Environment
- App Control Console: All Supported Versions
Objective
To replace the App Control Server certificate used for Agent communication.
Resolution
If using a Self-signed Certificate:
- Log in to the App Control Console > gear icon > System Configuration.
- From the System Configuration tab, navigate to Security > Current Server Certificate > Edit.
- Make any necessary updates (such as previous server name, "Valid For" period, etc.).
- Click Generate.
If using a certificate issued by a Certificate Authority (CA):
- Obtain the new, unexpired CA issued certificate for the App Control Server.
- Log in to the App Control Console > gear icon > System Configuration.
- From the System Configuration tab, navigate to Security > Import Server Certificate From PKCS12 File > Browse...
- Locate the certificate file, specify the Password and click Import.
After Updating Agent Server Certificate:
- The previous Communication Certificate will be displayed in the Current Server Certificate Details for 60 minutes.
- If using an alternate RDL, verify that the updated TrustedCertList.pem file is copied from \Parity Server\hostpkg\ accordingly.
- It is likely that the certificate bound to Port 443 in IIS is also expired and will need to be updated at this time.
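One way to carry out the alternate RDL check above, as an added example (not vendor-supplied code): the script parses both copies of TrustedCertList.pem, reports whether the new certificate is present in each, and flags stale entries in the alternate copy. The two file paths and the thumbprint are parameters supplied by the operator, and the script assumes the file holds standard PEM certificate blocks.

```powershell
# Added example, not vendor code. All three parameters are operator-supplied.
param(
    [Parameter(Mandatory)] [string] $ServerPem,     # TrustedCertList.pem in the server's hostpkg folder
    [Parameter(Mandatory)] [string] $AlternatePem,  # copy published on the alternate RDL
    [Parameter(Mandatory)] [string] $NewThumbprint  # thumbprint of the new Agent communication certificate
)

# Assumption: the file is a concatenation of standard PEM CERTIFICATE blocks.
function Get-PemCertificate {
    param([Parameter(Mandatory)] [string] $Path)
    $text    = Get-Content -LiteralPath $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $single  = [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($text, $pattern, $single)) {
        # Strip line breaks from the base64 body, then decode to DER.
        $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
        }
    }
}

# Thumbprints copied from the certificate manager often contain spaces.
$want   = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$now    = Get-Date
$server = @(Get-PemCertificate -Path $ServerPem)
$alt    = @(Get-PemCertificate -Path $AlternatePem)

$hashServer = (Get-FileHash -LiteralPath $ServerPem -Algorithm SHA256).Hash
$hashAlt    = (Get-FileHash -LiteralPath $AlternatePem -Algorithm SHA256).Hash

"Files identical (SHA-256):         {0}" -f ($hashServer -eq $hashAlt)
"New certificate in server list:    {0}" -f ($server.Thumbprint -contains $want)
"New certificate in alternate copy: {0}" -f ($alt.Thumbprint -contains $want)

# Per-certificate view of the alternate copy, judged against this machine's clock.
$alt | Select-Object Subject, Thumbprint, NotAfter,
    @{ Name = 'Expired';     Expression = { $_.NotAfter  -lt $now } },
    @{ Name = 'NotYetValid'; Expression = { $_.NotBefore -gt $now } }
```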
Additional Notes
- The same certificate used for Agent/Server Communications can be used in IIS.
- The new Agent Communication Certificate will automatically be added to the Trusted Certificates List, with the Trust status as Yes.
- In order to remove Trust for the current Agent Communication Certificate, it must first be replaced.
- There is no option to generate a Certificate Signing Request (CSR) within the Console. Work with the relevant Certificate Authority to obtain a CSR, if required.
- Newly generated certificates can be found in the local certificate manager of the application server.
- The Edit button will be missing if Certificate Verification is enabled. Refer to Related Content if it needs to be disabled.
- If the clock on the App Control Server is off when the certificate is regenerated, a GetSslError[32] error may be seen; the clock may need to be fixed and the certificate regenerated.
Related Content