Skip to content

Certificate Renewal for TLS

The following article shows how to manually and automatically renew a X.509 certificate used for TLS in Xtract Universal.

Warning

Expired Certificate.
The Cryptographic key pair associated with the certificate is no longer valid and this may cause security risks. Always use a valid certificate. To access the Designer after a certificate has expired, delete the tls.json file in the Xtract Universal installation directory (C:\Program Files\XtractUniversal\config\servers\) and restart the Xtract Universal service. This resets all TLS settings in Xtract Universal, including the certificate selection.

Renewal with New Key

To renew a certificate with new key:

  1. Before the old certificate expires, install a new certificate on the server machine.
  2. Open the Xtract Universal Designer and reference the new certificate, see Install an X.509 Certificate.
  3. Delete the old certificate from the Microsoft Certificate Store.

Renewal with the Same Key"

To renew a certificate with the same key as before:

  1. Block external access to the Xtract Universal server using the firewall.
  2. Open the Xtract Universal Designer and navigate to Settings > Server.
  3. In the Web Server tab, select the protocol HTTP - Unrestricted to disable TLS.
  4. Click [OK] to save the settings. When prompted to restart the service, click [OK] again.
  5. Renew the certificate with the same key using Windows AD Certificate Services.
  6. Open the Xtract Universal Designer and enable TLS with the new certificate, see Activate TLS Encryption.
  7. Click [OK] to save the settings. When prompted to restart the service, click [OK] again.
  8. Allow external access to the Xtract Universal server using the firewall.

Note

If you use TLS encryption for the communication with the Xtract Universal Designer, make sure to also reference the new certificate in the Configuration Server tab of the server settings.

Last update: January 7, 2026
Written by: Valerie Schipka