Certificate Renewal for Security Keys
HYPR Passwordless: Advanced Configuration: Windows
For security key authentication, the HYPR Passwordless client application for Windows uses certificates issued by the Active Directory (AD) Certificate Authority (CA). To help ensure the certificate remains valid, WFA will display a warning over the pairing icon, and the application will also display a tray notification prompting the user to renew when the expiration date is within 30 days.
In both cases, clicking Renew Key will trigger a manual renewal of the expired certificate.


As the expiration date approaches, the Snooze button will not appear, and the notification will not automatically dismiss itself if the user waits, forcing them to acknowledge it and go through the renewal process.

When the user clicks Renew Key, the HYPR Passwordless client checks that the security key is plugged into the workstation, then prompts the user to enter their PIN.


If the PIN is valid, the HYPR Passwordless client automatically communicates with the CA to obtain a new certificate and place it on the device.

How It Works
For HYPR Mobile App authentication, the HYPR Passwordless for Windows client uses certificates issued by the Active Directory (AD) Certificate Authority (CA).
To help ensure security key certificates remain valid, WFA will start notifying the user to plug in their key and renew the key's certificate when the expiration date is approaching. If this action remains incomplete, WFA will actively remind the user until renewal is accomplished. This behavior is governed by the following registry parameters, which are updated manually and are found under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\HYPR Workforce Access:
Reenroll Certificate Before Expiration Days:
- The number of days before expiration to alert the user
- Snooze option available
- Defaults to 30
Reenroll Certificate Notify Before Expiration Days:
- The number of days before expiration to actively request the user to complete their renewal
- Snooze option available
- A red warning label of Renew Key will appear in WFA over the key's icon in the pairing roster
- Defaults to 7
- At 1 day prior to expiration, the Snooze button will no longer be an option; this is not configurable
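An added example (not HYPR's code) that reads the two registry parameters above and reports which notification stage a certificate with a given expiration date would fall into, flagging a configuration where the thresholds are inverted. It assumes the values are stored as DWORDs under the names shown on this page, that the documented defaults apply when a value is absent, and that the thresholds are inclusive; the function names are hypothetical.

```powershell
# Added example; not HYPR code. Value names are copied from this page.
# Assumptions: DWORD values, documented defaults when a value is absent.
$HyprKey = 'HKLM:\SOFTWARE\HYPR Workforce Access'

function Get-HyprRenewalThreshold {
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $HyprKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.$Name) { return [int]$item.$Name }
    return $Default   # value (or key) absent: fall back to the documented default
}

function Get-HyprRenewalStage {
    param(
        [Parameter(Mandatory)][datetime]$NotAfter,   # certificate expiration date
        [datetime]$Now = (Get-Date)
    )
    $alertDays  = Get-HyprRenewalThreshold 'Reenroll Certificate Before Expiration Days' 30
    $notifyDays = Get-HyprRenewalThreshold 'Reenroll Certificate Notify Before Expiration Days' 7

    # Sanity check: the active-request window should sit inside the alert window.
    if ($notifyDays -gt $alertDays) {
        Write-Warning "Notify threshold ($notifyDays) exceeds alert threshold ($alertDays)."
    }

    $daysLeft = [int][math]::Floor(($NotAfter - $Now).TotalDays)

    # Inclusive boundaries are an assumption; the 1-day cutoff is fixed per the page.
    if ($daysLeft -lt 0) {
        $stage = 'Expired'
    } elseif ($daysLeft -le 1) {
        $stage = 'Renewal prompt, no Snooze'
    } elseif ($daysLeft -le $notifyDays) {
        $stage = 'Active request, red Renew Key label, Snooze available'
    } elseif ($daysLeft -le $alertDays) {
        $stage = 'Alert, Snooze available'
    } else {
        $stage = 'No notification'
    }

    [pscustomobject]@{
        DaysLeft = $daysLeft; AlertDays = $alertDays; NotifyDays = $notifyDays; Stage = $stage
    }
}

# Constructed sample expiration dates, relative to a fixed "now".
$now = Get-Date
foreach ($d in 45, 20, 5, 1) {
    Get-HyprRenewalStage -NotAfter $now.AddDays($d).AddHours(1) -Now $now
}
```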
Privacy, Please
Certificate renewal requires participating users to be connected to a secure network (VPN, domain-joined, etc.) to function. Don't worry, though - HYPR will remind them if they are not securely connected.