Sitecore Experience Manager

The client certificate for Sitecore deployments


Learn about the Sitecore security layers.

The Sitecore Experience Platform is designed to be secure by default. This means that the Sitecore roles use the Secure Sockets Layer (SSL) with client certificate validation to communicate with each other.

The client certificate validation requires you to set up a client certificate as part of the Sitecore installation process on Azure. You can choose to generate a self-signed certificate to meet this installation requirement or obtain one from a certificate authority.

This topic describes:

All communication between Sitecore instances, including the xConnect web services, occurs over HTTPS. HTTPS requires that you obtain and set up certificates for the SSL before you install the platform.

The Sitecore Experience Platform has the following layers of security:

  • SSL – the xConnect server roles support an additional layer of security, known as SSL Client Certificate Authentication. The xConnect web services use server-to-server communication and are non-interactive. This means the client certificate allows Content Management and other server roles to connect securely to WebAPI services using a client certificate and a pre-shared key, or thumbprint.

  • Server authentication – uses a server-side certificate and a private key to encrypt traffic between the HTTP client and the HTTP server application. This type of authentication prevents unencrypted content from traveling over an un-secure network and protects against snooping. It does not identify who the client is, and server authentication by itself does not discriminate who can connect to the server.

  • Client certificate authentication – is an additional layer of security on top of server authentication and validates that the individual HTTP client is authorized to connect to the HTTP server. It also requires that the HTTP client instance is configured with a specific client certificate and private key, which are both used to connect to the SSL protected server(s).

A self-signed certificate is certificate that has been signed with your own private key instead of the key of an authorized organization.

For developer environments, you can generate a self-signed certificate using PowerShell. For productions environments, you must obtain a certificate from a certified authority because of potential security concerns.


Sitecore requires a Base64-encoded blob of the authentication certificate in PKCS #12 format (.pfx) for service communications.

If you want to generate a new self-signed certificate to use to deploy Sitecore with the Sitecore Azure Toolkit, run the following script in an elevated PowerShell console:

$thumbprint = (New-SelfSignedCertificate `
    -Subject "CN=$env:COMPUTERNAME @ Sitecore, Inc." `
    -Type SSLServerAuthentication `
    -FriendlyName "$env:USERNAME Certificate").Thumbprint

To export the certificate from local storage to a file on a disk and protect it with a password, run the following script in an elevated PowerShell console:

$certificateFilePath = "D:\Temp\$thumbprint.pfx"
Export-PfxCertificate `
    -cert cert:\LocalMachine\MY\$thumbprint `
    -FilePath "$certificateFilePath" `
    -Password (Read-Host -Prompt "Enter password that would protect the certificate" -AsSecureString)