Microsoft Tunnel – Update SSL certificate
Certificates need to be updated. If you are looking for a “how to” for Microsoft Tunnel, you’ll find a lot of articles on installing the appliance and the certificate, but I didn’t find any manual for only updating the certificate. Therefore I wrote one of my own:
There are two ways, depending on your type of certificate:
For PFX
1.) rename your current certificate under /etc/mstunnel/private/site.pfx to something else (e.g. site.pfx.2021.old)
2.) copy your new certificate to /etc/mstunnel/private; keep in mind that it has to be named site.pfx
3.) check ownership and access rights and correct them if needed
For PEM
1.) rename your current key file under /etc/mstunnel/private/site.key to something else (e.g. site.key.2021.old)
2.) rename your current certificate under /etc/mstunnel/certs/site.crt to something else (e.g. site.crt.2021.old)
3.) copy your new key file to /etc/mstunnel/private; keep in mind that it has to be named site.key
4.) check ownership and access rights and correct them if needed
5.) copy your new certificate to /etc/mstunnel/certs; keep in mind that it has to be named site.crt
6.) check ownership and access rights and correct them if needed
The next step is identical for both types. You’ll need to use the Microsoft Tunnel command-line tool (File and command reference for Microsoft Tunnel Gateway, a VPN solution for Microsoft Intune | Microsoft Docs)
Update the certificate:
mst-cli import_cert
fill in the password for your certificate
Restart the Microsoft Tunnel service:
mst-cli server restart
That’s it. After a few minutes you’ll see the updated status of your certificate in the Microsoft Endpoint Manager admin center.
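One way to script the rename, copy and rights check for a single file (an added example, not part of the original post and not Microsoft tooling). The function name replace_tunnel_file is made up here, and it assumes the file being replaced already carries the ownership and access rights the new one should get.

```shell
#!/bin/sh
# Added example: replace one Microsoft Tunnel certificate/key file, keep the
# old one as a backup and give the new one the same owner and mode.
# Assumption: the current file's owner and mode are the correct ones.
#
# Usage (paths and commands from the steps above):
#   replace_tunnel_file ./new.pfx /etc/mstunnel/private/site.pfx 2021.old
#   mst-cli import_cert && mst-cli server restart

replace_tunnel_file() {
    new_file=$1
    target=$2
    suffix=${3:-$(date +%Y).old}      # default backup suffix, e.g. 2021.old
    backup="$target.$suffix"

    [ -s "$new_file" ] || { echo "missing or empty: $new_file" >&2; return 1; }
    [ -f "$target" ]   || { echo "nothing to replace: $target" >&2; return 1; }
    # Never overwrite an earlier backup; it may be the only rollback copy.
    [ ! -e "$backup" ] || { echo "backup exists: $backup" >&2; return 1; }

    # Record owner and mode of the file in use before touching anything.
    owner=$(stat -c '%u:%g' "$target") || return 1
    mode=$(stat -c '%a' "$target") || return 1

    # Stage the new file next to the target. umask 077 keeps a private key
    # from being readable by others while it sits under the temporary name.
    tmp="$target.new.$$"
    ( umask 077 && cp "$new_file" "$tmp" ) || return 1
    chown "$owner" "$tmp" && chmod "$mode" "$tmp" || { rm -f "$tmp"; return 1; }

    # Rename the old file out of the way, then move the staged file in.
    if ! mv "$target" "$backup"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$target" || return 1

    # Print the result so the rights can be checked by eye as well.
    echo "$target: owner $(stat -c '%U:%G' "$target") mode $(stat -c '%a' "$target")"
}
```

For PEM, call it once for site.key and once for site.crt before running mst-cli import_cert.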