Applies to partners that have accounts in Nerdio for Azure (NFA) or Nerdio Private Cloud (NPC)
Subject: IMPORTANT: SSL Expiration and Replacement – ACTION REQUIRED
On February 1st, 2023, the SSL wildcard certificate for *.nerdio.net will be expiring. This SSL certificate is used by all Nerdio for Azure and Nerdio Private Cloud accounts. Nerdio automation will manage the changes required to update the certificate in your Nerdio environment(s) but you may berequired to take action prior to this and before the certificate expiration date.
NOTE: If you have completed this procedure for the expiration of the certificate in 2021, no action will be needed. A scheduled task was added to your environment via the process below and this will update your certificate.
Why am I getting this notice?
You are a Nerdio partner and have active Nerdio for Azure or Nerdio Private Cloud accounts.
What actions do I need to take?
Before February 1st, 2023 log into DC01 in each of your Nerdio for Azure deployments and execute the script provided by Nerdio (download the appropriate files). This script will automatically update the SSL certificate on VMs in the environment.
-
Notes for NPC
- The CM and SG will be required to have a reboot performed. The reboot schedule is Saturdays before expiration at between 9:15 and 9:30 p.m. CT. Scripts executed less than 7 days before the expiration will have a scheduled reboot the night before expiration March 19th between 9:15 and 9:30 p.m. CT.
- Partners can perform the reboots ahead of time (apart from the scheduled reboots) to apply the new certificates on their timeline.
-
Notes for NFA (WVD)
-
The Nerdio.net certificate is not used for individual session hosts (the WVD agent and broker service handle this automatically). However, the Nerdio certificate is applied to DC & FS (for admin RDP connectivity), and installed on DC & PRX for AD FS services, so the installation should be completed for WVD environments as well.
-
For a step by step guide and reference to the PowerShell execution click here.
What will happen if I do not take action?
On February 1st the *.nerdio.net wildcard SSL certificate used by Nerdio for Azure and Nerdio Private Cloud accounts will expire and users will not be able to connect to hosts via RDS sessions or WVD hosts where ADFS is implemented.
What needs to happen if I manually imported the *.nerdio.net wildcard SSL certificate into my customer’s Thin Client end-user devices?
You can download the latest version of the certificate here. Update the Thin Clients using this updated SSL certificate.
Common Questions:
- Does this apply to all my Nerdio for Azure accounts?
- Yes – accounts that use *.nerdio.net. If you have run the previous Install_AutoCert.ps1 you can run this again to ensure *.nerdio.net wildcard certificate is updated in the future. Future updates would also include the future automated update for *.adminportal.pro.
- How long will it be before the new SSL certificate expires again?
- The new certificate is valid for one year. However, you will not have to go through these steps again in the future since the automation installed by the script that you will run is going to update the SSL certificate in the future before it expires.
-
Is there anything I need to do on my users’ local devices?
- Check the “trust this publisher” checkbox and the message will no longer come up
- Generate new RDP files in NAP and distribute to the users before March 20th
- The RDP files generated by the Nerdio Admin Portal (NAP) are signed with the then-current SSL certificate. Therefore, after March 20th users of NAP-generated RDP files may receive an “unknown publisher” warning.
- What about PRX01 ADFS proxy server that’s in the DMZ?
- For NFA accounts, Nerdio will perform updates on the PRX01 VMs. This is only relevant if you are using Active Directory Federation Services (ADFS).
- Will I have to do this again in one year when the new certificate expires?
- No. The actions you will take prior to March 20th will configure all VMs to automatically update themselves when the certificate expires in 1 year.
What if I still have questions or need help?
Please don’t hesitate to contact us at engineering@getnerdio.com and we’ll answer any questions you may have.
Downloads for NFA
- nerdio.net.cer - certificate file - Current certificate for *nerdio.net
- Install_AutoCert.ps1 - PowerShell script - Script to execute on DC01
Downloads for NPC
- nerdio.net.cer - certificate file - Current certificate for *nerdio.net
- Install_AutoCertNPC.ps1 - PowerShell script - Script to execute on DC
- Install_AutoCertNPCSG01 - PowerShell script - Script to execute on SG
- Install_AutoCertNPCPRX - PowerShell script - Script to execute on PRX
Comments (0 comments)