XConnect certificate expiry

So, the SIF install scripts for Sitecore create certificates for securing the XConnect communication. There are 4 certificates involved – 2 “DO_NOT_TRUST_XXX” trusted root certs for signing 2 other certs, and those 2 are a) for the IIS XConnect site binding (as normal with HTTPS), and b) one for the XConnect client.

Unfortunately, these only last for a year… and the process of renewing them isn’t well documented.

First, though, what is the XConnect client cert? Well, there’s a good description here, but in short, both client and server have certificates so that each side can validate the other (mutual TLS). This is not the same as when a browser (any old browser) connects over HTTPS, where only the server presents a certificate.

Anyway, the problem is that your certificates have expired. If you go to Certificate Management and look at the expiry date, it will be in the past. Now, the plan for handling this is as documented here:

Remove the existing certificates from the certificate store. Note that when you open the Certificate Management snap-in, you can open it for the current user or the local machine. These show you different stores, and your certificates are in both. You need to remove them from both. Make sure you remove the DO_NOT_TRUST_SitecoreRootCert and DO_NOT_TRUST_SitecoreFundamentalsRoot certificates.

Remove the certificates from disk. They’re written to disk by the install scripts. For mine, C:\certificates was used.

Re-run the relevant part of the install script. This should be something like:

Import-Module SitecoreInstallFramework
# Same prefix, paths and host names you used for the original SIF install
$prefix = "example"
$PSScriptRoot = "C:\blah\Installation\SC9.0.2\Config Folder"
$XConnectCollectionService = "example.xconnect.local"
$sitecoreSiteName = "example.local"
# Install client certificate for xconnect
$certParams = @{
    Path = "$PSScriptRoot\xconnect-createcert.json"
    CertificateName = "$prefix.xconnect_client"
}
Install-SitecoreConfiguration @certParams -Verbose

This will regenerate the xconnect client certificate. It won’t do the IIS binding certificate (see below).

Export and import onto other machines as required.
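Before removing anything, and again after re-running the script, it helps to see exactly which certificates are in play and whether they have expired. The following PowerShell is an added example, not part of the original post or of SIF: it walks the personal and trusted-root stores for both the current user and the local machine, picks out the certificates whose subject or issuer matches the SIF naming (the `DO_NOT_TRUST_` roots and anything containing `xconnect`; adjust `$Patterns` if your install named them differently) and flags the expired ones.

```powershell
# Added example (not from the original post): inventory the SIF-generated certificates in
# both the CurrentUser and LocalMachine stores and flag the ones that have expired.
# $Patterns assumes the default SIF naming; change it if your certificates are named differently.
$Patterns = @('DO_NOT_TRUST_', 'xconnect')
$Stores   = @('Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root',
              'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root')

$now = Get-Date
$report = foreach ($store in $Stores) {
    if (-not (Test-Path $store)) { continue }
    Get-ChildItem -Path $store | Where-Object {
        $cert = $_
        # keep the certificate if any pattern matches its subject or its issuer
        $Patterns | Where-Object { $cert.Subject -match $_ -or $cert.Issuer -match $_ }
    } | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            # negative means the certificate has already expired
            DaysLeft   = [int]($_.NotAfter - $now).TotalDays
            HasKey     = $_.HasPrivateKey
        }
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize

$expired = @($report | Where-Object { $_.DaysLeft -lt 0 })
if ($expired.Count -gt 0) {
    Write-Warning ("{0} certificate(s) have expired and need to be removed and regenerated." -f $expired.Count)
}
```

Run it in an elevated PowerShell session so the LocalMachine stores are readable. The `Store` column is the point: the same certificate often appears under both CurrentUser and LocalMachine, and the post's step of removing it from both is exactly what this list lets you confirm afterwards. After the SIF script has run, the same command shows the new thumbprint you need for the config files.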

Now, I did have some additional steps to do:

Find and replace the thumbprint of the old client certificate with the new one. This is in ConnectionStrings.config, and should be replaced in all *.config files in the two sites (Sitecore and XConnect). Restart the sites, and the services.
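Doing the find-and-replace by hand across two site folders is error-prone, so here is an added PowerShell example (not from the original post) that does it for every `*.config` file under both site roots. The site paths and the two thumbprint values are placeholders for your environment; the script refuses to run unless the new thumbprint is actually installed with a private key in the LocalMachine store, so a mistyped thumbprint cannot be written into every config file, and it keeps a `.bak` copy of each file it changes.

```powershell
# Added example (not from the original post): replace the old client-certificate thumbprint
# with the new one across all *.config files of both sites, backing up each changed file.
# $SiteRoots, $OldThumbprint and $NewThumbprint are placeholders for your environment.
$SiteRoots     = @('C:\inetpub\wwwroot\example.local', 'C:\inetpub\wwwroot\example.xconnect.local')
$OldThumbprint = 'OLD_THUMBPRINT_PLACEHOLDER'
$NewThumbprint = 'NEW_THUMBPRINT_PLACEHOLDER'

# Sanity check first: the new certificate must exist in LocalMachine\My and carry a private key.
$newCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $newCert)                { throw "Certificate $NewThumbprint not found in Cert:\LocalMachine\My" }
if (-not $newCert.HasPrivateKey)  { throw "Certificate $NewThumbprint has no private key" }

$changed = foreach ($root in $SiteRoots) {
    if (-not (Test-Path $root)) { Write-Warning "Site root not found: $root"; continue }
    Get-ChildItem -Path $root -Filter *.config -Recurse -File | ForEach-Object {
        $content = Get-Content -Path $_.FullName -Raw
        # thumbprints are hex, so match case-insensitively to catch mixed-case copies
        if ($content -imatch [regex]::Escape($OldThumbprint)) {
            Copy-Item -Path $_.FullName -Destination "$($_.FullName).bak" -Force
            $updated = $content -ireplace [regex]::Escape($OldThumbprint), $NewThumbprint
            Set-Content -Path $_.FullName -Value $updated -NoNewline
            $_.FullName   # emit the path so the caller gets a list of touched files
        }
    }
}

"Updated {0} file(s):" -f @($changed).Count
$changed
```

Once it reports the changed files, restart the two sites and the XConnect Windows services as the post says; the old thumbprint stays in the `.bak` copies if you need to roll back. Deleting the `.bak` files afterwards is a good idea, since they are a copy of a config file sitting inside the web root.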

Create a new trusted certificate for your IIS binding. Just do it as normal, remembering to add the certificate to the trusted root certs.

Grant permissions on the certs to the application pool. This is as described here. Without this, I was getting the error:

The request was aborted: Could not create SSL/TLS secure channel.

Go to your certificate in Certificate Manager, right click on it, and Manage Private Keys:

Grant rights to your IIS Application Pool identity (so the IIS App Pool account, or Network Service).
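The "Manage Private Keys" dialog is just editing the ACL on the file that holds the private key, so the same grant can be scripted, which is handy when you have several machines to repeat this on. The following PowerShell is an added example, not from the original post: it looks up the certificate by thumbprint, finds its key file in the machine key store (it handles both the older CSP key location and the CNG one; the thumbprint and app pool name are placeholders) and grants the app pool identity Read only, which is all it needs to use the key for TLS and avoids handing the site the right to delete or replace it.

```powershell
# Added example (not from the original post): grant the IIS application pool identity Read
# access to a certificate's private key, the scripted equivalent of "Manage Private Keys".
# $Thumbprint and $AppPoolName are placeholders. The key-file lookup assumes the key was
# created in the machine key store under %ProgramData% (the default for machine certificates).
$Thumbprint  = 'CLIENT_CERT_THUMBPRINT_PLACEHOLDER'
$AppPoolName = 'example.xconnect.local'    # grants to the virtual account "IIS AppPool\<name>"
$identity    = "IIS AppPool\$AppPoolName"  # use 'NT AUTHORITY\NETWORK SERVICE' if the pool runs as Network Service

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key to grant access to" }

# Locate the private key container: CSP keys expose CspKeyContainerInfo, CNG keys expose Key.UniqueName.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
} else {
    $keyName = $rsa.Key.UniqueName
    $keyDirs = @("$env:ProgramData\Microsoft\Crypto\Keys",
                 "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
}
$keyFile = $keyDirs | ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found under $($keyDirs -join ', ')" }

# Read is enough for TLS client authentication; Full Control would let the site delete or replace the key.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

"Granted Read on the private key of $($cert.Subject) to $identity"
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -like "*$AppPoolName*" -or $_.IdentityReference -like '*NETWORK SERVICE*' } |
    Format-Table IdentityReference, FileSystemRights -AutoSize
```

Run it elevated. If the script throws on the key-file lookup, the key is stored somewhere other than the machine key store (a user-profile key, for instance), and the dialog in Certificate Manager remains the safe fallback. The final `Get-Acl` listing is the check that the entry really landed, which is the same thing you would eyeball in the dialog before restarting the app pool.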

And that should be the end of the process – though comment here if you discover anything more.
