Load server certificate dynamically without stop/start

Questions regarding the use of the C++ SDK for Server or Client development or integration into customer products ...

ssmaung
Sr. Member
Posts: 17
Joined: 09 Jun 2021, 11:42

Load server certificate dynamically without stop/start

Post by ssmaung »

Hello,
I have learnt that when <GenerateCertificate> is set to true, a server certificate is created if no certificate is available.
Is there a way for the server to load a self-signed certificate dynamically without a server stop/start?

I have the following scenario.
1) Server is running and server certificate is there.
2) Delete server certificate while it is still running (found that it can be done)
3) Create new server certificate while it is still running (found that it can be done)
Question:
How can I let the server load the newly created certificate without a server stop/start?

The background of this question is that I would like to update the certificate expiry date without a server restart.

Thank you in advance.

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Load server certificate dynamically without stop/start

Post by Support Team »

Hello,

No, the scenario you describe is not preferred. The server will "detect" on startup whether a certificate is there and load it (or create one if none is present). Renewing expired certificates at runtime is the job of a GDS server, because only updating the server-side cert will not help. All clients must update/accept the new server cert as well. To force them to do so, the best approach is to drop all connections (close all endpoints), so that all Clients must reconnect. In an environment with a GDS Server, the Clients will also get their new certs according to a rollout strategy.

BTW, a good server will not let you "externally" delete files in its cert store (e.g. have the cert stored in a hardware SecureElement or TPM module) or will at least protect the store (e.g. access permissions on files and folders).

Best regards
Unified Automation Support Team
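
An added example, not part of the original thread and not SDK code: a permission audit for a file-based certificate store on a POSIX system, illustrating the reply's point about protecting the store with access permissions. Being able to delete or replace a certificate file depends on write permission on its directory, not on the file. The `own/certs` and `own/private` layout, the function names and the sample files are hypothetical and constructed for the example.

```python
import os
import stat
import tempfile

LOOSE_WRITE = stat.S_IWGRP | stat.S_IWOTH
LOOSE_READ = stat.S_IRGRP | stat.S_IROTH

def audit_cert_store(root, key_dir_name="private"):
    """Return sorted (relative_path, issue) findings for a file-based cert store."""
    # Assumption: files in a directory called key_dir_name are private keys.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Deleting, replacing or adding a file needs write permission on the
        # directory, not on the file itself, so the directory is checked first.
        if os.stat(dirpath).st_mode & LOOSE_WRITE:
            findings.append((rel_dir, "directory writable by group/other"))
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            rel = os.path.relpath(path, root)
            if stat.S_ISLNK(mode):
                findings.append((rel, "symlink inside store"))
            elif mode & LOOSE_WRITE:
                findings.append((rel, "file writable by group/other"))
            elif os.path.basename(dirpath) == key_dir_name and mode & LOOSE_READ:
                findings.append((rel, "private key readable by group/other"))
    return sorted(findings)

def build_sample_store(root):
    """Constructed sample layout (hypothetical paths) with two weaknesses."""
    layout = {"own/certs/server.der": 0o644, "own/private/server.pem": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real certificate or key")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "own"), 0o700)
    os.chmod(os.path.join(root, "own", "certs"), 0o777)   # anyone may delete/replace
    os.chmod(os.path.join(root, "own", "private"), 0o700)
    os.chmod(root, 0o700)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_store(tmp)
        for path, issue in audit_cert_store(tmp):
            print(f"{path}: {issue}")
```

Run it as the account that owns the store; an empty result means no directory or file in the store is writable by group or other and no file in the key directory is readable by them.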

ssmaung
Sr. Member
Posts: 17
Joined: 09 Jun 2021, 11:42

Re: Load server certificate dynamically without stop/start

Post by ssmaung »

Dear Support Team,
Thank you very much for the prompt reply and also for explaining good practice.
I really appreciate it and I should consider a better approach.
Thank you.
