Workato OPA — Certificate Renewal (Linux)

Step 1 — Create a new agent in Workato

In the Workato UI, add a new on-prem agent to the same on-prem group as the existing agent. You don't need to download a new installer. Save the Activation Code shown during setup — you'll need it later.

⚠️ : Unimarket will perform this task unless you have setup a Workspace Collaborator with access to your Workato Test and Prod environments by the Unimarket team. 

Step 2 — Stop the agent service

sudo systemctl stop workato-agent

Confirm the service name with systemctl list-units | grep workato if you're unsure.

Step 3 — Switch to the workato user

sudo su - workato

If your system uses a different method:

sudo -i -u workato

⚠️ Important: All commands in Steps 4 and 5 that interact with the workato-agent directory must be run as the workato user. The directory and its contents are owned by this user, and running these commands as any other user will result in permission errors.

Step 4 — Navigate to the conf directory and remove the expired certs

cd /opt/workato-agent/conf

Adjust the path if your install location differs — common alternatives are /usr/local/workato-agent or /home/workato/workato-agent.

rm cert.pem cert.key

Step 5 — Navigate to the bin directory and run the activation script

cd /opt/workato-agent/bin

./activate --code=YOUR_ACTIVATION_CODE

Replace YOUR_ACTIVATION_CODE with the code saved in Step 1. This will generate new cert.key and cert.pem files in the conf folder.

If you're behind a proxy, run ./activate --help first to see the additional proxy parameters required.

⚠️ : Unimarket will provide the new cert activation script from Workato unless you have setup a Workspace Collaborator with access to your Workato Test and Prod environments by the Unimarket team. 

Step 6 — Restart the agent service

# Exit back to your admin user first
exit

# Restart the service
sudo systemctl restart workato-agent

Step 7 — Verify in Workato

1. Go back to the Workato UI and click Test on the new agent.
2. Confirm the agent shows as Active, then click Done.

3. Optionally, go to the old agent's Version column → ... → Delete agent to clean it up.

   ⚠️ : Unimarket will perform this task unless you have setup a Workspace Collaborator with access to your Workato Test and Prod environments by the Unimarket team. 

A few things to double-check on your specific install:

• Confirm your actual install path with find /opt /usr/local /home -name "activate" 2>/dev/null if you're unsure.
• The new cert is valid for 1 year from the generation date.
• Unimarket has a OPA Cert monitoring job in Workato that will trigger a support ticket to alert the customers and Unimarket support 30 and 15 days prior to the certificate needing to be renewed.