# On-prem agent key management

  1. Workato on-prem agent requires two files to connect to Workato cloud through a gateway:
  • cert.key
  • cert.pem
  1. Download these files when you add a new agent, or from the context menu for an existing agent.

  2. Place the files in the Workato agent conf directory.

The certificates remain valid for 5 years after generation date.

# Renewing agent keys

When your agent keys expire, or are about to expire, follow these instructions to get a new keys:

Certificate support

Workato does not support re-generated certificates. You must create new certificates, and use them to replace the old certificates.


Create a new on-prem agent in the same on-prem group as the original agent.


Complete the steps in the Setup Now wizard for this new on-prem agent.


Download the new key/certificate pair (cert.zip) only.

You don't have to download the new agent installer, unless you also plan to upgrade your agent.


In your existing on-prem agent installation's conf folder, replace the existing cert.pem and cert.key files with the new files.


Run the agent.


Complete the setup wizard by clicking Test.


Ensure your new agent appears as Active.

The existing on-prem agent installation becomes the new agent.

The old on-prem agent record on the on-prem group page is no longer necessary. You can remove it.

Last updated: 3/29/2023, 2:00:59 PM