ProfileUnity Certificate Thumbprint Alignment
Understanding Which Thumbprints Must Match, Where to Find Them, and How to Correct Mismatches
ℹ️ About This Article: ProfileUnity uses three certificates: one for MongoDB (ProfileUnity-Mongo), one for the License Server, and one for the web console (Liquidware Certificate). When these certificates are changed or renewed, the thumbprint values in the associated configuration files must be updated to match. This article explains which thumbprints must be kept in sync, where to find the correct values, and how to fix a mismatch.
⚠ IMPORTANT — Review with Liquidware Support if You Have Questions or Before Making Changes
ℹ️ Advanced Configuration — For Experienced Administrators: The settings and procedures covered in this article involve direct modification of certificate configuration files on the ProfileUnity server. They are intended for experienced administrators who are comfortable working with Windows certificate stores and ProfileUnity service configuration. Most deployments will not require manual thumbprint updates outside of the standard certificate import workflow in the ProfileUnity Console. Not sure whether a change is right for your environment? Liquidware Technical Support is happy to help. Our engineers will review the proposed change in the context of your specific deployment before anything is applied.
The Three Certificates
ProfileUnity uses three distinct certificates. Each one has a different purpose and is referenced in different places:
- ProfileUnity-Mongo certificate — This is the TLS certificate MongoDB uses to secure database connections. Its thumbprint must be set correctly in two places: the MongoDB configuration file and the License Server XML file. These two values must always match.
- Liquidware ProfileUnity License Server certificate — This is the License Server’s own identity certificate. Its thumbprint is only referenced in one place: the License Server XML file. It is a separate value from the Mongo cert thumbprint in the same file.
- Liquidware Certificate (Console) — This is the web console TLS certificate. It is generated and managed automatically by the ProfileUnity service and is not referenced by thumbprint in any configuration file. You do not need to update any settings when this cert is regenerated.
In a Cluster: Each node in a ProfileUnity cluster has its own ProfileUnity-Mongo certificate with its own unique thumbprint. On each node, mongod.cfg and MongoCertStoreThumbprint in the License Server XML must match each other. The thumbprint values will differ between nodes — that is expected and correct.
Thumbprint Alignment Reference
The table below shows which certificate thumbprint must appear in which configuration file, and where to get the correct value for each.
| Certificate | Thumbprint Must Match In... | Where to Get the Value | Notes |
| ProfileUnity-Mongo (used by MongoDB for TLS) | mongod.cfg: certificateSelector: thumbprint= and LicenseServer.exe.xml: MongoCertStoreThumbprint | Open certmgr.msc → Local Computer → Personal → Certificates. Find the certificate named ProfileUnity-Mongo and copy its thumbprint from the Details tab. | Both files must have the same thumbprint value. In a cluster, each node has its own ProfileUnity-Mongo cert with its own unique thumbprint — values will differ between nodes. |
| License Server cert (License Server identity) | LicenseServer.exe.xml: CertStoreThumbprint | Open certmgr.msc → Local Computer → Personal → Certificates. Find the certificate named "Liquidware ProfileUnity License Server" and copy its thumbprint. | Only referenced in one place. Get the thumbprint from certmgr.msc — do not copy it from mongod.cfg. |
| Liquidware Certificate (web console TLS) | Not referenced by thumbprint in any configuration file. Managed automatically by the ProfileUnity service. | No manual update needed. To regenerate: delete from both Trusted Root and Personal in certmgr.msc, then restart the ProfileUnity service. | Self-generated by the service. If the web console shows a certificate error, see the Scenario section below. |
To remove the self-signed certificates and use your own, follow this process:
Remove ProfileUnity Self Signed Certs
How to Find and Copy a Thumbprint
All three ProfileUnity certificates are stored in the Windows machine certificate store on the ProfileUnity server. To find a thumbprint:
- Press Windows + R, type certmgr.msc, and press Enter.
- In the left panel, expand Local Computer → Personal → Certificates.
- Locate the certificate you need (ProfileUnity-Mongo or Liquidware ProfileUnity License Server).
- Double-click the certificate to open it, then click the Details tab.
- Scroll down to the Thumbprint field and click it. The thumbprint value will appear in the box below. Select all and copy it.
- Remove any leading space before pasting. Windows sometimes inserts a non-printing character at the start of the thumbprint when copying — delete and retype the first character if the service fails to start after updating the value.
Thumbprint Format: Thumbprints are hex strings without spaces or separators, for example: 78E6B34F82D9901552B69CA66F997151CBA7EAE9. The value in mongod.cfg and in the License Server XML must be in this exact format with no extra spaces, line breaks, or special characters.
Where to Update the Thumbprint Values
File 1 — mongod.cfg (MongoDB configuration)
Location: C:\Program Files\MongoDB\mongod.cfg
Find the tls section and update the thumbprint value:
net:
  tls:
    mode: requireTLS
    certificateSelector: thumbprint=<PASTE PROFILEUNITY-MONGO THUMBPRINT HERE>
    disabledProtocols: TLS1_0,TLS1_1
After Editing mongod.cfg: Restart the MongoDB service after saving changes to mongod.cfg. If MongoDB fails to start, the thumbprint value likely has a typo or contains an invisible character. Re-copy it from certmgr.msc carefully.
File 2 — ProfileUnity.LicenseServer.exe.xml
Location: C:\Program Files (x86)\Liquidware Labs\ProfileUnity\License Server\ProfileUnity.LicenseServer.exe.xml
This file contains three separate settings. Update the two thumbprint values as shown:
<!-- Copy the encrypted connection string from settings.json -->
<setting name="MongoConnStr" value="...encrypted..." />
<!-- Thumbprint of the License Server certificate (from certmgr.msc) -->
<setting name="CertStoreThumbprint" value="<LICENSE SERVER CERT THUMBPRINT>" />
<!-- Thumbprint from mongod.cfg certificateSelector (must match mongod.cfg) -->
<setting name="MongoCertStoreThumbprint" value="<PROFILEUNITY-MONGO THUMBPRINT>" />
Easy Rule: MongoCertStoreThumbprint in this file must always equal the thumbprint in mongod.cfg on the same server. CertStoreThumbprint comes from a completely different certificate — the License Server cert in certmgr.msc. They will never be the same value.
After Editing the License Server XML: Restart the ProfileUnity License Server service after saving changes. Check the License Server log at C:\Program Files (x86)\Liquidware Labs\ProfileUnity\License Server\Logs if the service fails to start.
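A read-only PowerShell check of the alignment rules above, added here as an example and not part of Liquidware's article or tooling. It assumes the file paths shown in this article, un-namespaced `<setting>` elements in the License Server XML, and 40-hex-digit (SHA-1) thumbprints; `Test-Thumbprint` and `Get-Setting` are hypothetical helper names.

```powershell
# Added example: read-only check; file paths are the ones given in this article.
$MongoCfg = 'C:\Program Files\MongoDB\mongod.cfg'
$LicXml   = 'C:\Program Files (x86)\Liquidware Labs\ProfileUnity\License Server\ProfileUnity.LicenseServer.exe.xml'

function Test-Thumbprint {
    param([string]$Setting, [string]$Raw)
    # Keep hex digits only, so stray spaces or an invisible leading character are exposed.
    $clean  = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $issues = @()
    if ($clean.Length -ne $Raw.Length) { $issues += 'value contains non-hex or invisible characters' }
    if ($clean.Length -ne 40)          { $issues += "expected 40 hex digits, found $($clean.Length)" }
    # Look the cleaned value up in the machine store (Local Computer > Personal).
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { $issues += 'no certificate with this thumbprint in LocalMachine\My' }
    [pscustomobject]@{
        Setting    = $Setting
        Thumbprint = $clean
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Issues     = $issues -join '; '
    }
}

# mongod.cfg: take the value after "thumbprint=" on the active certificateSelector line.
$line = Select-String -Path $MongoCfg -Pattern '^\s*certificateSelector:\s*thumbprint=(.*)$' |
    Select-Object -First 1
$mongoRaw = if ($line) { $line.Matches[0].Groups[1].Value } else { '' }

# License Server XML: assumes un-namespaced <setting name="..." value="..."/> elements.
$xml = New-Object System.Xml.XmlDocument
$xml.Load($LicXml)
function Get-Setting([string]$Name) {
    $node = $xml.SelectSingleNode("//setting[@name='$Name']")
    if ($node) { $node.GetAttribute('value') } else { '' }
}

$mongo    = Test-Thumbprint 'mongod.cfg certificateSelector' $mongoRaw
$licMongo = Test-Thumbprint 'MongoCertStoreThumbprint' (Get-Setting 'MongoCertStoreThumbprint')
$licCert  = Test-Thumbprint 'CertStoreThumbprint'      (Get-Setting 'CertStoreThumbprint')
$mongo, $licMongo, $licCert | Format-List

if ($mongo.Thumbprint -ne $licMongo.Thumbprint) {
    Write-Warning 'mongod.cfg and MongoCertStoreThumbprint differ; they must match on this node.'
}
if ($licCert.Thumbprint -and $licCert.Thumbprint -eq $licMongo.Thumbprint) {
    Write-Warning 'CertStoreThumbprint equals the Mongo thumbprint; it must reference the License Server certificate.'
}
```

The script changes nothing on the server. In a cluster, run it on each node separately, since each node has its own ProfileUnity-Mongo thumbprint.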
Common Symptoms and Fixes
If thumbprints are out of sync, one or more services will fail to start or will report connection errors. Use the table below to identify the problem and know exactly what to fix:
| Symptom | What to Check and Fix |
| MongoDB service fails to start | The thumbprint in mongod.cfg does not match the ProfileUnity-Mongo certificate in the machine certificate store. Open certmgr.msc, copy the thumbprint from the ProfileUnity-Mongo certificate in Local Computer → Personal, and update certificateSelector: thumbprint= in mongod.cfg. Restart MongoDB. |
| ProfileUnity License Server fails to start | MongoCertStoreThumbprint in LicenseServer.exe.xml does not match the thumbprint in mongod.cfg. Copy the thumbprint from mongod.cfg and paste it into MongoCertStoreThumbprint. Restart the License Server service. |
| License Server starts but cannot connect to MongoDB | MongoConnStr in LicenseServer.exe.xml is stale or incorrect. Copy the current encrypted connection string from settings.json and paste it into the MongoConnStr value. Restart the License Server service. |
| Services start but web console shows certificate errors | The Liquidware Certificate (web console cert) may need to be regenerated. Delete it from both Trusted Root and Personal in certmgr.msc, then restart the ProfileUnity service. The service will auto-generate a new certificate. |
| All services start but clients cannot reach the console | The console certificate CN may not match the server name being accessed. Connect to MongoDB via Studio 3T and update the local-settings-ServerName key in ProfileUnityDotNet → Key Values to match the correct certificate CN. Restart the ProfileUnity service. |
| MongoDB starts but the thumbprint value in mongod.cfg looks correct | Check for a non-printing character at the start of the thumbprint value — this is a common copy-paste issue from certmgr.msc. Delete and retype the very first character of the thumbprint value in mongod.cfg and try again. |
Regenerating the Liquidware Self-Signed Certificate
The Liquidware Certificate is the self-signed TLS certificate that ProfileUnity generates automatically for the web console. It is not referenced by thumbprint in any configuration file — the service manages it entirely on its own.
You may need to regenerate it if the certificate has expired, if it was accidentally deleted, or if the console is showing a certificate error after a server change. The process is straightforward: delete the old certificate from both certificate store locations and restart the ProfileUnity service. The service will generate a new one automatically.
No Config File Changes Needed: Unlike the ProfileUnity-Mongo and License Server certificates, regenerating the Liquidware Certificate does not require updating any thumbprint values in configuration files. The service handles everything automatically on restart.
Steps to Regenerate
- Press Windows + R, type certmgr.msc, and press Enter.
- Navigate to Local Computer → Trusted Root Certification Authorities → Certificates. Locate the certificate named Liquidware Certificate and delete it.
- Navigate to Local Computer → Personal → Certificates. Locate the certificate named Liquidware Certificate and delete it from here as well.
- Restart the ProfileUnity service in Services.msc.
- The ProfileUnity service will automatically generate a new Liquidware Certificate and install it in both certificate store locations.
- Open a browser and navigate to the ProfileUnity Console. Confirm the console loads and the certificate is present in certmgr.msc under both Trusted Root and Personal.
Browser Still Shows a Certificate Warning After Regeneration: The auto-generated Liquidware Certificate is self-signed, which means browsers will show a security warning unless the certificate is trusted by the client machine. This is expected behavior. If a trusted certificate from a CA is required, import it via the ProfileUnity Console under Administration → Certificates instead of regenerating the self-signed one.
If the Service Fails to Start After Regeneration: Check that the Liquidware Certificate was fully deleted from both Trusted Root and Personal before restarting. If any instance of the old certificate remains, the service may detect it and skip generation. Delete any remaining instance and restart the service again.
Need Assistance? If you are unsure which certificate is causing the issue, or if services still fail to start after following the steps above, please contact Liquidware Technical Support.
| Product | Liquidware ProfileUnity |
| Component | Console / MongoDB / License Server |
| Applies To | ProfileUnity 6.8.5 and later |