This article shows how to manually and automatically renew an X.509 certificate used for TLS in yunIO.
Renewing a Certificate Manually
Warning! The certificate is already expired:
To access the Designer after a certificate has expired, delete the
tls.json file in the installation directory of yunIO and restart the yunIO service.
This resets all TLS settings in yunIO, including the certificate selection.
Renew a Certificate with New Key
- Before the old certificate expires, install a new certificate on the server machine.
- Open the yunIO Designer and switch to the new certificate, see Server Settings - Transport Layer Security.
- Delete the old certificate from the Microsoft Certificate Store.
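A pre-check for the switch and deletion steps above, as an added example that is not part of the yunIO documentation or of yunio-le.ps1: it lists the certificates for one host name, verifies that the newest one is usable for TLS, and reports the old and new thumbprints and whether the key changed. The store path `Cert:\LocalMachine\My`, the host name `yunio.example.com` and the function name `Test-TlsCertificate` are assumptions.

```powershell
# Added example. Assumptions: certificates are in Cert:\LocalMachine\My and
# carry the DNS name below (constructed placeholder, replace with your host).
param(
    [string]$DnsName   = 'yunio.example.com',
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [int]$WarnDays     = 30
)
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: TLS Web Server Authentication
$now = Get-Date

# Hypothetical helper: returns a list of reasons the certificate cannot serve TLS.
function Test-TlsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in store' }
    if ($Cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    if ($Cert.NotAfter  -le $now) { $problems += 'expired' }
    # A certificate without an EKU extension is unrestricted, so only check if present.
    if ($eku -and (($eku.EnhancedKeyUsages | ForEach-Object Value) -notcontains $serverAuthOid)) {
        $problems += 'EKU lacks Server Authentication'
    }
    return ,$problems
}

# All certificates covering the host name, latest expiry first.
$candidates = @(Get-ChildItem -Path $StorePath |
    Where-Object { ($_.DnsNameList | ForEach-Object Unicode) -contains $DnsName } |
    Sort-Object NotAfter -Descending)
if ($candidates.Count -lt 1) { throw "No certificate for $DnsName in $StorePath" }

$new = $candidates[0]
$old = $candidates | Select-Object -Skip 1 -First 1   # $null if only one is installed

$issues = Test-TlsCertificate $new
if ($issues.Count) {
    throw "Newest certificate $($new.Thumbprint) is unusable: $($issues -join '; ')"
}
$daysLeft = [int]($new.NotAfter - $now).TotalDays
if ($daysLeft -lt $WarnDays) { Write-Warning "Newest certificate expires in $daysLeft days" }

[pscustomobject]@{
    NewThumbprint = $new.Thumbprint
    NewNotAfter   = $new.NotAfter
    OldThumbprint = $old.Thumbprint
    OldNotAfter   = $old.NotAfter
    SameKey       = [bool]($old -and $old.GetPublicKeyString() -eq $new.GetPublicKeyString())
}
```

Run it in an elevated PowerShell session on the server before deleting the old certificate; a thrown error means the newest certificate should not be selected yet.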
Renew a Certificate with the Same Key
- Block external access to yunIO using the firewall.
- Open the yunIO Designer and enable anonymous access, see Server Settings - Anonymous Access.
- Disable TLS in the Designer, see Server Settings - Transport Layer Security.
- Renew the certificate with the same key using Windows AD Certificate Services.
- Enable TLS in the Designer with the new certificate.
- Disable anonymous access in the Designer.
- Allow external access to yunIO using the firewall.
Renewing a Certificate Automatically
If you’re using win-acme for the renewal of Let's Encrypt certificates, run the following PowerShell script with the same client that runs win-acme:
win-acme creates a scheduled task for the renewal process. When this process is triggered, it issues a new certificate and stores it in the Windows Certificate Store. The old certificate is deleted.
About the PowerShell Script
The yunio-le.ps1 script replaces the old certificate in the yunIO settings with the new certificate.
No manual changes in yunIO are required.
The yunio-le.ps1 script requires 2 input parameters:
- the thumbprint of the old certificate
- the thumbprint of the new certificate