Replace TLS Tunnel Certificate for inTune

 If you have your Intune TLS certificate expiring as you can see here, as its under 30 days......


You will need to renew this for the tunnel to still work, so to do that you will need to get a new external certificate from your certificate authority, which is different for each customer, however it will involve creating a CSR and giving that to the external provider to give you back a certificate which is in the format .cer.

When you get this response back you will need to marry up the CER with the private key which does not leave the machine you have generated it on, for this to work you need the PFX file with both the public and the private keys, below shows my file for this service.

This will have a password when you export it which you will need to know later on, now you need to get this file to the Linux servers, if you have more than one, so I would use WinSCP for the file transfer the Putty for the commands, your choice how you do this.

Check server is Healthy

First its best to check the server for the tunnel is Healthy before updating it, I do this using putty from the local login, so once have connected to the server using putty run this command:

mst-cli server status

This should return that all is well, and it should be running and healthy like this:


If it is not all fine, then fix that issues before you update the TLS certificate unless the issue is that it has expired!

WinSCP for file transfer

Start up WinSCP and from the main connection dialogue, in here the connectyion is SFTP then the hostname of the servers and the username as you can see here......


You will need to know the password, enter it in the password field then once connected you will need to navigate to the directory:

/etc/mstunnel/private

Notice that the current certificate is listed here as you can see below, this filename is "site.pfx" you will need this name later on.....this is the view from the right side of WinSCP



Save the PFX file on your local computer where you are using WinSCP from to a certain folder for this example I will use "c:\temp\data" ensure you call this file "site.pfx" in this folder as originally from above it is called "cert.pfx"

In the left side of WinSCP navigate to the folder c:\temp\data where the PFX file is located, then it should look like this......

Left is the local server in the correct folder and the right side the tunnel server, now you need to rename the current PFX file on the remote server from site.pfx to oldsite.pfx this is shown in the "red" box below.....

Once you have renamed the site.pfx to oldsite.pfx" then take the file called site.pfx on the left side and drag and drop this to the right side, this will copy it to the remote server in the correct folder.

Now you have the "site.pfx" in the correct folder on the remote server.

Putty in recycle services

Right, head back to the putty session you had when you checked the health of the server and then run this command:

mst-cli import_cert
That will then ask you for the PFX file password that you set when you exported it, enter this password now, and if correct you will get an "OK" this means you need to recycle the service with this command:

mst-cli server restart
This will then stop and start the service, not that once the service is started, if you then run this command:

mst-cli server status
You will notice that the health is "starting" - please note if the server checks into the portal at this time, it will report that the service container is unhealthy and give you an error, if this occurs, run the status command above again until it says "healthy" then a couple of moment later the portal will reflect the new status.

Verify with the website

Once you are in the endpoint management website, click on Tenant Admin then Tunnel and look at the sever name you should see its all green.


The in the main "health view" the TLS certificate should be all good once again......



Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„