SynchronousExtensions.SuspendContextLock[TResult](Func`1 taskFactory)
   at Sitecore.XConnect.Client.XConnectSynchronousExtensions.SuspendContextLock(Func`1 taskFactory)
   at Sitecore.XConnect.Client.Configuration.SitecoreXConnectClientConfiguration.Initialize(XmlNode configNode)
   at Sitecore.Configuration.DefaultFactory.CreateObject(XmlNode configNode, String[] parameters, Boolean assert, IFactoryHelper helper)
   at Sitecore.Configuration.DefaultFactory.CreateObject(XmlNode configNode, String[] parameters, Boolean assert)
   at Sitecore.Configuration.DefaultFactory.CreateObject(String configPath, String[] parameters, Boolean assert)
   at Sitecore.XConnect.Client.Configuration.SitecoreXConnectClientConfiguration.GetClient(String clientConfigPath)
   at Sitecore.Analytics.XConnect.DataAccess.XConnectDataAdapterProvider.ExecuteWithExceptionHandling[T](Func`2 func)

Below is the list of steps required to change the certificate:


  1. Create a new certificate.
  2. Install the certificate.
  3. Assign permission on the certificate's private key (a very important step).
  4. Assign the certificate to the XDB website.
  5. Find the thumbprint of the new certificate and update it in the ConnectionStrings.config file for the CM, CD(s) and XDB instances. This may also require changes in other roles, such as Marketing Automation, if you have them. The thumbprint can also appear in AppSettings.config. Details are given below.
  6. If the roles run on separate servers, install the same XDB certificate on the CM and CD as well.
  7. Set “AllowInvalidClientCertificates” to “true”. Only for development machines.

Making the above changes will bring the environment up and running with the new certificate. Details of each step are below.

Create Local certificate

There are many scripts available online to create certificates. I liked the one I found in a Stackoverflow post: https://gist.github.com/x3mxray/0e4805002de6f43f5732c44f5de23d23

There are 3 files. Parameters.json and createcert.json are the inputs. Make your changes in install.ps1 for the “folderroot”, “certificatename” and “certificatepassword” values.

If you are not able to generate the cert, change the default value of RootCertFileName at line no 16 of createcert.json. If you already have a Sitecore root certificate, you may need to make this change. Otherwise, you can delete the old certificates and create new ones.

Install certificate

The above script creates PFX certificates in the c:\certificates folder by default. Double-click the PFX and Windows will let you install the certificate. You need to select “Local machine”.

On the Password screen, you can select the options below.

This process installs the certificate in the certificate store and makes it available to IIS as well.

Assign permission

This is a very important part and is missing from many blogs I came across.

  • Open the Management Console (mmc).
  • From File > Add/Remove Snap-in, select Certificates > Local computer.
  • Open Personal > Certificates. Select the certificate, right-click > All Tasks > Manage Private Keys.
  • Add the App Pool user under Security and assign the permissions Full control and Read.

Select the certificate in IIS

Now comes the simplest step: go to your website in IIS, open Bindings, select the appropriate binding and choose the certificate in it.

IMP: It is very important to restart the website. If possible, restart the AppPool and IIS too.

Open the XDB website and confirm that it loads. Once the XDB site is working, we will change the thumbprint in the different files in the next step.

Change the thumbprint in the files/locations below

This list is from Varun’s blog – https://varunvns.wordpress.com/2019/05/21/sitecore-9-1-locations-of-xconnect-certificate-thumbprint/

  • Sitecore XConnect
    • AppSettings.config
      • Key – validateCertificateThumbprint
  • Marketing Automation Service
    • ConnectionStrings.config
      • Name – xconnect.collection.certificate
  • Search Indexer
    • None
  • Processing Engine
    • ConnectionStrings.config
      • Name – xconnect.collection.certificate
      • Name – xconnect.configuration.certificate
      • Name – xconnect.search.certificate
  • Sitecore Instance
    • ConnectionStrings.Config
      • Name – sitecore.reporting.client.certificate
      • Name – xconnect.collection.certificate
      • Name – xdb.marketingautomation.operations.client.certificate
      • Name – xdb.marketingautomation.reporting.client.certificate
      • Name – xdb.referencedata.client.certificate
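The following PowerShell script is an added example, not part of the original post or of the referenced blogs. It automates the thumbprint step across the files listed above: it checks that the new certificate is actually present in LocalMachine\My with a private key and is not expired, then swaps the old thumbprint for the new one in each config file (taking a .bak copy first). Run it on every role's server (XDB, CM, CD). The config paths are assumed defaults; adjust them to your installation.

```powershell
# Added example (not from the original post): verify the new xConnect client
# certificate and rewrite its thumbprint in the Sitecore config files.
param(
    [Parameter(Mandatory)] [string] $NewThumbprint,
    [Parameter(Mandatory)] [string] $OldThumbprint,
    # Assumed install roots; change to match your environment.
    [string[]] $ConfigFiles = @(
        'C:\inetpub\wwwroot\sc.xconnect\App_Config\AppSettings.config',
        'C:\inetpub\wwwroot\sc.xconnect\App_Config\ConnectionStrings.config',
        'C:\inetpub\wwwroot\sc.cm\App_Config\ConnectionStrings.config'
    )
)

# Normalise thumbprints: drop spaces/colons copied from the MMC dialog, upper-case hex.
$NewThumbprint = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$OldThumbprint = ($OldThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($NewThumbprint.Length -ne 40) { throw "New thumbprint must be 40 hex characters." }

# Pre-flight on this server: the cert must exist in LocalMachine\My, carry a
# private key and be within its validity period, otherwise the 'Forbidden'
# error in the logs will simply come back after the config change.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "Certificate $NewThumbprint is not in LocalMachine\My on this server." }
if (-not $cert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key; re-import the PFX." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $NewThumbprint expired on $($cert.NotAfter)." }
Write-Host "Using '$($cert.Subject)', valid until $($cert.NotAfter)"

foreach ($file in $ConfigFiles) {
    if (-not (Test-Path -Path $file)) { Write-Warning "Skipping missing file $file"; continue }
    $content = Get-Content -Path $file -Raw
    # -match / -replace are case-insensitive, so mixed-case thumbprints are found too.
    if ($content -notmatch $OldThumbprint) { Write-Host "Old thumbprint not present in $file"; continue }
    Copy-Item -Path $file -Destination "$file.bak" -Force        # rollback copy
    $updated = $content -replace $OldThumbprint, $NewThumbprint
    Set-Content -Path $file -Value $updated -NoNewline
    Write-Host "Updated thumbprint in $file"
}
Write-Host "Done. Restart the affected websites and app pools (see the IMP note above)."
```

The script does not grant private-key permissions; the Manage Private Keys step in MMC described above still has to be done for the App Pool user.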

Still getting the error?

In some scenarios, we still face the issue and the error will be:

  • HTTP Error 403.16 – Forbidden: Your client certificate is either not trusted or is invalid.
  • The certificate with “XXXXX” thumbprint is not found

If you are seeing these issues, check your environment.

Do you have a separate XDB server? If yes, you need to install the same cert on the CM and CD servers as well. In general, we change the cert on the XDB server only, but the CM server is the one calling XDB, and these certs are used for client authentication. Because of that, we need to install the same cert on the CM and CD as well. Follow the same steps, including the permissions, and check that XDB is working and that CM is able to access it. You will then be able to see the graph on the Launchpad and more data in Experience Analytics.

Allow invalid Client certificates

This is a shortcut and only for development environments. It is not recommended for production environments.

You can set the value “AllowInvalidClientCertificates” to “true”. Details at https://darjimaulik.wordpress.com/2021/06/02/xconnect-allow-invalid-certificate/

Below are references to the articles which helped me in creating this blog. Refer to them if you are still facing the issue.