The Two Types of Certificates

It is important to understand that PowerSyncPro utilizes two entirely distinct types of certificates. They serve two different security purposes and are managed in completely different ways:

• Internal Communication Certificates (Console): An internal, application-level certificate used exclusively to sign and encrypt the actual payload data transmitted between the PowerSyncPro Service and the Remote Agents after registration.
• SSL Web Certificates: Your standard web certificate (such as a 3rd-party Let's Encrypt cert or internal PKI) that secures the underlying network transport layer (HTTPS/HTTP2) and must be trusted by the Windows OS of the server hosting the agents.

1. Internal Console Certificates (Sync & Migration Agents)

These application-level certificates are managed entirely within the PowerSyncPro graphical user interface (GUI).

• Validity Period: By default, these certificates are configured to be valid for 12 months, though you can adjust this value during creation to meet your specific business requirements.
• Renewal: Because they are managed in the console, you can easily renew them straight from the GUI. Simply navigate to Remote Agents > Certificates, click + Create Certificate, specify your agent type (Sync or Migration), and save the new active certificate.

2a. SSL Web Certificates (IIS & Kestrel)

Unlike the internal console certificates, your SSL Web Certificates are configured at the server OS level. If you manually update or replace your SSL certificate, it must be applied in two specific places:

• The Reverse Proxy (IIS): If you are utilizing IIS to proxy traffic on port 443, the new SSL certificate must be updated in your standard IIS Manager bindings.
• The Kestrel Backend (Port 5001): PowerSyncPro's core gRPC service runs on a Kestrel backend, which defaults to TCP Port 5001. To update this, you must edit the appsettings.json file (typically located in the C:\Program Files\PowerSyncPro installation directory) to match the Subject name of the new certificate, and then restart the PowerSyncPro Service.

2b. Automated Renewals & Certificate Scripts

If your PowerSyncPro server was deployed utilizing the PowerSyncPro Automated Installation Script or the Azure Marketplace Image , SSL certificate management and renewals are heavily streamlined through built-in scripts installed during the installation process:

• Provided Certificates (BYOC / PFX): If you supplied your own .pfx certificate during deployment, you can quickly renew and apply updates by executing the dedicated local script located at: C:\Scripts\Cert-Renewer.ps1. This script automatically imports the new certificate, sets the required permissions, updates the IIS bindings, modifies your appsettings.json, and restarts the service.
• Let's Encrypt (Automated): If you opted to use Let's Encrypt during the initial setup, a Scheduled Task was automatically installed alongside the certificate. This task actively runs every 7 days to check the expiration status. If it detects the certificate is nearing expiration, it automatically executes C:\Scripts\Cert-Puller_PoshACME.ps1 to fire off a renewal request, fetch the new certificate, and seamlessly install it for you.