The client certificate for Sitecore deployments

Current version: 9.0

The Sitecore Experience Platform is designed to be secure by default. This means that the Sitecore roles use the Secure Sockets Layer (SSL) with client certificate validation to communicate with each other.

The client certificate validation requires you to set up a client certificate as part of the Sitecore installation process on Azure. You can choose to generate a self-signed certificate to meet this installation requirement or obtain one from a certificate authority.

Layers of security

All communication between Sitecore instances, including the xConnect web services, occurs over HTTPS. HTTPS requires that you obtain and set up certificates for the SSL before you install the platform.

The Sitecore Experience Platform has the following layers of security:

  • SSL – the xConnect server roles support an additional layer of security, known as SSL Client Certificate Authentication. The xConnect web services use server-to-server communication and are non-interactive. This means the client certificate allows Content Management and other server roles to connect securely to Web API services using a client certificate and a pre-shared key, or thumbprint.

  • Server authentication – uses a server-side certificate and a private key to encrypt traffic between the HTTP client and the HTTP server application. This type of authentication prevents unencrypted content from traveling over an un-secure network and protects against snooping. It does not identify who the client is, and server authentication by itself does not discriminate who can connect to the server.

  • Client certificate authentication – is an additional layer of security on top of server authentication and validates that the individual HTTP client is authorized to connect to the HTTP server. It also requires that the HTTP client instance is configured with a specific client certificate and private key, which are both used to connect to the SSL protected server(s).

Generating or obtaining the certificate

A self-signed certificate is certificate that has been signed with your own private key instead of the key of an authorized organization.

For developer environments, you can generate a self-signed certificate using PowerShell. For productions environments, Sitecore recommends you obtain a certificate from a certified authority because of potential security concerns.


Sitecore requires a Base64-encoded blob of the authentication certificate in PKCS #12 format (.pfx) for service communications.

If you want to generate a new self-signed certificate to use to deploy Sitecore with the Sitecore Azure Toolkit, run the following script in an elevated PowerShell console:


$thumbprint = (New-SelfSignedCertificate `
    -Subject "CN=$env:COMPUTERNAME @ Sitecore, Inc." `
    -Type SSLServerAuthentication `
    -FriendlyName "$env:USERNAME Certificate").Thumbprint

To export the certificate from local storage to a file on a disk and protect it with a password, run the following script in an elevated PowerShell console:


$certificateFilePath = "D:\Temp\$thumbprint.pfx"
Export-PfxCertificate `
    -cert cert:\LocalMachine\MY\$thumbprint `
    -FilePath "$certificateFilePath" `
    -Password (Read-Host -Prompt "Enter password that would protect the certificate" -AsSecureString)


To create a certificate for Sitecore Experience Commerce, use the following code and go to: Sitecore Experience Commerce 9.2 Initial Release. Under Release information, click Installation Guide - Azure App Service. In the Sitecore Experience Commerce Installation Guide for the Azure App Service .pdf, refer to the Preparing your environment section.


$CertificateFriendlyName = "Sitecore Commerce Services SSL Certificate"

$thumbprint = (New-SelfSignedCertificate `

                         -Subject $CertificateDnsName `

                         -DnsName $CertificateDnsName `
                         -KeyAlgorithm RSA `

                         -KeyLength 2048 `

                         -NotBefore (Get-Date) `

                         -NotAfter (Get-Date).AddYears(5) `

                         -CertStoreLocation $CertificateStore `

                         -FriendlyName $CertificateFriendlyName `

                         -HashAlgorithm SHA256 `

                         -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `

                         -KeySpec Signature `

                         -TextExtension @("{text}")


Do you have some feedback for us?

If you have suggestions for improving this article,