Hear from Salesforce leaders on how to create and deploy Agentforce agents.
Register now
Contact Us 1-800-596-4880
  1. Homepage
  2. Flex Gateway
  3. Upgrading and Maintaining Flex Gateway

  4. Renew Flex Gateway Registration

Renew Self-Managed Flex Gateway Registration

Anypoint Flex Gateway uses a managed PKI certificate to communicate with Anypoint Platform. This certificate is generated when you register Flex Gateway in either Connected Mode or Local Mode. Updating the certificate ensures the continued operation of your applications.

You update a certificate by renewing registration via the flexctl registration renew command.

  • The renew command renews an existing Flex Gateway registration with Runtime Manager.

  • For authentication, you run the renew command with either user credentials or with connected app credentials. Authentication with user credentials requires the --username and --password flags. Authentication with connected app credentials requires the --client-id and --client-secret flags.

You verify the renewal process via the flexctl registration inspect command.

  • The inspect command extracts registration information you can use to verify whether the renew command was successful.

  • You can also use the inspect command to first determine if renewing registration is actually required. The inspect command returns the certificate expiration date.

  • You can verify (inspect) renewal by using the default method, or you can specify your existing registration file. If you run the inspect command without flags, the command inspects registration status by using the default method.

To avoid disruptions:

  1. Download the latest version of Flex Gateway.

  2. Renew your Flex Gateway registration.

    Choose one of two methods:

  3. Verify the success of the renewal process.

    Choose one of two methods:

Before You Begin

To invoke the registration renewal flexctl command, download the latest version of Flex Gateway. You don’t need to register and run this version of the gateway.

Renew Registration with Anypoint Platform User Credentials

  1. Create a new directory called flex-renew-registration (or similar). You run the renew command in this new directory. The command creates a new registration file.

    Registration renewal fails if the renew command is run in a directory containing an existing registration file.

  2. Use the following command:

    flexctl registration renew --username=<your-username> --password=<your-password> \
 <path-to-registration-file>
    ssh

    Replace <your-username> and <your-password> with Anypoint Platform user credentials.

    Replace <path-to-registration-file> with the path and filename of the existing registration.yaml file.

    Use sudo if you encounter file permission issues when running this command.

    Disable MFA for your Anypoint Platform account prior to running the renew command with user credentials.

  3. Run the command.

    The output should include the message:

    Registration renewal completed
    text

  4. Copy the newly created registration file to the runtime registration file location. For example:

    /usr/local/share/mulesoft/flex-gateway/conf.d/registration.yaml

  5. Restart the Flex Gateway replica if one is already running.

Renew Registration with Connected App Credentials

  1. If you don’t have a username or password for Anypoint Platform, you can configure a connected app via Anypoint Access Management.

    1. Include the following scopes:

      • Read Servers

      • Manage Servers

      • View Organization

    2. Save the Id and Secret of the connected app you configure, then use these credentials in the renew command.

  2. Create a new directory called flex-renew-registration (or similar). You run the renew command in this new directory. The command creates a new registration file.

    Registration renewal fails if the renew command is run in a directory containing an existing registration file.

  3. Use the following command:

    flexctl registration renew --client-id=<your-client-id> --client-secret=<your-client-secret> \
 <path-to-registration-file>
    ssh

    Replace <your-client-id> and <your-client-secret> with the connected app credentials.

    Replace <path-to-registration-file> with the path and filename of the existing registration.yaml file.

    Use sudo if you encounter file permission issues when running this command.

  4. Run the command.

    The output should include the message:

    Registration renewal completed
    text

  5. Copy the newly created registration file to the runtime registration file location. For example:

    /usr/local/share/mulesoft/flex-gateway/conf.d/registration.yaml

  6. Restart the Flex Gateway replica if one is already running.

Verify Registration Status with the Default Method

To inspect a registration, run the following command:

flexctl registration inspect
ssh

Use sudo if you encounter file permission issues when running this command.

The output should include the date of certificate expiration. For example:

{“expiration_date”: “2025-09-25 19:27:32 +0000 UTC”}
text

Verify Registration Status with a Registration File

You can inspect a registration by extracting the information from your registration.yaml file. Specify the path and filename.

To inspect a registration, run the following command:

flexctl registration inspect --file=<path-to-registration-file>
ssh

Use sudo if you encounter file permission issues when running this command.

The output should include the date of certificate expiration:

{“expiration_date”: “2025-09-25 19:27:32 +0000 UTC”}
text

As an example, if your current directory contains the registration file, run the following command:

docker run --entrypoint flexctl \
-v "$(pwd)":/registration \
-u $UID mulesoft/flex-gateway \
registration inspect --file=/registration/registration.yaml
ssh

Renew Registration for Flex Gateway Running in Kubernetes

The following example describes a scenario where Flex Gateway is installed in a gateway namespace with an ingress release name, and where registration is stored in the Kubernetes database.

  1. Recover the registration.yaml file with the following kubectl command:

    kubectl -n gateway get secret "$(kubectl -n gateway get deployment ingress -o=jsonpath='{.spec.template.spec.volumes[?(@.name=="registration")].secret.secretName}')" -o=jsonpath='{.data.registration\.yaml}' | base64 --decode > registration.yaml
    ssh

    The command stores the registration file in ./registration.yaml.

  2. Run the flexctl registration renew command, as described for Docker in previous sections:

  3. Upgrade Flex Gateway with the following helm command:

    helm get values -n gateway ingress > values.yaml \
&& helm upgrade -n gateway ingress flex-gateway/flex-gateway --wait -f values.yaml --set-file registration.content=new/registration.yaml
    ssh

Get Help with the Renewal and Verification Commands

You can run the following help commands for information about usage:

  • Renewal

    flexctl registration renew --help
    ssh

    Use sudo if you encounter file permission issues when running this command.

  • Verification

    flexctl registration inspect --help
    ssh

    Use sudo if you encounter file permission issues when running this command.

Renew an Expired Registration

Attempting to run Flex Gateway with an expired certificate in Connected Mode results in the following:

  • New replicas fail to download API configurations from Anypoint Platform, thereby becoming unusable. Existing clusters fail to reload.

  • Logs and metrics fail to upload to Anypoint Platform. Troubleshooting using Anypoint Platform is not possible.

  • Metering information fails to upload to Anypoint Platform. MuleSoft is unable to collect or report usage metrics.

Attempting to run Flex Gateway with an expired certificate in Local Mode results in the following:

  • Metering information fails to upload to Anypoint Platform. MuleSoft is unable to collect or report usage metrics.

If a certificate expires, you can still invoke flexctl registration renew, which updates the expired certificate.

See Also