Each root, intermediate, server, and code-signing certificate remains valid for a specific period of time (Valid From and Valid To dates). When a certificate expires, system users receive error messages.
Ensuring continued secure system access requires advance planning. For each expiring certificate, you must re-sign it and
on signature, the CA can modify the expiration date. As of
Niagara 4.14, you can use the Signing Service to renew certificates (see Niagara Signing Service Guide).If your company uses a third-party CA, the whole process can take a couple of weeks. As a best practice, keep track of each
certificate expiration date, and plan ahead to replace old certificates before they expire.
Additional details
- FOXS connections between stations that are using Allowed Hosts exemptions will still connect even when a certificate has expired.
- FOXS connections between stations not using Allowed Hosts exemptions will fail to reconnect. Certificates must be reissued
for successful connections.
- Browser connections will start showing messages that the certificate is no longer trusted, but will still connect.
-
Workbench will connect even though a certificate has expired.
NOTE: Using Allowed Hosts exemptions is not as secure as using signed certificates without exemptions. The use of signed certificates
means that each certificate will need to be re-issued before they expire to avoid connection problems. It is important to
note that using signed certificates without exemptions provides a much more secure environment.