Certificate migration and coexistence in QZ Tray

10 views
Skip to first unread message

mateo.c...@byroncode.com

unread,
Jul 9, 2025, 9:53:24 AMJul 9
to Qz print

Hello QZ Tray team,

I'm reaching out to request your assistance with a certificate migration process. We need to operate with both the current and the new certificate simultaneously, until the migration is complete across all of our clients.

Current scenario:

  • Old certificate: currently configured and working in production. It will expire on the 30th of this month.

  • New certificate: generated and loaded via the Site Manager.

  • Behavior observed: when we load the new certificate through the Site Manager, it overwrites the override.crt file, which previously contained the old certificate. Once the application is restarted:

    • Only the new certificate works.

    • The old certificate stops working, and browser modals appear prompting the user to accept the new certificate again.

Our requirement:

  • Keep both certificates active during the transition, without service interruption.

  • Continue signing messages with the old certificate while we deploy and validate the new credentials (private key in the backend and certificate in the frontend).

Specific questions:

  1. Is it possible to configure QZ Tray to accept two certificates simultaneously (a "dual-cert" mode or similar)?

  2. Does QZ Tray support coexistence of both certificates in production without overwriting the previous one?

  3. Are there any best practices for handling this type of migration without manually replacing files in the QZ Tray application directory?

  4. If this feature is not currently supported, is there any workaround or configuration you recommend to avoid downtime during the transition?

We’d greatly appreciate any guidance or suggestions to ensure a smooth and interruption-free migration. Please let us know if you need additional logs or technical details.

Best regards,

Mateo

Tres Finocchiaro

unread,
Jul 9, 2025, 12:10:27 PMJul 9
to mateo.c...@byroncode.com, Qz print
Mateo,

Premium Support Path:

As long as "Strict certificate mode" is NOT enabled (your screenshots suggests that it's not), you should be able to obtain a "trusted certificate" from QZ Tray's Premium Support package and replace it on your back-end with minimal interruption (initial dialog will show, with an option to "Remember this decision").

Self-Signed Path:

With regards to multiple, simultaneous "self-signed" certificates, we support this through the qz-tray.properties property "authcert.override".

authcert.override=/path/to/override1.crt;/path/to/override2.crt

Note at time of writing this, we now offer "self-signed" certificate support via our Company Branded tier for easier transitioning, but this would require a reinstall of QZ Tray prior to expiration period.

If you choose to go the Premium Support or Company Branded path, please remove qz-print mailing list from copy.

Best of regards,

-Tres

Reply all
Reply to author
Forward
0 new messages