VMware Tunnel supports rotating your public SSL certificates with zero downtime for end users. Rotating your public SSL certificate, together with the profile grace period, ensures that your end users do not experience a service interruption.

To rotate your public SSL certificates, you must upload a new certificate to the Workspace ONE UEM console. Adding a new certificate enables you to prepare new VPN profiles configured for VMware Tunnel before rotating the certificate on the server.

To prepare the end-user devices for rotation, you must add a new version of the VPN profiles configured for VMware Tunnel. The new profile version contains the new public SSL certificate. Before rotating the server certificate, you must push the new profile version to devices.

When the certificate is close to expiring or is compromised, the UEM console notifies the user, and you can activate the new public SSL certificate to trigger the rotation and maintain the service. After you activate the certificate, the VMware Tunnel server requires clients to have the new certificate to authenticate.