Certificate Renewal for TLS
The following article shows how to manually and automatically renew an X.509 certificate used for TLS in Xtract Universal.
Warning
Expired Certificate.
The cryptographic key pair associated with the certificate is no longer valid, which may cause security risks. Always use a valid certificate. To access the Designer after a certificate has expired, delete the tls.json file in the Xtract Universal installation directory (C:\Program Files\XtractUniversal\config\servers\) and restart the Xtract Universal service. This resets all TLS settings in Xtract Universal, including the certificate selection.
Renew a Certificate Manually
- Before the old certificate expires, install a new certificate on the server machine.
- Open the Xtract Universal Designer and reference the new certificate, see Install an X.509 Certificate.
- Delete the old certificate from the Microsoft Certificate Store.
- Block external access to the Xtract Universal server using the firewall.
- Open the Xtract Universal Designer and navigate to Settings > Server.
- In the Web Server tab, select the protocol HTTP - Unrestricted to disable TLS.
- Click [OK] to save the settings. When prompted to restart the service, click [OK] again.
- Renew the certificate with the same key using Windows AD Certificate Services.
- Open the Xtract Universal Designer and enable TLS with the new certificate, see Activate TLS Encryption.
- Click [OK] to save the settings. When prompted to restart the service, click [OK] again.
- Allow external access to the Xtract Universal server using the firewall.
Note
If you use TLS encryption for the communication with the Xtract Universal Designer, make sure to also reference the new certificate in the Configuration Server tab of the server settings.
Renew a Certificate Automatically
If you're using win-acme for the renewal of Let's Encrypt certificates, run the following PowerShell script with the same client that runs win-acme.
Download PowerShell Script for Letsencrypt Certificate Renewal
About win-acme
win-acme creates a scheduled task for the renewal process. When this process is triggered, it issues a new certificate and stores it in the Windows Certificate Store. The old certificate is deleted.
About the PowerShell Script
The xu-le.ps1 script replaces the old certificate in the Xtract Universal settings with the new certificate. No manual changes in Xtract Universal are required.
The xu-le.ps1 script requires 2 input parameters:
- the thumbprint of the old certificate
- the thumbprint of the new certificate
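The following PowerShell check is an added example, not part of the Xtract Universal documentation or of xu-le.ps1. It lists the matching certificates with their thumbprints and remaining validity, so that a renewal can be started before the certificate expires. The store path `Cert:\LocalMachine\My`, the subject `xu.example.internal` and the 30-day threshold are assumptions; adjust them to your server.

```powershell
# Added example: report expiry and thumbprints of the TLS certificate candidates.
# Assumptions (not from the Xtract Universal docs): the certificate is stored in
# Cert:\LocalMachine\My and its subject contains the placeholder host name below.
param(
    [string]$SubjectMatch = 'xu.example.internal',   # placeholder subject
    [string]$StorePath    = 'Cert:\LocalMachine\My', # assumed store location
    [int]$WarnDays        = 30                       # assumed renewal threshold
)

function Get-TlsCertStatus {
    param([string]$SubjectMatch, [string]$StorePath, [int]$WarnDays)
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        Sort-Object NotAfter |
        ForEach-Object {
            $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
            $state = if ($daysLeft -lt 0) {
                'EXPIRED'
            } elseif ($daysLeft -le $WarnDays) {
                'RENEW'
            } else {
                'OK'
            }
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                DaysLeft      = $daysLeft
                HasPrivateKey = $_.HasPrivateKey  # TLS needs the private key
                State         = $state
            }
        }
}

$certs = @(Get-TlsCertStatus -SubjectMatch $SubjectMatch -StorePath $StorePath -WarnDays $WarnDays)
$certs | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring job raise an alert
# when no usable certificate remains outside the warning window.
$usable = @($certs | Where-Object { $_.State -eq 'OK' -and $_.HasPrivateKey })
if ($usable.Count -eq 0) {
    Write-Warning "No certificate matching '$SubjectMatch' is valid for more than $WarnDays days."
    exit 1
}
```

The Thumbprint column provides the values to compare against the certificate selected in the Xtract Universal server settings.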
Related Links
- Xtract Universal Documentation: Install an X.509 Certificate
- Xtract Universal Documentation: Server Settings
- Enable Secure Network Communication (SNC) via X.509 certificate
Last update: June 24, 2025
Written by: Valerie Schipka