A Secure Hub has been successfully configured using a third-party self-signed certificate, with the Primary Hub as Tunnel Client and the Secondary Hub as Tunnel Server.
However, the other (non-hub) robots cannot be upgraded.
In the Nimsoft/robot/ folder, the proxy_check.log file contains the following:
Sep 22 03:39:36:179 0 proxy_check: Determining if the hub is running locally
Sep 22 03:39:36:325 2 proxy_check: RAND wrote 1024 new random bytes to robot/rand.rnd
Sep 22 03:39:36:325 2 proxy_check: RAND snagged 1024 random bytes from robot/rand.rnd
Sep 22 03:39:36:325 2 proxy_check: RAND claims sufficient entropy for the PRNG
Sep 22 03:39:36:326 1 proxy_check: Using OpenSSL 1.0.2p 14 Aug 2018
Sep 22 03:39:36:326 1 proxy_check: (ssl_ctx_setup) ca location -> robot/certs/CA.pem
Sep 22 03:39:36:326 1 proxy_check: (ssl_ctx_setup) certificate -> robot/certs/sechub.pem
Sep 22 03:39:36:326 1 proxy_check: (ssl_ctx_setup) private key file -> robot/certs/sechub.key.pem
Sep 22 03:39:36:326 0 proxy_check: (proxy) setting max queued requests inbound: 112, outbound: 112
Sep 22 03:39:36:326 1 proxy_check: proxy setup: Looking for available proxy port starting from 48100
Sep 22 03:39:36:327 0 proxy_check: proxy setup: Using proxy port 127.0.0.1:48100
Sep 22 03:39:36:327 2 proxy_check: nimSessionServerStrict - host 127.0.0.1, port = 48100
Sep 22 03:39:36:327 2 proxy_check: sockServer - <hostname>:127.0.0.1/48100:fd=800
Sep 22 03:39:36:327 0 proxy_check: Sending get_info request to remote hub to verify proxy communications
Sep 22 03:39:36:369 1 proxy_check: (outbound proxy) Timeout or comm error waiting for reply. rc=-2
Sep 22 03:39:36:369 0 proxy_check: Failed to send message to hub
and/or:
Sep 10 15:43:59:951 0 proxy_check: proxy setup: Using proxy port 127.0.0.1:48100
Sep 10 15:43:59:951 2 proxy_check: nimSessionServerStrict - host 127.0.0.1, port = 48100
Sep 10 15:43:59:951 0 proxy_check: Sending get_info request to remote hub to verify proxy communications
Sep 10 15:43:59:951 1 proxy_check: (ssl_verify_cert_hostname) - SSL certificate subjectAltName doesn't match given hostname(##.##.##.##)
Sep 10 15:43:59:951 1 proxy_check: (ssl_verify_cert_hostname) - SSL certificate common name doesn't match given hostname(##.##.##.##)
Sep 10 15:43:59:967 1 proxy_check: (ssl_verify_cert_hostname) - SSL certificate subjectAltName doesn't match given hostname(<hostname>)
Sep 10 15:43:59:967 1 proxy_check: (ssl_verify_cert_hostname) - SSL certificate common name doesn't match given hostname(<hostname>)
Sep 10 15:43:59:967 1 proxy_check: ssl_connect - Peer certificate: application verification failure
Sep 10 15:43:59:967 1 proxy_check: ssl_log_error - SSL error checking SSL object after connection
Sep 10 15:43:59:967 1 proxy_check: (proxy_ssl_connect) ssl_connect failed to ##.##.##.##:48000 - rc : 50.
UIM 20.3.3 or higher
hub_secure 9.33SHF1 or higher
robot_update_secure 9.33SHF5 or higher
The certificate used for the tunnel server (and thus for the robots assuming you are using the same certificate) should be issued to the actual FQDN of the local server.
From the techdocs:
Alternatively, you can also use wildcard certificates, but they must be issued to a generic/true wildcard (*) as opposed to a domain-qualified wildcard (*.example.domain.com).
In the case of a third-party/CA-signed certificate, the server may have an external name, e.g. hostname.example.domain.com, and an internal name, e.g. hostname.example.network.local, and the certificate will have been issued to the external FQDN, whereas the robot checks the hub against the internal FQDN (this is what the ssl_verify_cert_hostname errors above report). In that case, obtain a new certificate whose Subject (Common Name) is the external FQDN and whose Subject Alternative Name (SAN) includes the internal FQDN. This allows the same certificate to be used for both the tunnel server and the robots.
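The following shell script is an added example, not part of this article or of UIM: it issues self-signed test certificates for the two placeholder names above and uses OpenSSL's own verifier to show which hostnames each certificate is accepted for. Note that standard OpenSSL verification ignores the Common Name as soon as the certificate carries a SAN with DNS entries, so the example also builds a certificate that lists both FQDNs in the SAN, which satisfies verifiers that consult only the SAN as well as those that still fall back to the CN. It assumes OpenSSL 1.1.1 or newer (for -addext) is on the PATH.

```shell
#!/bin/sh
# Added example, not from the KB article: build self-signed test certificates for the
# article's placeholder names and check which hostnames OpenSSL's verifier accepts.
# Requires OpenSSL 1.1.1 or newer (for -addext).
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
EXTERNAL_FQDN="hostname.example.domain.com"     # name the CA-signed cert was issued to
INTERNAL_FQDN="hostname.example.network.local"  # name the robot checks the hub against

# make_cert <name> [subjectAltName]: key + self-signed cert with CN = external FQDN.
make_cert() {
    san="${2:-}"
    if [ -n "$san" ]; then ext="-addext subjectAltName=$san"; else ext=""; fi
    # $ext is deliberately unquoted so an empty value adds no arguments.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/$1.key.pem" -out "$WORKDIR/$1.pem" \
        -subj "/CN=$EXTERNAL_FQDN" $ext >/dev/null 2>&1
}

# cert_matches_host <name> <hostname>: returns 0 if the cert verifies for that hostname.
# The cert is self-signed, so it serves as its own trust anchor via -CAfile.
cert_matches_host() {
    openssl verify -CAfile "$WORKDIR/$1.pem" -verify_hostname "$2" \
        "$WORKDIR/$1.pem" >/dev/null 2>&1
}

make_cert cn_only                                           # as first issued: external name in CN only
make_cert san_internal "DNS:$INTERNAL_FQDN"                 # CN = external, SAN = internal only
make_cert san_both "DNS:$EXTERNAL_FQDN,DNS:$INTERNAL_FQDN"  # CN = external, SAN lists both names

report() {
    if cert_matches_host "$1" "$2"; then echo "$1: $2 matches"; else echo "$1: $2 does NOT match"; fi
}
for c in cn_only san_internal san_both; do
    report "$c" "$EXTERNAL_FQDN"
    report "$c" "$INTERNAL_FQDN"
done
```

Only san_both verifies for both the external and the internal name; cn_only fails for the internal name the robot uses, and san_internal fails for the external name because the SAN takes precedence over the CN.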