Steps to replace or update the Server certificate used for Agent communication.

• App Control Console: All Supported Versions

Understanding Certificate Delay Swap (Update Schedule):

To help prevent Communication Key Overuse, beginning with Server 8.10.2 an Update Schedule for the new Communication Certificate can be specified when using either a Self-signed Certificate or a Certificate Authority Certificate. If Agents have not received the updated Trusted Certificate List before the new Communication Certificate is activated, the Communication Key will be used for Agent communication. 

Overuse of the Communication Key may result in poor Console performance. For this reason it is recommended to:

• Replace the Communication Certificate before it expires
• Specify Agent Certificate Update settings relative to your environment (Agent connectivity, VPN requirements for file transfers, etc)
• Follow the complete procedure below, including the steps After Updating the Communication Certificate.

More details on these settings can be found in the User Guide > System Configuration > Securing Agent-Server Communications.

Using a Self-signed Certificate:

1. Log in to the App Control Console > gear icon > System Configuration.
2. From System Configuration tab: navigate to: Security > Current Server Certificate > Edit.
3. Make any necessary updates (such as previous server name, "Valid For" period, etc)
4. Configure the Certificate Delay Swap
   • It is recommended to use the defaults (12 hours prior to the current Certificate Expiration Date).
5. Click Generate.
   • Reminder: The current Communication Certificate will still display/be used based on the Update Schedule chosen.
6. Complete the steps, After Updating Agent Server Certificate below.

Using a Certificate Authority (CA) Issued Certificate:

1. Obtain the new, unexpired CA issued certificate for the Server.
2. Log in to the App Control Console and navigate to: Settings > System Configuration > Security.
3. In the section: Import Server Certificate From PKCS12 File > click Browse...
4. Locate the certificate file and specify the Password as provided by the CA.
5. Configure the Certificate Delay Swap
   • It is recommended to use the defaults (12 hours prior to the current Certificate Expiration Date).
6. Click Import.
   • Reminder: The current Communication Certificate will still display/be used based on the Update Schedule chosen.
7. Complete the steps, After Updating Agent Server Certificate below.

After Updating Agent Server Certificate:

1. The previous Communication Certificate will be displayed in the Current Server Certificate Details for the duration specified in the Update Schedule.
2. If using an alternate RDL verify the updated TrustedCertList.pem file is copied from \Parity Server\hostpkg\ accordingly.
3. It is likely that the certificate bound to Port 443 in IIS is also expired and will need to be updated at this time as well.

• • If using the Self-signed Certificate for IIS: First export the new certificate with Private Key & Extended Properties.
  • Import & Bind the new certificate to Port 443 in IIS.

• The same certificate used for Agent/Server Communications can be used in IIS.
• A PFX or PKCS#12 Certificate File is required when uploading, as the App Control Server will require all elements of the Chain of Trust for the Certificate.
• There is no option to generate a Certificate Signing Request (CSR) within the Console. Work with the relevant Certificate Authority to obtain a CSR, if required.
• The new Agent Communication Certificate will automatically be added to the Trusted Certificates List, with the Trust status as Yes.
• In order to remove Trust for the current Agent Communication Certificate, it must first be replaced.
• Newly generated certificates can be found in the Local Certificate Manager of the application server.
• If the clock is off on the App Control server when regenerated a GetSslError[32] error may be seen and the clock may need to be fixed and cert regenerated