Replace the Server Certificate

Article ID: 286687

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to replace or update the Server certificate used for Agent communication.

Environment

  • App Control Console: All Supported Versions

Resolution

Please Note Prior To Replacing The Communication Certificate:
  • Replacing the Communication Certificate could cause temporary Console performance issues under certain circumstances.
    • Be sure to replace the certificate prior to expiration.
    • Be sure to use an Update Schedule that allows the majority of Agents to receive changes before the new certificate is required.
  • Server 8.11.2 - 8.12.0: follow the steps here instead, due to a defect (EPCB-24434).


Understanding the Certificate Update Schedule

When you specify a new Agent Communication Certificate, the App Control Server does not switch to it immediately. Instead, the specified Update Schedule creates a swap delay during which Agents continue using the existing Communication Certificate. This allows for

  • Distribution of the updated Trusted Certificate List to all the Agents before the new Certificate is used.
  • Reduced chances of Communication Key Overuse, which could impact Console performance.

Once the swap delay expires, the Server switches to the new Communication Certificate. When specifying an Update Schedule, be sure to consider

  • Time remaining until the current Communication Certificate expires.
  • Agent connectivity requirements to obtain files from the Certificate Download Location (e.g. VPN access, holiday schedules, maintenance windows, etc.)

More details on these settings can be found in the User Guide > System Configuration > Securing Agent-Server Communications.


Replacing the Agent Communication Certificate

  1. Log in to the App Control Console and navigate to Settings > System Configuration > Security.
    • If using the Self-signed Certificate generated by the Console
      1. Current Server Certificate Details > click Edit
      2. Make any necessary updates (such as the server name, the "Valid For" period, etc.)
    • If importing a PKCS12 File (e.g. a Certificate Authority-issued certificate)
      1. Import Server Certificate > click Choose File
      2. Locate the desired certificate file and specify the Password for the certificate.
  2. Configure the Certificate Swap Delay.
    • It is recommended to use the defaults (720 minutes prior to the current Certificate Expiration Date).
  3. Click Generate (if editing) or Import (if using a file).
    • On Server 8.11.2+, both the Current Server Certificate and the Pending Server Certificate are shown.
  4. Complete the steps under "After Replacing the Agent Communication Certificate" below.


After Replacing the Agent Communication Certificate:

  • The previous Communication Certificate will be displayed in the Current Server Certificate Details for the duration specified in the Update Schedule.
  • If using an alternate RDL, verify that the updated TrustedCertList.pem file is copied from \Parity Server\hostpkg\ accordingly.
  • It is likely that the certificate bound to Port 443 in IIS has also expired and will need to be updated at this time as well.
  • If a secondary server is configured (e.g. for Disaster Recovery):
    • The matching Agent Communication Certificate should be copied (with Private Key) to the secondary server and imported in the Local Machine Certificate Store > Trusted People.
    • Verify IIS on the secondary server has the matching certificate from the Primary bound.
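The following PowerShell script is an added example, not part of this article or of the App Control product: run as an administrator on the primary or secondary App Control server, it reports the certificate bound to port 443 in IIS, flags it if it expires within a chosen number of days or is not yet valid (the clock-skew symptom noted below), checks that the same certificate is present in Local Machine > Trusted People, and prints the contents and SHA256 hash of TrustedCertList.pem so the copy on an alternate download location can be compared. It assumes the IIS WebAdministration module is available; $TrustedListPath is a placeholder for the file under \Parity Server\hostpkg\.

```powershell
# Added example; not from the KB article or the App Control product.
# Assumes the IIS WebAdministration module and local administrator rights.
param(
    [int]$WarnDays = 30,
    # Placeholder: point this at <install dir>\Parity Server\hostpkg\TrustedCertList.pem
    [string]$TrustedListPath = '<install dir>\Parity Server\hostpkg\TrustedCertList.pem'
)
Import-Module WebAdministration -ErrorAction Stop
$now = Get-Date

# 1. Certificate bound to port 443 in IIS (the KB notes it often expires at the same time).
$binding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object -First 1
if (-not $binding) { Write-Warning 'No IIS SSL binding found on port 443'; return }
$bound = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.Thumbprint }
if (-not $bound) { Write-Warning "Bound thumbprint $($binding.Thumbprint) not found in LocalMachine\My"; return }
"Port 443: $($bound.Subject) thumbprint $($bound.Thumbprint) expires $($bound.NotAfter)"
if ($bound.NotAfter -lt $now.AddDays($WarnDays)) {
    Write-Warning "Certificate bound to 443 expires within $WarnDays days; replace it before expiration"
}
# A NotBefore in the future means the server clock is behind (the GetSslError[32] symptom).
if ($bound.NotBefore -gt $now) { Write-Warning 'Bound certificate is not yet valid: check the server clock' }

# 2. Trusted People should hold the matching Agent Communication Certificate (required on a secondary).
$trustedPeople = @(Get-ChildItem Cert:\LocalMachine\TrustedPeople)
if ($trustedPeople.Thumbprint -notcontains $bound.Thumbprint) {
    Write-Warning 'Certificate bound to 443 is not in LocalMachine\TrustedPeople; import it with its private key'
}
$trustedPeople | ForEach-Object { "TrustedPeople: $($_.Subject) $($_.Thumbprint) expires $($_.NotAfter)" }

# 3. TrustedCertList.pem: list every certificate it carries and hash the file for comparison
#    with the copy on an alternate download location.
if (-not (Test-Path $TrustedListPath)) { Write-Warning "TrustedCertList.pem not found at $TrustedListPath"; return }
$pem = Get-Content $TrustedListPath -Raw
$blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
foreach ($m in $blocks) {
    $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    $flag = if ($cert.NotAfter -lt $now.AddDays($WarnDays)) { ' (EXPIRING)' } else { '' }
    "TrustedCertList: $($cert.Subject) $($cert.Thumbprint) expires $($cert.NotAfter)$flag"
}
"TrustedCertList.pem SHA256: $((Get-FileHash -Path $TrustedListPath -Algorithm SHA256).Hash)"
```

Compare the printed SHA256 with Get-FileHash on the copy at the alternate download location; the hashes differ until the updated file has been copied.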

Additional Information

  • A PFX or PKCS#12 certificate file is required when uploading, because the App Control Server requires every element of the certificate's Chain of Trust.
  • There is no option to generate a Certificate Signing Request (CSR) within the Console.
    • Work with the relevant Certificate Authority to obtain a CSR, if required.
  • The new Agent Communication Certificate will automatically be added to the Trusted Certificates List, with the Trust status as Yes.
    • In order to remove Trust for the current Agent Communication Certificate, it must first be replaced.
  • Newly generated certificates can be found in the Local Certificate Manager > Trusted People on the application server.
  • If the clock is off on the App Control server when the certificate is regenerated, a GetSslError[32] error may be seen; the clock may need to be corrected and the certificate regenerated.