WLAN certificate renews every month

Franko Heckert
EHG Service GmbH (Ernstings family)

Hey guys,

We are using SOTI MobiControl version 15.5.2.1003. We have the problem that MobiControl sends a new WLAN certificate to the devices every month. With version 14.... it was once a year. Yet we sporadically get the problem that the unit then can't connect with this certificate and we must push it manually to the devices.

Has anyone had the same problem and been able to solve it? Is it possible to increase the certificate renewal time?

Best regards

Franko

2 years ago
SOTI MobiControl
ANSWERS
Simon Breuer
2 years ago

Hi Franko.

I cannot provide a solution, but we have the same problem on SOME of our devices. The certificates are renewed exactly every month.

Since the devices are still working fine, we didn't really care.

But maybe reach out to your Technical Account Manager. We were provided with an updated Stored Procedure for our DB because there was another issue concerning certificates, which is fixed in v15.6, but not in 15.5.2.

Thorsten
2 years ago

Hi Franko,


Have you changed your settings for the auto-renewal? In Global Settings > Services > Certificate Authority you can specify the number of days before the certificate turns invalid within the template. Maybe there was an unnoticed change with the update.

If this is only happening to some devices, I would recommend verifying that device date & time are always correct.

Franko Heckert
2 years ago

Hi Guys,

Thanks for your tips.

Soti

I think you mean these settings? I can only set it to 30 days max... but I think he means the days before the certificate expires. :/

Simon Breuer
2 years ago

Hi Franko, your configuration is correct.

I think my team and I have found the explanation for this behavior. I will post it in the next 1-2 hours, because it's a bit complicated. :)

Simon Breuer
2 years ago

As promised, the possible explanation for the certificate renewal after 30 days. Please be aware, this is my own theory and not confirmed by SOTI. It is based on our own investigation.

- At some point between MC v14 and v15, SOTI changed some DB tables concerning the link between devices and their certificates.
  Before this change, a different table was used than the one used now (let's name them table_old and table_new).

- In v14 every time a certificate is issued to the device, the certificate and the corresponding device are stored in table_old.
- In v15 every time a certificate is issued to the device, the certificate and the corresponding device are stored in table_new.

In v15, both tables (old and new) coexist. Newly issued certificates are now stored in table_new.

At night there is a maintenance job that checks for unused or expired certificates, sums them up and deletes them from the database.

And this is where the problem potentially has its origin:
You can see in the DB there's a Stored Procedure, which checks for these certificates.

Simplified, the SP checks for these certificates:

Older than 30 days
AND (NOT IN table_old OR NOT IN table_new)

The problem with this is: Certificates issued under v15 are NEVER in table_old and therefore are always deleted after 30 days from the DB.


After this nightly maintenance job, the device checks in.
The device still has its certificate (which is no longer present in the SOTI DB).
This seems to cause a renewal from the backend, because there is a mismatch between device state and DB state.
(What exactly happens, I don't know)

This explains why the devices have a new certificate after exactly 30 days.
And let me guess: Look at the old certificate on the SECURITY tab of the device: The old certificate has the flag "RENEW = no"?


So, to sum this up, there is a logical mistake in one of the Stored Procedures in the DB. 
We were provided with a new SP because we had a support case open for another problem. The new SP now has another logic and doesn't refer to the table_old anymore.

The problem is solved in v15.6.1. If you can't upgrade, ask your TAM or SOTI support for help.
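
The predicate described in the post above, as an added example that is not part of the original thread and is not SOTI's stored procedure: it runs the OR form and an assumed AND correction over constructed rows in SQLite. table_old and table_new are the post's placeholder names; the certificate table, its columns and the sample data are hypothetical.

```python
import sqlite3

# Hypothetical schema: table_old / table_new are the placeholder names from the
# post; the column names and all sample rows are constructed for this example.
SCHEMA = """
CREATE TABLE certificate (cert_id INTEGER PRIMARY KEY, age_days INTEGER);
CREATE TABLE table_old (cert_id INTEGER, device_id TEXT);
CREATE TABLE table_new (cert_id INTEGER, device_id TEXT);
INSERT INTO certificate VALUES
  (1, 200),  -- issued under v14, still linked to a device in table_old
  (2, 31),   -- issued under v15, still linked to a device in table_new
  (3, 10),   -- issued under v15, younger than 30 days
  (4, 90);   -- linked in neither table: genuinely unused
INSERT INTO table_old VALUES (1, 'dev-A');
INSERT INTO table_new VALUES (2, 'dev-B'), (3, 'dev-C');
"""

# "Older than 30 days AND (NOT IN table_old <op> NOT IN table_new)"
CLEANUP = """
SELECT cert_id FROM certificate
WHERE age_days > 30
  AND (cert_id NOT IN (SELECT cert_id FROM table_old)
       {op} cert_id NOT IN (SELECT cert_id FROM table_new))
ORDER BY cert_id
"""


def purge_candidates(op):
    """Return the cert_ids the cleanup would delete when the two
    NOT IN checks are joined by op ("OR" as described, "AND" as assumed fix)."""
    if op not in ("OR", "AND"):
        raise ValueError("op must be 'OR' or 'AND'")
    db = sqlite3.connect(":memory:")
    try:
        db.executescript(SCHEMA)
        return [row[0] for row in db.execute(CLEANUP.format(op=op))]
    finally:
        db.close()


if __name__ == "__main__":
    print("as described (OR):", purge_candidates("OR"))
    print("assumed fix (AND):", purge_candidates("AND"))
```

With OR, a certificate older than 30 days survives only if it is linked in both tables at once, so certificates that are still in use get purged; with AND, only the certificate linked in neither table is selected.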

Franko Heckert
2 years ago

Hey Simon,

thanks for the detailed answer. :)

We are trying to upgrade the server to 15.6.1. 

LCRMOD@SOTI
2 years ago

Hi Franko,

Thank you for contacting SOTI Pulse. 

Did the information provided by Simon resolve your issue?

If so, please mark this post as 'solutioned'.

If you have not yet had time to complete the upgrade or have any other queries relating to this issue, please let us know and we will be more than happy to look into the issue.

Regards, 
Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |
