Environment
- App Control Console: All Supported Versions
Objective
To replace the App Control Server certificate used for Agent communication.
Resolution
Please Note Prior To Replacing The Communication Certificate:
- Server 8.9.4 and higher includes a Certificate Delay Swap feature, which continues to show the old Communication Certificate for a period of time before swapping in the new one.
- Server 8.10.2 includes several Communication Certificate enhancements.
- Server 8.10.2 also includes an Update Schedule option. It is recommended to use the expiration date of the current certificate.
- The Update Schedule chosen will determine the Certificate Delay Swap.
If using a Self-signed Certificate:
- Log in to the App Control Console > gear icon > System Configuration.
- From the System Configuration tab, navigate to Security > Current Server Certificate > Edit.
- Make any necessary updates (such as previous server name, "Valid For" period, etc.).
- Click Generate.
If using a certificate issued by a Certificate Authority (CA):
- Obtain the new, unexpired CA issued certificate for the App Control Server.
- Log in to the App Control Console > gear icon > System Configuration.
- From the System Configuration tab, navigate to Security > Import Server Certificate From PKCS12 File > Browse...
- Locate the certificate file, specify the Password and click Import.
After Updating Agent Server Certificate:
- The previous Communication Certificate will be displayed in the Current Server Certificate Details for 60 minutes.
- If using an alternate RDL, verify the updated TrustedCertList.pem file is copied from \Parity Server\hostpkg\ accordingly.
- It is likely that the certificate bound to Port 443 in IIS is also expired and will need to be updated at this time as well.
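A pre-import check of the PKCS12 file and a check of the certificate currently served on Port 443, as an added PowerShell example that is not part of the original article or the product. The function names, the file path, the 30-day warning window and the use of TLS 1.2 are assumptions:

```powershell
# Added example: function names, path and the 30-day window are assumptions.
function Test-CertificateValidity {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$WarnDays = 30,          # assumed warning window
        [switch]$RequirePrivateKey    # use for a PKCS12 file that will be imported
    )
    $now = Get-Date
    $findings = @()
    if ($Certificate.NotAfter -lt $now) {
        $findings += 'expired'
    } elseif ($Certificate.NotAfter -lt $now.AddDays($WarnDays)) {
        $findings += "expires within $WarnDays days"
    }
    if ($Certificate.NotBefore -gt $now) { $findings += 'not yet valid (check the server clock)' }
    if ($RequirePrivateKey -and -not $Certificate.HasPrivateKey) { $findings += 'no private key in file' }
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotBefore  = $Certificate.NotBefore
        NotAfter   = $Certificate.NotAfter
        Findings   = $findings
    }
}

function Get-BoundCertificate {
    param([string]$HostName = 'localhost', [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate: the goal is to inspect what is served, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        # TLS 1.2 is an assumption about what the IIS binding accepts.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

# Before import: inspect the PKCS12 file (placeholder path).
$pfxPath  = 'C:\Temp\appcontrol-server.pfx'
$password = Read-Host -AsSecureString -Prompt 'PKCS12 password'
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $password)
Test-CertificateValidity -Certificate $pfx -RequirePrivateKey

# After the change: inspect the certificate served on Port 443 of this server.
Test-CertificateValidity -Certificate (Get-BoundCertificate)
```

An empty Findings list means no problem was detected by these checks. Comparing the two Thumbprint values shows whether IIS is already serving the same certificate.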
Additional Notes
- The same certificate used for Agent/Server Communications can be used in IIS.
- The new Agent Communication Certificate will automatically be added to the Trusted Certificates List, with the Trust status as Yes.
- In order to remove Trust for the current Agent Communication Certificate, it must first be replaced.
- There is no option to generate a Certificate Signing Request (CSR) within the Console. Work with the relevant Certificate Authority to obtain a CSR, if required.
- Newly generated certificates can be found in the local certificate manager of the application server.
- The Edit button will be missing if Certificate Verification is enabled. Refer to Related Content if it needs to be disabled.
- If the clock is off on the App Control server when the certificate is regenerated, a GetSslError[32] error may be seen; the clock may need to be fixed and the certificate regenerated.
- An Alert can be created to warn before the certificate expires.
- After replacing the certificate, IIS Console performance may be slow temporarily, per this Document.
Related Content