Version: 10.7.1

Single Registration Certificate Renewal

Certificate Renewal

HYPR Passwordless authentication uses Active Directory certificates bound to trusted user devices to enable secure, phishing-resistant authentication. As these user login certificates approach expiration, renewal is required to ensure continuous authentication, maintain security posture, and comply with organizational and regulatory requirements.

Starting 30 days before expiration, the HYPR Workstation Agent notifies the user via the system tray that a renewal is pending and that the login certificate on the mobile device can be renewed automatically.

Certificate Renewal - Workstation to Web

Flow Description

  • HYPR Workstation Agent detects that the current login certificate is approaching expiration.

  • The agent requests a new certificate for the user.

  • The new certificate is generated and saved locally.

  • The agent waits for the next unlock request.

  • During the next unlock session using the HYPR Mobile App, the new certificate is transferred to the HYPR Mobile App through the HYPR Server.

  • Subsequent unlock events using the HYPR Mobile App use the new certificate to establish the login session.

  • The agent marks the certificate renewal as successfully completed, runs bookkeeping operations, and continues the authentication workflow.

Facts

  • Login certificate renewal is initiated by the HYPR Workstation Agent process running on the employee's laptop, which contacts AD CS to enroll a new certificate.

  • Users must be connected to the corporate network (domain/VPN) for the certificate renewal to succeed.

  • The user will receive warnings from the system tray when a certificate must be renewed.

    a. 30 days before expiration to alert the user - Snooze option is available

    b. 7 days before expiration to actively request the user to complete their renewal

    c. 1 day before expiration - Snooze option is not available

  • The new certificate will sit on the Workstation local file system until there is an opportunity to send it to Mobile, which happens during an unlock request initiated by the Mobile App and flows through the HYPR Server.

  • The first time a newly enrolled certificate is transferred to the Mobile App and presented back to the Workstation, Windows contacts Active Directory to authenticate it. After that first success, Windows caches the certificate.

  • Workstation - connected to corporate network (domain/VPN)

    a. After renewal, first unlock successful

    b. New certificate is used

    c. Mobile App is notified that the new certificate is in use

  • Workstation - not connected to corporate network (domain/VPN)

    a. After renewal, first unlock not successful

    b. Current certificate is used

    c. Pop-up notification to the user to connect to VPN and unlock.

  • Mobile App

    a. Keeps track of two certificates, the current one and the new one.

    b. Sends both certificates during the Unlock request.

    c. Waits for acknowledgment when the new certificate is accepted.

Pre-Requisites

  1. HYPR Server is in a running state

    a. Workstation to Web feature flags are enabled.

  2. Mobile App has workstation registration.

  3. The user workstation is connected to the domain.

Configuration

  1. Enable Auto Enrollment Feature Flag

    a. MOBILE_AUTO_CERT_RENEWAL

Certificate Renewal - Web to Workstation

Flow Description

  • Mobile App periodically polls HYPR Server to determine whether a new certificate is available.

  • HYPR Server checks for current certificate expiration.

  • HYPR Server automatically initiates certificate renewal through the HYPR Enrollment Service.

  • The enrollment service requests a new certificate for the user.

  • A new login certificate is generated.

  • Enrollment Service encrypts the certificate and posts the encrypted one to the HYPR Server.

  • The encrypted certificate is temporarily stored on the HYPR server.

  • The new certificate is transferred to the Mobile App from the server during the polling process.

  • Mobile App keeps new and current certificates.

  • The user is required to complete the renewal process by unlocking the workstation.

  • During the next unlock session using the HYPR Mobile App, the new certificate is transferred to the HYPR Mobile App through the HYPR Server.

  • The subsequent unlock events using the HYPR Mobile App will use the new certificate to establish the login session.

  • The workstation agent marks the certificate renewal successfully completed and the new certificate becomes the current one.

Facts

  • Login certificate renewal is initiated automatically by HYPR Server. The HYPR Enrollment Service, running on a Windows server in the customer's network, calls AD CS to request certificate enrollment.

  • Users must be connected to the corporate network (domain/VPN) to complete the renewal process successfully.

  • When a new certificate is ready, the HYPR Mobile App obtains it as part of its regular communication with the HYPR Server. During the next unlock, the user's mobile device sends both the current and new certificates to the workstation. The workstation attempts to use the new certificate for authentication. If successful, the new certificate is cached and used for future authentications. If the workstation cannot reach Active Directory (e.g., the VPN is not connected), it uses the current certificate and prompts the user to connect to VPN and unlock again to complete the renewal process.

  • HYPR Server tracks certificate expiration dates and automatically initiates renewal through the HYPR Enrollment Service when certificates are approaching expiration (30 days before expiration). Administrators can view pending certificate renewals in the HYPR Server User Management interface.

  • Workstation - connected to corporate network (domain/VPN)

    a. After renewal, first unlock successful

    b. New certificate is used

    c. Mobile App is notified that the new certificate is in use

  • Workstation - not connected to corporate network (domain/VPN)

    a. After renewal, first unlock not successful

    b. Current certificate is used

    c. Pop-up notification to the user to connect to VPN and unlock.

  • Mobile App

    a. Keeps track of two certificates, the current one and the new one.

    b. Sends both certificates during the Unlock request.

    c. Waits for acknowledgment when the new certificate is accepted.
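The unlock-time behaviour described in both Facts sections (the Mobile App carries the current and the new certificate, the workstation tries the new one first, falls back to the current one and prompts for VPN when Active Directory is unreachable, and the Mobile App promotes the new certificate only after acknowledgment) is modelled below as an added, constructed Python example. It is not HYPR code: the `Cert`, `MobileApp` and `Workstation` classes, the serial numbers, the clock and the 7-day snooze behaviour are assumptions made for illustration, and the system-tray tiers follow the 30/7/1-day thresholds stated on this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Notification thresholds from the page: 30 days (snooze available),
# 7 days (active request), 1 day (snooze not available).
RENEWAL_WINDOW_DAYS = 30
ACTIVE_REQUEST_DAYS = 7
FINAL_WARNING_DAYS = 1


@dataclass
class Cert:
    """Minimal stand-in for a user login certificate (constructed, not a real X.509 object)."""
    serial: str
    not_after: datetime


def tier_for_days(days_left: float) -> Optional[dict]:
    """Map days until expiration to the system-tray warning tier, or None outside the window."""
    if days_left <= 0:
        return {"tier": "expired", "snooze": False}
    if days_left <= FINAL_WARNING_DAYS:
        return {"tier": "1-day", "snooze": False}
    if days_left <= ACTIVE_REQUEST_DAYS:
        # Assumption: the page does not say whether snooze remains at the 7-day tier.
        return {"tier": "7-day", "snooze": True}
    if days_left <= RENEWAL_WINDOW_DAYS:
        return {"tier": "30-day", "snooze": True}
    return None


def tray_notification(cert: Cert, now: datetime) -> Optional[dict]:
    """Warning tier the agent would show for `cert` at time `now`."""
    return tier_for_days((cert.not_after - now) / timedelta(days=1))


@dataclass
class MobileApp:
    """Holds the current certificate and, while a renewal is pending, the new one."""
    current: Cert
    new: Optional[Cert] = None

    def unlock_request(self) -> dict:
        # Both certificates travel in the unlock request (Mobile App fact b).
        return {"current": self.current, "new": self.new}

    def acknowledge(self, serial: str) -> None:
        # Promote the new certificate only once the workstation confirms it (fact c).
        if self.new is not None and self.new.serial == serial:
            self.current, self.new = self.new, None


@dataclass
class Workstation:
    """Workstation agent; `ad_reachable` models domain/VPN connectivity."""
    ad_reachable: bool
    cached_serials: set = field(default_factory=set)

    def authenticate(self, cert: Cert, now: datetime) -> bool:
        if now >= cert.not_after:
            return False
        if cert.serial in self.cached_serials:
            return True  # validated once before; Windows caches it afterwards
        if not self.ad_reachable:
            return False  # first use of a certificate needs Active Directory
        self.cached_serials.add(cert.serial)
        return True


def unlock(ws: Workstation, mobile: MobileApp, now: datetime) -> dict:
    """One unlock exchange: try the new certificate first, then fall back to the current one."""
    req = mobile.unlock_request()
    new, current = req["new"], req["current"]
    if new is not None and ws.authenticate(new, now):
        mobile.acknowledge(new.serial)
        return {"used": new.serial, "renewal_complete": True, "prompt_vpn": False}
    if ws.authenticate(current, now):
        # Renewal still pending: the user is asked to connect to VPN and unlock again.
        return {"used": current.serial, "renewal_complete": False,
                "prompt_vpn": new is not None}
    return {"used": None, "renewal_complete": False, "prompt_vpn": False}


def renewal_scenario(ad_reachable_on_first_unlock: bool) -> list:
    """Run two unlocks: the first with the given connectivity, the second off the VPN."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed clock
    old = Cert("OLD-0001", now + timedelta(days=5))  # already inside the 7-day tier
    new = Cert("NEW-0002", now + timedelta(days=365))
    mobile = MobileApp(current=old, new=new)
    ws = Workstation(ad_reachable=ad_reachable_on_first_unlock,
                     cached_serials={old.serial})  # the current cert was cached earlier
    first = unlock(ws, mobile, now)
    ws.ad_reachable = False  # e.g. the laptop leaves the corporate network
    second = unlock(ws, mobile, now + timedelta(days=1))
    return [first, second]


if __name__ == "__main__":
    for connected in (True, False):
        print("connected" if connected else "offline", renewal_scenario(connected))
```

Running the module shows the two outcomes the page lists: with the domain reachable, the first unlock uses the new certificate and the Mobile App drops the old one, so a later offline unlock still succeeds from the cache; without the domain, every unlock keeps using the current certificate and keeps prompting for VPN until Active Directory can validate the new one.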

Pre-Requisites

  1. HYPR Server is in a running state

    a. Web to Workstation feature flags are enabled.

  2. Entitlement Server is in a running state

  3. Mobile App has web registration.

  4. The user workstation is connected to the domain.

Configuration

  1. Enable Auto Enrollment Feature Flag

    a. MOBILE_AUTO_CERT_RENEWAL

Testing the Workflow

  1. HYPR CC Console can be used to create a magic link for the web application.

    a. Enter the user's email in the Username field. This is the same email address that is associated with the user profile on Active Directory.

    b. Click Create Magic Link.

  2. The user navigates to the Magic Link Web Link URL, which redirects the user to device manager.

  3. The user selects 'Register mobile device', which calls HYPR Server to initiate the web registration.

  4. Wait a few minutes for the server to process the certificate.

  5. The user taps on the Pending Computer bubble.

  6. The user scans the QR code on the Windows lock screen to complete the WFA pairing.

  7. Cert Renewal

    a. Test workstation unlock for workstation registrations with the current certificate in a state where it is close to expiration.

    b. Test workstation unlock for workstation registrations with the current certificate in an expired state.

    c. Test workstation unlock with the workstation connected to the corporate network (domain/VPN).

    d. Test workstation unlock with the workstation not connected to the corporate network (domain/VPN).

    e. Test workstation unlock for web registrations with the current certificate in a state where it is close to expiration.

    f. Test workstation unlock for web registrations with the current certificate in an expired state.