Migrating to a new certificate

If your existing certificates are due to expire, you can create new certificates. Distribute the new certificates to the relevant endpoints so that they can continue to successfully establish remote control sessions through the broker.

About this task

Migrating to a new certificate is required when you are using self-signed certificates and you enable the broker.trusted.certs.required property in the trc.properties file. For more information about signed certificates, see Strict Certificate Verification on Broker Connections.
When you are using CA signed certificates, only the root certificate must be in the server truststore. Root certificates typically have a long lifespan, with typical current CA certificates not expiring until after 10 or 20 years at the time of writing. The SSL certificates signed by the CA usually expire after one year. However, you must update only the SSL certificate on the broker. There is no need to update the truststore on all of the endpoints if any of the following conditions are true.
  • The new SSL certificates for the broker are issued by the same CA.
  • The root certificate for the CA is already in the truststore on the server and it has been passed to all of your endpoints,

Create your self-signed certificate and distribute it to all the endpoints before you install it on the broker. To migrate to a new certificate, complete the following steps:


  1. Generate the new certificate before the old certificate expires.
    For more information about creating a certificate, see Creating a self signed certificate. When to do this is determined by how long, you think it takes to update the endpoints with the new certificate. Leave the broker running with the old certificate until just before the expiration date.
  2. Add the new certificate to the truststore on the server.
    For more information about adding a certificate, see Adding a certificate to the truststore.
    • Targets that call home from inside the intranet automatically receive the new certificate from the server and update their truststore.
    • Targets that successfully start a session through a broker also automatically update the truststore. Therefore, the broker must continue running with the old certificate because the target trusts this certificate. The target does not yet trust the new certificate, and therefore would be unable to start a session through the broker.
  3. Install the new certificate on the broker before the old certificate expires,
    For more information about installing a certificate, see Configuring the keystore on the broker.
  4. Remove the old certificate from the truststore after it expires.


When the old certificate expires, all targets that updated their truststore, can establish a remote control session by using the broker.