Expiring Certificate - reporting and replacement

ERA is able to notify you about a Certificate or a Certification Authority that is going to expire. There are predefined Notifications for both ERA Certificate and ERA Certification Authority in the Notifications tab. To activate this feature, click Edit Notification and specify details in the Distribution section, such as email address or SNMP trap. Each user is able to see notifications only for those certificates which are in his home group (given he has assigned Read permissions for Certificates).


Make sure you have configured SMTP connection settings in Server settings first. Once done, you can edit notification to add Distribution email address.

If a computer has a certificate which is about to expire, its status information will automatically change. The status will be reported to Dashboard, Computers list , Status Overview and Certificate tab:


To replace an expiring Certification Authority or Certificate, follow these steps:

1.Create new Certification Authority with new validity period (in case the old one is going to expire), ideally making it valid immediately.

2.Create new Peer Certificates for ERA Server and other components (Agent/Proxy/MDM) within the validity period of your new Certification Authority.

3.Create policies to set new Peer Certificates. Apply the policies to ERA components, ERA Proxy, MDM and to ERA Agent on all client computers in your network.

4.Wait until the new Certification Authority and Peer Certificates are applied and the clients were replicated.


Ideally, wait 24 hours or check if all of your ERA components (Agents/Proxy) have replicated at least twice.

5.Replace Server certificate in ERA Server Settings so that clients are able to authenticate using their new Peer Certificates.

6.Once you have completed all the steps above, every client is connecting to ERA and all is working as expected, revoke old Peer Certificates and delete the old Certification Authority.