The tunnel certificate will expire ... how to replace it before it does?

Article ID: 185384


Products

- DX Unified Infrastructure Management (Nimsoft / UIM)
- CA Unified Infrastructure Management SaaS (Nimsoft / UIM)
- Unified Infrastructure Management for Mainframe

Issue/Introduction

How do I replace a UIM hub tunnel certificate prior to expiration?

An alarm is generated again each day, e.g.,

"The tunnel certificate for <hubname> (x.x.x.x) will expire in n days."

 

Environment

- UIM any version

Cause

- Guidance

- Administration of tunnel certificates/cert expiration

Resolution

Important note: Distinguish between the "client" certificates and the "Server CA" certificate.

If the Server/CA certificate is expired, or about to expire, it must be renewed first. Renewing the CA certificate will invalidate all issued client certificates. You must then re-issue the client certificates.
 
Renewing the CA certificate is discussed here:  KB265416
 
After you have done this, the following article describes how to replace the client certificates with new ones:  KB127959
 
 
The following process describes how to renew the client-side certificates when the CA/Server certificate is *not* expired and does *not* need to be renewed.
 
 
First, navigate to and select the Tunnel Server hub where the client certificates are generated.

Open the hub GUI, go to the 'Tunnels' tab and then 'tunnel server', and locate the expired cert. Then create a new one with the same info by clicking New.


From here, enter all the info for the new cert. Note that you can leave the default of 365 days or make it longer, e.g., 3650 (10 years), as long as that doesn't violate your corporate/customer's security policy/practices.

After you click OK, you will be prompted to reenter the password to confirm it.


Now you should see two certs - the new and old one.  Highlight the new one (check the expiration date) and click View.

Next, click on the "Certificate" tab and then click "Copy".

This will copy the certificate info to your Clipboard.

Now, open the hub CLIENT's hub GUI in IM. Go to "Tunnels" and then select the "Client Configuration" tab, find and highlight the client entry, then click "Edit".

 

This will bring up the client info, including the current certificate.  


Lastly, select all of the existing cert info, clear it out, and then paste in the new certificate info that you copied to your clipboard (or Notepad).

Now you can click OK and the hub will restart using the new certificate.

Make sure you delete the old cert -- but don't do it until after you have made this change, because if you delete it first, it could stop you from being able to complete the changes.
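Before pasting the new certificate into the client hub and deleting the old one, you can confirm that the text you copied really is the new certificate and not the old one again. The script below is an added example, not part of the original article or the product. It assumes the old and new certificate text were each saved to a file, that the text contains a PEM certificate block, and that `openssl` is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a replacement tunnel client certificate.
# Assumption: the text copied from the hub GUI was saved to a file and
# contains a PEM "BEGIN CERTIFICATE" block that openssl can read.

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# Succeed only if the certificate is still valid DAYS days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_replacement OLD_FILE NEW_FILE MIN_DAYS
# Returns 0 when NEW_FILE is a different certificate from OLD_FILE and is
# valid for at least MIN_DAYS; 1 when a check fails; 2 on unreadable input.
check_replacement() {
    old=$1 new=$2 min_days=$3
    old_fp=$(cert_fingerprint "$old") || { echo "cannot parse old cert: $old"; return 2; }
    new_fp=$(cert_fingerprint "$new") || { echo "cannot parse new cert: $new"; return 2; }
    if [ "$old_fp" = "$new_fp" ]; then
        echo "FAIL: both files hold the same certificate"
        return 1
    fi
    if ! valid_for_days "$new" "$min_days"; then
        echo "FAIL: new certificate expires within $min_days days"
        return 1
    fi
    echo "OK: new certificate differs from the old one and is valid for at least $min_days days"
    # Show the subject and expiry so they can be compared with the hub GUI.
    openssl x509 -in "$new" -noout -subject -enddate
}

# Stand-alone use: sh check_cert.sh old.pem new.pem 30
if [ "$#" -eq 3 ]; then
    check_replacement "$1" "$2" "$3"
fi
```

Delete the saved files afterwards if the copied text also contains private key material.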

Additional Information

If the tunnel certificate has already expired on some hub servers, the following KB article discusses the steps to take:

Hub tunnels lost connection due to certificate expiration and no longer appear in IM