Command execution failed: The certificate of type “WebServicesExternal” cannot be assigned locally because it is assigned from the central management store


An interesting one today, something I didn’t think was possible, but apparently, it is!

A customer was able to assign an externally issued wildcard cert to the global scope, which, like the OAuth certificate, is stored in the Central Management Store and replicated to all servers. The result was that all Edge servers and Front End servers had this certificate assigned for their External services. When trying to change this via the Deployment Wizard I got the following error:

Checking things out from PowerShell, I could see things more clearly. Running the following command I could see all of the certificates scoped to “Global”:

Typically I would expect to only see the OAuth certificate here, but in this case External services across Front End and Edge servers were listed. I’m not sure whether or not this case should be possible, so if anyone knows please let us all know in the comments section below.

Here’s an example:

To get rid of the incorrectly assigned certificates I ran the following command for each “Use” I wanted to remove. In this example, “Use” = “AccessEdgeExternal”:

After removing all the certs, I went back to the Deployment Wizard and was able to successfully assign all the correct certificates at the “Local” server scope:
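The audit-and-remove steps described above, as an added example that is not the author's original commands: it lists every certificate assigned at the Global scope, records the list, and previews removal of each unexpected “Use”. It assumes the Lync/Skype for Business Server Management Shell, that `Get-CsCertificate` and `Remove-CsCertificate` are the cmdlets the post refers to, that only the OAuth certificate (`OAuthTokenIssuer`) belongs at Global scope, and a backup file name chosen for illustration.

```powershell
# Added example; run in the Lync / Skype for Business Server Management Shell.
# Assumption: the only "Use" that should exist at Global scope is the OAuth certificate.
$expectedGlobalUses = @('OAuthTokenIssuer')

# Everything assigned at Global scope lives in the Central Management Store
# and is replicated to every server, so list it first.
$globalCerts = @(Get-CsCertificate -Identity Global)
$globalCerts | Format-Table Use, Subject, Thumbprint, NotAfter -AutoSize

# Keep a record of the current assignments before changing anything.
# (File name is a placeholder chosen for this example.)
$globalCerts |
    Select-Object Use, Subject, Issuer, Thumbprint, SerialNumber, NotAfter |
    Export-Csv -Path .\global-scope-certs-before.csv -NoTypeInformation

# Any other "Use" at Global scope (e.g. AccessEdgeExternal, WebServicesExternal)
# is an assignment that blocks local assignment on the servers.
$unexpected = @($globalCerts | Where-Object { $expectedGlobalUses -notcontains "$($_.Use)" })

if ($unexpected.Count -eq 0) {
    Write-Host 'No unexpected certificate assignments at Global scope.'
}
else {
    foreach ($cert in $unexpected) {
        Write-Warning "Global-scope assignment found: Use=$($cert.Use) Thumbprint=$($cert.Thumbprint)"

        # -WhatIf only previews the change. Remove -WhatIf to unassign the
        # certificate for this "Use" from the Global scope.
        Remove-CsCertificate -Identity Global -Type "$($cert.Use)" -WhatIf
    }
}

# After the real removal, confirm that only the expected uses remain at Global scope.
Get-CsCertificate -Identity Global | Format-Table Use, Subject, Thumbprint -AutoSize
```

Once the Global scope lists only the OAuth certificate, the certificates can be assigned per server through the Deployment Wizard as described.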

Hope that helps someone out! Thanks for reading.