How To Verify ARM Agent Certificate Expiration Date and Renewed Date

Step 1. Identify the password for the certificate file

The actual expiration date and renewed date is written in ARM Agent certificate (mule-agent.jks) file.
Identify the password for your ARM Agent certificate (mule-agent.jks) from "{MULE_HOME}/conf/mule-agent.yml" located under the field "keyStorePassword". In the example below, the password is "70a3b804-xxx-xxx-xxx-xxx".

Example)

$ cat mule-agent.yml
---
transports:
  rest.agent.transport:
    enabled: false
  websocket.transport:
    enabled: true
    consoleUri: wss://runtime-manager.anypoint.mulesoft.com:443/mule
    handshake:
      enabled: true
      body:
globalConfiguration:
  security:
    keyStorePassword: "70a3b804-xxx-xxx-xxx-xxx"
    keyStoreAlias: agent
    keyStoreAliasPassword: "70a3b804-xxx-xxx-xxx-xxx"
  authenticationProxy:
    endpoint: https://data-authenticator.anypoint.mulesoft.com
  metricIngestion:
    endpoint: null

--------------------
Note)

Under the {MULE_HOME}/conf directory, you may see a backup file such as "mule-agent.jks.yyyy-mm-dd_hh-mi-ss".

In the example below, "mule-agent.jks.2025-07-09_12-03-22" is the auto-generated backup of the previous certificate before the renewal.

If no backup file exists, the renewal process has not been executed. It is not an issue if your Agent certificate is fresh enough.

Example)

$ ls -l mule-agent.jks*
-rw------- 1 ytaokaonm ytaokaonm 2317 Mar 17 12:59 mule-agent.jks
-rw------- 1 ytaokaonm ytaokaonm 2315 Jul  9  2025 mule-agent.jks.2025-07-09_12-03-22

--------------------

Step 2. Verify the expiration date and renewed date

Open the mule-agent.jks file using the password and verify the expiration date and renewed date. You can use tools such as "keytool" or "KeyStore Explorer". Check the "Valid from" and "until" values in the output. 

In this example, it is "Valid from: Tue Mar 17 12:59:33 AEDT 2026 until: Fri Mar 17 12:59:33 AEDT 2028". This indicates:

• The certificate was renewed(or newly created) at "Valid from: Tue Mar 17 12:59:33 AEDT 2026"
  
• Expiration Date is "until: Fri Mar 17 12:59:33 AEDT 2028"

Example)

$ keytool -list -v -keystore ./mule-agent.jks -storepass "70a3b804-xxx-xxx-xxx-xxx"
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: agent
Creation date: Mar 17, 2026
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=56409767, OU=169290, O=Hybrid, C=US
Issuer: CN=Mulesoft, OU=Mulesoft, O=Mulesoft, L=San Francisco, ST=CA, C=US
Serial number: 19cf985132c
Valid from: Tue Mar 17 12:59:33 AEDT 2026 until: Fri Mar 17 12:59:33 AEDT 2028
Certificate fingerprints:
	 SHA1: C6:63:43:E2:91:DC:CF:6D:AC:AC:C6:E5:47:1C:C4:67:3C:EE:4A:58
	 SHA256: 2C:EB:BF:78:B3:B9:C3:02:80:C9:AA:6D:08:45:0C:88:5E:71:CB:90:2F:6C:82:A3:37:9F:A9:7F:50:B5:B0:ED
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: rootOrg=1ccaf589-c817-496d-a289-03775f32b71a
  DNSName: org=1ccaf589-c817-496d-a289-03775f32b71a
  DNSName: env=62ac4caf-fcbe-437f-b1a2-76cb5f00daa8
]
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ./mule-agent.jks -destkeystore ./mule-agent.jks -deststoretype pkcs12".

Step 3. Ensure your Mule Runtime is using the renewed certificate

After confirming the renewed (or created) date, verify that the Mule Runtime instance was restarted subsequent to that renewed date. 
This step is required to load the renewed certificate from the file into the Mule Runtime's memory.