For simplicity, we recommend renewing with an official (CA-issued) SSL certificate.
However, you may choose to continue to use a self-signed certificate.
A self-signed certificate is not trusted by devices out of the box; instead, each device needs a local copy of the certificate in its trust store before it will trust the server. Prior to FileWave 13, this only affected mobile devices: Renew MDM self signed certificate
FileWave 13, however, also uses this certificate to secure non-MDM (client) communication. The steps required on initial installation, or when upgrading to FileWave 13 from release 12 or lower, are described in: Self-Signed Certificates Going Forward
Renewal, though, requires additional steps to ensure device communication is not lost.
The 'fwcontrol' command for creating certificates is now a two-step process:
This first step generates a new certificate but, unlike before, does not overwrite the currently active certificate. Instead, the new certificate is held in a 'pending' state. You should see the following warning when creating the certificate:
A new key/crt pair of files is written to the following server folder, marked 'pending', alongside the original key/crt pair:
As the Important message indicates, every client will require a copy of this certificate to communicate with the server once it becomes active. During the transition, both the original and the new certificate must be installed on devices. Copy server.crt.pending and rename it appropriately for deployment, e.g. server.2019.04.30.crt
Installing the new certificate on mobile devices is the same process as before, except that the profile must contain both the new certificate and the current one:
Installing the new certificate on computers follows the same process as upgrading to FileWave 13, but the new certificate must be added to a Fileset manually: either the existing FileWave Upgrade Fileset or a new Fileset. The file location is one of:
Set the certificate's 'Verification' to 'Ignore At Verify' to ensure it is never removed.
If the new certificate becomes live on the server before the clients have received this Fileset, those devices will no longer be manageable through FileWave, and the certificate will have to be installed locally on each one by hand.
Whichever option is chosen, design a way to monitor the rollout. Only once all devices have the new certificate should the 'pending' certificate become the active server certificate.
Options for monitoring could include:
A Custom Field could take the following form (assuming the example file name 'server.2019.04.30.crt'):
The second step makes the 'pending' certificate the active certificate, replacing the original server certificate file.
Once all clients have the new certificate in their respective trust stores, the 'pending' server certificate may be made active. When the certificate is switched over, any other elements that embed the server certificate should be updated at the same time.
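The two points above, monitoring the rollout and only activating the pending certificate once every device trusts it, are easier to reason about as a small gate. The following is an added example and not FileWave code: it assumes that each device's Custom Field reports the SHA-256 fingerprints of the server certificates it trusts, and it decides whether the 'pending' certificate may be made active. The certificate bytes, device names and reports are constructed stand-ins (the DER blobs are not real X.509 certificates, only opaque bytes to hash); the client-side script that would collect the fingerprints is not shown.

```python
"""Rollout gate for a 'pending' self-signed server certificate.

Added example (not FileWave code). Each device is assumed to report the
SHA-256 fingerprints of the server certificates it trusts; the pending
certificate may only become active once every device trusts it.
Fingerprints are computed over the DER encoding, the same value that
`openssl x509 -noout -fingerprint -sha256` prints, so a value taken from
the server can be compared with one produced on a client.
"""
import hashlib
import ssl

# Constructed stand-ins for the DER bytes of the current and pending
# certificates. They are NOT real X.509 certificates, only opaque bytes
# that give the functions below something to hash.
CURRENT_DER = b"constructed stand-in for server.crt"
PENDING_DER = b"constructed stand-in for server.crt.pending"

# PEM wrapping as a client-side script would find the files on disk.
CURRENT_PEM = ssl.DER_cert_to_PEM_cert(CURRENT_DER)
PENDING_PEM = ssl.DER_cert_to_PEM_cert(PENDING_DER)


def fingerprint_sha256(pem: str) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def device_status(trusted: list[str], current_fp: str, pending_fp: str) -> str:
    """Classify one device from the fingerprints it reports as trusted.

    'ready'    both certificates present: safe before and after activation
    'pending'  only the current certificate: Fileset/profile not yet applied
    'cut-off'  the new certificate replaced the old one early, or neither is
               present: the device is, or will be, unmanageable
    """
    has_current = current_fp in trusted
    has_pending = pending_fp in trusted
    if has_current and has_pending:
        return "ready"
    if has_current:
        return "pending"
    return "cut-off"


def may_activate(reports: dict[str, list[str]], current_fp: str,
                 pending_fp: str) -> tuple[bool, dict[str, str]]:
    """Activation gate: True only when every device reports 'ready'.

    Also returns the per-device status so the devices holding up the
    switch can be listed and chased before the second fwcontrol step.
    """
    statuses = {dev: device_status(fps, current_fp, pending_fp)
                for dev, fps in reports.items()}
    return all(s == "ready" for s in statuses.values()), statuses


if __name__ == "__main__":
    cur_fp = fingerprint_sha256(CURRENT_PEM)
    new_fp = fingerprint_sha256(PENDING_PEM)
    # Constructed inventory: what each device's Custom Field reported.
    reports = {
        "mac-001": [cur_fp, new_fp],
        "win-002": [cur_fp],
        "ios-003": [cur_fp, new_fp],
    }
    ok, statuses = may_activate(reports, cur_fp, new_fp)
    for dev, status in statuses.items():
        print(f"{dev}: {status}")
    waiting = [d for d, s in statuses.items() if s != "ready"]
    print("activate pending certificate:", "yes" if ok else f"no, waiting on {waiting}")
```

Comparing fingerprints rather than file names catches the case where a device has a file called 'server.2019.04.30.crt' that is not actually the pending certificate, and the 'cut-off' status flags devices where the old certificate was removed early, which is exactly the situation 'Ignore At Verify' is meant to prevent.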
The server certificate is stored as an 'Anchor certificate' within any DEP profile created. As with any certificate change, once the certificate is renewed, create new DEP profiles; do not duplicate the existing ones.
The Custom Client Installer also needs to include the new certificate. The following links describe uploading the current server certificate under 'Options':
Details highlighted on: Self-Signed Certificates Going Forward