Overview

Managed Cloud PaaS 2.0 customers are required to use their own domain/certificate when requesting a new environment through the ServiceNow portal, as shown below.

If a customer does not provide a certificate during the initial environment provisioning, the default Managed Cloud domain and certificate will be used for deployment. However, note that Sitecore is not responsible for maintaining this certificate. The customer is fully responsible for replacing their own certificate.

Refer to the instructions below on how to replace your certificate in PaaS 2.0.

Guide to update certificate in PaaS 2.0

This is a general guide for updating a certificate in a PaaS 2.0 environment where the certificate is stored in an Azure Key Vault. Azure resources such as App Services, Front Door, and Application Gateway reference the certificate directly from the Key Vault, so updating the certificate in the Key Vault automatically propagates the changes to these resources.

Step 1: Identify the related hub

Locate the Hub associated with the Spoke where the certificate is being used.
If you do not have this information, you can find the relationship by checking the virtual network peering settings.

Step 2: Update Key Vault access policies

1. Navigate to the Key Vault within the Hub resource group.
2. Update the Key Vault access policies to grant your personal account the necessary certificate permissions:
   • Get, List, Update, Create, Import
   
   
   Note: Ensure you have the appropriate permissions to modify the Key Vault access policies.

Step 3: Locate the certificate

• Resource Group Name: Typically follows the pattern "mc2-<unique-id>".
• Certificate Name: Typically follows the pattern "sitecore-certificate-<unique-id>".
  

Step 4: Create a new version of the certificate

1. Click on the identified certificate in the Key Vault.
2. Click New Version.
   
   
   
   
3. Choose Import and upload the correct .pfx file.
   
   

Step 5: Force certificate update (optional)

1. To force the certificate update, navigate to one of the web apps in the resource group.
2. Locate the certificate in the web app's settings.
3. Use the Sync option from the certificate details section to ensure the update is applied immediately.
   
   
   
   Note: Azure Front Door takes up to 72 hours for the new version of the certificate/secret to be deployed. Application Gateway refreshes it in a 4 hour time interval and the respective time for App Services is 24 hours if the aforementioned Sync option is not used. No downtime is expected from this operation if it is done on time.

Troubleshooting

If you encounter issues during the certificate update, ensure that:

• Your account has the necessary permissions in the Key Vault.
• The .pfx file is valid and correctly formatted.
• The virtual network peering is properly configured.

If you need further assistance, contact the Sitecore Support or refer to the Microsoft official documentation.