{"id":4598,"date":"2023-12-25T02:14:54","date_gmt":"2023-12-25T02:14:54","guid":{"rendered":"https:\/\/www.qedge.co\/blog\/?p=4598"},"modified":"2025-08-13T06:35:27","modified_gmt":"2025-08-13T06:35:27","slug":"sitecore-renew-ssl-certificate","status":"publish","type":"post","link":"https:\/\/www.qedge.ai\/blog\/sitecore-renew-ssl-certificate.html","title":{"rendered":"Sitecore Renew SSL Certificate in a Local Development Environment"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Having a valid SSL certificate is crucial for running Sitecore securely. However, the default self-signed certificates generated during local Sitecore installations expire after one year. Once expired, you'll start seeing errors when trying to access the Sitecore login page or content management interfaces.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Thankfully, renewing <a href=\"https:\/\/www.qedge.co\/blog\/complex-digital-challenge-answer-is-sitecore.html\" target=\"_blank\" rel=\"noreferrer noopener\">Sitecore<\/a>'s expired SSL certificates is straightforward with some key PowerShell commands. 
In this comprehensive guide, we'll walk through the step-by-step process to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check and remove any expired certificates<\/li>\n\n\n\n<li>Generate new self-signed certificates<\/li>\n\n\n\n<li>Assign the certificates to the appropriate IIS sites and application pools<\/li>\n\n\n\n<li>Update configurations to use the new certificate thumbprints<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">After following these steps, your local Sitecore instance will once again have <a href=\"https:\/\/wputopia.com\/contact\/405.php\" target=\"_blank\" rel=\"noopener\">valid SSL certificates<\/a> enabling secure access.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"900\" src=\"https:\/\/www.qedge.co\/blog\/wp-content\/uploads\/2023\/12\/1.png\" alt=\"Sitecore Renew SSL Certificate in a Local Development Environment\" class=\"wp-image-5063\" srcset=\"https:\/\/www.qedge.ai\/blog\/wp-content\/uploads\/2023\/12\/1.png 1600w, https:\/\/www.qedge.ai\/blog\/wp-content\/uploads\/2023\/12\/1-768x432.png 768w, https:\/\/www.qedge.ai\/blog\/wp-content\/uploads\/2023\/12\/1-1536x864.png 1536w, https:\/\/www.qedge.ai\/blog\/wp-content\/uploads\/2023\/12\/1-720x405.png 720w, https:\/\/www.qedge.ai\/blog\/wp-content\/uploads\/2023\/12\/1-580x326.png 580w, https:\/\/www.qedge.ai\/blog\/wp-content\/uploads\/2023\/12\/1-320x180.png 320w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Prerequisites<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Before starting, make sure you have:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Local administrator access to the Sitecore server<\/li>\n\n\n\n<li>PowerShell 5.1 or later<\/li>\n\n\n\n<li><a href=\"https:\/\/dev.sitecore.net\/Downloads\/Sitecore_Installation_Framework\/2x\/Sitecore_Installation_Framework_200.aspx\" target=\"_blank\" rel=\"noopener\">SIF<\/a> module 
installed<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">You'll also need to know the names of your Sitecore and xConnect IIS sites. The defaults are typically <code>sc9<\/code> and <code>sc9_xconnect<\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Find and Remove Expired Certificates<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The first step is identifying and removing any expired certificates from the certificate stores.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To see your current certificates, run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-ChildItem Cert:\\LocalMachine\\My<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You can then filter down to just the expired certs:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-ChildItem Cert:\\LocalMachine\\My | Where-Object { $_.NotAfter -lt (Get-Date) }<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once you've identified the expired certificates, remove them by matching on the thumbprint of the certificate to delete and piping the results to <code>Remove-Item<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-ChildItem -Path cert: -Recurse | Where-Object { $_.Thumbprint -like \"*D3590ED6A4DCD4BD*\" } | Remove-Item<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Repeat this process for the <code>Cert:\\LocalMachine\\Root<\/code> store to remove any outdated root certificates as well.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Generate New Self-Signed Sitecore Certificates<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">With the old certificates removed, we can now generate new ones with PowerShell and the SIF modules.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To create a certificate for the main Sitecore IIS site (typically <code>sc9<\/code>), run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\\Add-SSLSiteBindingWithCertificate.ps1 -SiteName sc9 -Port 443 -HostName sc9.local<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And for xConnect:<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>.\\Add-SSLSiteBindingWithCertificate.ps1 -SiteName sc9_xconnect -HostName sc9_xconnect.local<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This will generate new self-signed certificates and automatically assign them to the respective IIS sites.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Generate Client Certificate for xConnect<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In addition to the site-level certificates, xConnect also needs a client certificate for authentication. The <code>install-xp0.ps1<\/code> script from SIF can handle generating this certificate.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Open the script in an editor, and comment out all sections except for the client certificate part:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Comment out all sections except:\n\n#region Install Client Certificate For XConnect\nWrite-Host \"Install Client Certificate For XConnect\" -ForegroundColor Green\n$certParams = @{\n    # Import-PfxCertificate expects -FilePath, a target store and a SecureString password\n    FilePath = \"$PSScriptRoot\\xConnect-client.pfx\"\n    CertStoreLocation = \"Cert:\\LocalMachine\\My\"\n    Password = ConvertTo-SecureString \"test\" -AsPlainText -Force\n}\n\n# Import Certificate (returns the imported certificate object)\n$cert = Import-PfxCertificate @certParams\n\n# Give Network Service Permissions\n# Grant-PermissionToCert is assumed to be a helper defined elsewhere in the script; it is not a built-in cmdlet\nGrant-PermissionToCert $cert.Thumbprint \"Network Service\"\n#endregion<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Save your changes and run the edited script to generate the new xConnect client certificate.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Update IIS Bindings<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">At this point, the new certificates are installed but not yet assigned to our IIS sites.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Open IIS Manager, select the Sitecore IIS site (<code>sc9<\/code>), and go to the Bindings settings. 
Update the HTTPS binding to use the newly generated cert for the site.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Repeat the same process for the xConnect IIS site to assign its new certificate.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Update Connection Strings and Settings<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The last step is to update our configuration files to use the new certificate thumbprints.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In <code>App_Config\/AppSettings.config<\/code>, update the <code>validateCertificateThumbprint<\/code> setting:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;add key=\"validateCertificateThumbprint\" value=\"YOUR-NEW-THUMBPRINT\" \/&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then in <code>App_Config\/ConnectionStrings.config<\/code>, update the xConnect collection and certificate thumbprints:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;add name=\"xconnect.collection\" connectionString=\"https:\/\/sc9_xconnect.local\" \/&gt;\n&lt;add name=\"xconnect.collection.certificate\" connectionString=\"StoreName=My;StoreLocation=LocalMachine;FindType=FindByThumbprint;FindValue=YOUR-NEW-XCONNECT-THUMBPRINT\"\/&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">That's it! After updating the configs, restart IIS and your local Sitecore instance should now be running with valid SSL certificates again.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Troubleshooting Common SSL Certificate Issues<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Here are some common issues and fixes when working with Sitecore certificates:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Sitecore login page doesn't load, getting 403.16 error:<\/strong> This means the client certificate was not assigned permission to the IIS application pool identity. 
Rerun the <code>Grant-PermissionToCert<\/code> command to fix.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Invalid client certificate error in logs:<\/strong> The new client certificate thumbprint wasn't updated in <code>xconnect.collection.certificate<\/code>. Double check the value matches the recently generated cert.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Incorrect SSL validation error:<\/strong> The <code>validateCertificateThumbprint<\/code> setting wasn't updated with the new Sitecore instance certificate. Verify the thumbprint value is correct.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>SSL certificate warning still showing:<\/strong> You may need to close all browsers, clear caches, and restart IIS to fully refresh the new certificates. Also check there aren't old self-signed certs still in the root store.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.qedge.co\/blog\/sitecore-maintenance-services.html\" target=\"_blank\" rel=\"noreferrer noopener\">Keeping Sitecore certificates valid<\/a> is important for maintaining a secure CMS. This guide provides an easy PowerShell-driven process for regenerating new self-signed certificates and assigning them properly for local Sitecore instances.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With the steps outlined here, you can proactively renew your Sitecore certificates before they expire and avoid disruptions from invalid SSL errors. Automating portions of the renewal process can further simplify keeping your certificates up-to-date.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Having a valid SSL certificate is crucial for running Sitecore securely. However, the default self-signed certificates generated during local Sitecore installations expire after one year. Once expired, you'll start seeing errors when trying to access the Sitecore login page or content management interfaces. 
Thankfully, renewing Sitecore's expired SSL certificates is straightforward with some key PowerShell [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4605,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-4598","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-insights"],"views":6766,"_links":{"self":[{"href":"https:\/\/www.qedge.ai\/blog\/wp-json\/wp\/v2\/posts\/4598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.qedge.ai\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.qedge.ai\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.qedge.ai\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.qedge.ai\/blog\/wp-json\/wp\/v2\/comments?post=4598"}],"version-history":[{"count":9,"href":"https:\/\/www.qedge.ai\/blog\/wp-json\/wp\/v2\/posts\/4598\/revisions"}],"predecessor-version":[{"id":7912,"href":"https:\/\/www.qedge.ai\/blog\/wp-json\/wp\/v2\/posts\/4598\/revisions\/7912"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.qedge.ai\/blog\/wp-json\/wp\/v2\/media\/4605"}],"wp:attachment":[{"href":"https:\/\/www.qedge.ai\/blog\/wp-json\/wp\/v2\/media?parent=4598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.qedge.ai\/blog\/wp-json\/wp\/v2\/categories?post=4598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.qedge.ai\/blog\/wp-json\/wp\/v2\/tags?post=4598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}