Certificate Renewal for the HYPR Mobile App

Using HYPR Passwordless: Windows

HYPR certificate renewal extends to devices with the HYPR Mobile App (Android and iOS) installed. Mobile device registrations will start to ‘silently’ renew a certificate 30 days prior to expiration. Seven days prior to expiration, the user will see Windows toaster popups stating the certificate must be renewed.

YubiKey registrations will display a Windows toaster popup to renew a certificate 30 days prior to expiration. There are no silent renewal attempts for YubiKeys.

How It Works

For HYPR Mobile App authentication, the HYPR Passwordless for Windows client uses certificates issued by the Active Directory (AD) Certificate Authority (CA).

To help ensure the certificate remains valid, HYPR Passwordless attempts to renew the certificate automatically as the expiration date approaches, by default 30 days in advance. If renewal is not completed, HYPR Passwordless actively reminds the user until it is. This behavior is governed by the following registry parameters, which are updated manually and are found under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\HYPR Workforce Access:

  • Reenroll Certificate Before Expiration Days: The number of days before expiration to alert the user; defaults to 30
  • Reenroll Certificate Notify Before Expiration Days: The number of days before expiration to actively request the user to complete their renewal; defaults to 7
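To check where a workstation's certificates sit relative to these two thresholds, the following added example (not HYPR's own code) reads both registry values, falls back to the documented defaults, and classifies each certificate by days remaining. It assumes the parameter names above are the literal registry value names and that the certificate is in the current user's personal store; the -IssuerLike filter is a hypothetical parameter for narrowing results to your AD CA.

```powershell
# Added example, not part of HYPR. Registry key and value names are taken
# from this page; the store location and issuer filter are assumptions.
param(
    [string]$IssuerLike = '*',                    # hypothetical, e.g. '*<your AD CA name>*'
    [string]$StorePath  = 'Cert:\CurrentUser\My'  # assumed certificate store
)

$keyPath = 'HKLM:\SOFTWARE\HYPR Workforce Access'

function Get-ThresholdDays {
    param([string]$Name, [int]$Default)
    # Use the documented default when the key or value does not exist.
    $item = Get-ItemProperty -Path $keyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.$Name) { return [int]$item.$Name }
    return $Default
}

$renewDays  = Get-ThresholdDays -Name 'Reenroll Certificate Before Expiration Days' -Default 30
$notifyDays = Get-ThresholdDays -Name 'Reenroll Certificate Notify Before Expiration Days' -Default 7

$now = Get-Date
Get-ChildItem -Path $StorePath |
    Where-Object { $_.Issuer -like $IssuerLike } |
    ForEach-Object {
        # Whole days until NotAfter; negative means already expired.
        $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)

        if     ($daysLeft -lt 0)           { $state = 'Expired' }
        elseif ($daysLeft -le $notifyDays) { $state = 'UserReminderWindow' }
        elseif ($daysLeft -le $renewDays)  { $state = 'RenewalWindow' }
        else                               { $state = 'Valid' }

        [pscustomobject]@{
            Subject  = $_.Subject
            Issuer   = $_.Issuer
            NotAfter = $_.NotAfter
            DaysLeft = $daysLeft
            State    = $state
        }
    } |
    Sort-Object DaysLeft
```

Run it in the affected user's session, since it reads that user's certificate store.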

Upon identifying that a certificate renewal is required, the following steps occur:

  • HYPR Passwordless will request a new certificate for the user

  • During the next login/unlock session using the HYPR Mobile App, the workstation will transfer the new certificate to the HYPR Mobile App through the Control Center

  • The subsequent login/unlock events using the HYPR Mobile App will use the new certificate to establish the login session

Privacy, Please

Certificate renewal requires participating users to be connected to a secure network (VPN, domain-joined, etc.) to function. Don't worry, though - HYPR will remind them if they are not securely connected.

HYPR Passwordless Client Warnings

The user will receive warnings from the system tray when a certificate must be renewed, or if conditions prevent the update.

Lock and Unlock the Computer

The following message displays upon successful certificate renewal:
"Please lock your computer and unlock it with HYPR Mobile App to complete an update."

  1. Click OK.
  2. Lock the computer, then unlock it with the HYPR Mobile App to complete re-enrollment.
  3. Users don't need to do anything else until the next time the certificate must be renewed.

HYPR Account Update Needed

The following message displays if the user is not securely connected:
"Please connect to the company intranet or VPN to renew your HYPR account. If your account expires, you will be unable to log in with your HYPR Mobile App."

  1. Click Remind Me Later to dismiss the message until later.
  2. Click OK to dismiss the message without a reminder.
  3. If you cannot update your account, you may need to contact an admin for assistance before renewing the HYPR Mobile App certificate.

Automatic Account Update Failed

The following message displays when certificate re-enrollment fails:
"There is a problem attempting to renew your HYPR account. It may result in you being unable to log in with your HYPR Mobile App. Please ensure that you're connected to the company's secure network."

  1. Click Remind Me Later to dismiss the message until later.
  2. Click Contact Support to get assistance with your HYPR account.

Environmental Considerations

Certificate Renewal with Roaming Access

Roaming access is not adversely affected by Mobile Certificate Renewal; however, the workstation that performs the certificate renewal will act as the "origin point" for certificate transfers needed to enable roaming access. Notifications may appear wherever the affected user is logged in, but renewal must be performed at the original workstation by which the certificate was introduced to HYPR.

HYPR Versioning Limits

Mobile Certificate Enrollment may not function as expected if the HYPR components involved in the process are not of a version that supports the functionality. Make sure all HYPR components (Control Center, HYPR Passwordless, and the HYPR Mobile App) are on the latest version in your environment.

Troubleshooting

The current certificate is expired but the new certificate is not generated.
This can occur for the following reasons:

  • The user was absent for an extended period of time (e.g., sabbatical)
  • The computer is used rarely (e.g., as a second computer)
  • The computer was not on the corporate network for a while (required to connect to Active Directory)

Nothing can be done to automatically re-enroll in such circumstances, except to notify the user to connect to the corporate network or use a VPN to re-enroll a new certificate.