1 vote
Hi
We have 85 gateways running, and we have our own SSL certificate on all the gateways to support HTTPS. It would be nice to have a function to roll out a new cert directly from the Devolutions Server interface. Also, now that SSL certificate lifetimes are getting shorter and shorter, it's a big job to go to all the gateways and replace the cert each time it should be renewed.
Hi @jol
That’s a lot of instances, so I understand where you’re coming from.
A good first step would be to understand your environment a bit better. Are your gateways running on Windows or Linux?
Depending on the platform, standard certificate automation may already cover this use case well.
On Windows, AD CS auto-enrollment can often handle certificate deployment and renewal, and Devolutions Gateway can use the native Windows certificate store, which is generally a more secure approach than distributing certificate files centrally.
On Linux, ACME-based automation may be a better fit.
If one of those approaches would work in your environment, it may already solve the operational overhead without requiring Devolutions Server and yourself to distribute the certificates directly.
That said, what you’re asking for is technically feasible, and we’re open to the idea. We would just want to better understand the use case and requirements before evaluating how it should be implemented.
Best regards,
Benoit Cortier
Hi, we are an MSP that is using the DVLS GW to connect to our customers' environment.
The GW is running on a Windows server in the customer domain, but we use a central DVLS server to manage all our customers from.
Today we are using the Windows certificate store on the GW server to store our public * certificate for the GW.
Best regards
Jacob
Hi,
Thank you, that helps.
One more question to better understand your workflow: are you generating the wildcard certificate on your side first, and then importing it into each customer’s infrastructure?
I assume AD CS auto-enrollment is not an option in your case. Is that correct?
If so, would the feature you need be a way to update the Windows certificate store on each Gateway server with the renewed certificate?
Benoit Cortier
Yes, we have a public wildcard certificate that we install when setting up a gateway, but the most annoying thing with using the cert store is that you have to give Network Service read access to the private key.
But yes, a way to push out a new cert from a central place.
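
The manual step described in this thread (importing the renewed wildcard certificate into the Windows certificate store and giving Network Service read access to its private key), as an added PowerShell example that is not part of any post and is not Devolutions code. It assumes an RSA key held in a software key provider; the PFX path is a placeholder, and the script does not touch the Gateway's own configuration.

```powershell
#Requires -RunAsAdministrator
# Added example: import a renewed PFX into LocalMachine\My and grant
# NETWORK SERVICE read-only access to the private key file.
param(
    [string]$PfxPath    = 'C:\Temp\wildcard-renewed.pfx',  # placeholder path (assumption)
    [string]$ServiceSid = 'S-1-5-20'                       # well-known SID of NT AUTHORITY\NETWORK SERVICE
)

$password = Read-Host -AsSecureString -Prompt 'PFX password'

# Without -Exportable, the imported private key is marked non-exportable.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $password

# Resolve the on-disk key file (CNG or legacy CAPI software provider).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw "No RSA private key is associated with $($cert.Thumbprint)" }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyDirs = "$env:ProgramData\Microsoft\Crypto\Keys",
           "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
$keyFile = Get-ChildItem -Path $keyDirs -Filter $keyName -File -Force -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found; the key may be in a hardware or non-default provider" }

# Grant Read only (not FullControl) to the service identity, by SID so it is locale-independent.
$sid  = New-Object System.Security.Principal.SecurityIdentifier($ServiceSid)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Read', 'Allow')
$acl  = Get-Acl -Path $keyFile.FullName
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Emit what was installed and who can read the key, for the change record.
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    KeyFile    = $keyFile.FullName
    KeyReaders = (Get-Acl -Path $keyFile.FullName).Access |
        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
}
```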