Create an SSL certificate

The IBM RPA server requires a TLS/SSL certificate containing an RSA key. The certificate is used to sign the HTTPS connection between the server and the client.

You must issue the certificate to the same server and port on which you install and configure the IBM RPA platform. For that, you might use a self-signed certificate or a certificate that is signed by a Certificate Authority (CA).

Self-signed or otherwise untrusted certificates might cause your browser to display a "Not trusted" message, in which case you must add the IBM RPA-related URLs to the browser's exceptions. For more information, see Browser displays connection untrusted error for Google Chrome, and What do the security warning codes mean? for Mozilla Firefox.

Important: Some browsers return the ERR_CERT_COMMON_NAME_INVALID error because they no longer match the host name against the common name (CN) in the certificate. In this case, generate the self-signed certificate with a subject alternative name (SAN). For more information, see ERR_CERT_COMMON_NAME_INVALID when you browse to the IBM RPA Control Center or other related URLs.

Before you begin

  • Ensure that you meet all the hardware, system, and network requirements that are described in Prerequisites to install the server.
  • Certificates that are signed by a CA require you to have a Fully Qualified Domain Name (FQDN) registered. You can register a domain in IBM® Cloud®, or in any other domain registration service.

About this task

The following procedures show how to order or generate a TLS/SSL certificate for the IBM RPA server. If your organization already owns a TLS/SSL certificate, skip this step and during the installation select your organization's certificate. Otherwise, choose one of the following methods to order or generate a certificate:

  • Ordering a CA-signed certificate
    If you plan to deploy your server into a public cloud or infrastructure, you must use a CA-signed certificate. This procedure shows how to create a Certificate Signing Request (CSR) to submit to a CA. Contact your CA of choice to submit the CSR.

  • Generate a self-signed certificate
    Recommended for testing environments and in cases where you need to set up the server while you wait for a CA-signed certificate.

Ordering a CA-signed certificate

To order a TLS/SSL certificate signed by a Certificate Authority (CA), you must own a Fully Qualified Domain Name (FQDN) and generate a Certificate Signing Request (CSR). The CA then signs the request and provides you with a valid TLS/SSL certificate.

The following procedures show how you can create the CSR file to submit to a Certificate Authority (CA), either with OpenSSL or with Internet Information Services (IIS) Manager:

  1. OpenSSL
  2. Internet Information Services (IIS) Manager

OpenSSL

  1. Download and install OpenSSL.

  2. Generate a CSR for your server.

    openssl req -newkey rsa:2048 -nodes -keyout keyname.key -out request.csr -subj "/C=<COUNTRY>/ST=<STATE>/L=<CITY>/O=<ORGANIZATION> Corporation/CN=<HOSTNAME>"
    

    Where:

    • <COUNTRY>
      Name of the country where your organization is located.
    • <STATE>
      State where your organization is located.
    • <CITY>
      City of your organization.
    • <ORGANIZATION>
      The name of your organization.
    • <HOSTNAME>
      The Fully Qualified Domain Name (FQDN) of the website to be certified.
  3. Check the contents of the generated CSR.

    openssl req -text -noout -verify -in request.csr
    
  4. Once the request.csr file is created, submit it to your Certificate Authority (CA).

Internet Information Services (IIS) Manager

  1. Open the Windows Start menu, search for Internet Information Services (IIS) Manager and open it.

  2. In the Connections left-side menu, select your server instance.

  3. Under the IIS category, click Server Certificates.

    IIS main screen

  4. In Actions, in the right-side menu, click Create Certificate Request….

    IIS Server Certificates screen

  5. In the Request Certificate window, complete the Distinguished Name Properties form with the following information:

    • Common Name: The fully qualified domain name to bind the certificate, for example, www.example.com.
    • Organization: The legal name of your company or organization.
    • City/locality: The city where your company is located.
    • State/province: The state where your company is located.
    • Country/region: The two-character abbreviation for your country.
  6. In the Cryptographic Service Provider Properties form, define the CSR cryptography, and click Next:

    • From the Cryptographic service provider list, select Microsoft RSA SChannel Cryptographic Provider.
    • From the Bit length list, select 2048.
  7. In the File Name form, enter a name for the CSR file, and click Finish.

  8. After IIS Manager creates the CSR file, submit it to your Certificate Authority (CA).

What to do next

After you receive the TLS/SSL certificate signed by a Certificate Authority (CA), you can install it in the Windows™ Certificate Store.

Generate a self-signed certificate

Self-signed certificates are recommended for testing environments and in cases where you need to set up the server while you wait for a CA-signed certificate.

The following procedures show how you can generate a self-signed certificate either with OpenSSL or with the Internet Information Services (IIS) Manager:

  1. OpenSSL
  2. Internet Information Services (IIS) Manager

OpenSSL

  1. Download and install OpenSSL.

  2. Once installed, run the OpenSSL command prompt. Type openssl to start the application.

    OpenSSL in command prompt

  3. To generate a new RSA private key, enter the command:

    genrsa -out {path_to_pem_file} 2048
    

    {path_to_pem_file} is the absolute path where the PEM file is generated. Example: C:\Users\user\keyfile.pem.

  4. To derive the public key from the private key, enter the following command:

    rsa -pubout -in {path_private_pem} -out {path_public_pem}
    

    Where:

    {path_private_pem} is the path to the private key PEM file. Example: C:\Users\user\privatekeyfile.pem.

    {path_public_pem} is the path where the public key is generated. Example: C:\Users\user\keyfile.pem.

  5. Enter the following command:

    req -x509 -sha256 -newkey rsa:2048 -keyout keyname.key -out certificatename.crt -days 365
    

    Where keyname.key is the generated key file and certificatename.crt is the generated certificate file.

    This command creates a 2048-bit RSA key and an X.509 certificate signed with SHA-256 that is valid for 365 days.

    You must add a password to protect the key file.

    OpenSSL generating a key

  6. The application then asks for the subject information that is embedded in the certificate (country, organization, common name, and so on). Because the certificate is self-signed, the subject is also the issuer:

    Generating certificate

  7. Provide the required information, and press Enter to finish.

  8. Then, enter the following command:

    pkcs12 -export -in C:\path\to\certificatename.crt -inkey C:\path\to\keyname.key -out C:\path\to\newpkcs12.pfx
    

    Where C:\path\to\certificatename.crt is the path to the certificate file, C:\path\to\keyname.key is the path to the private key file, and C:\path\to\newpkcs12.pfx is the path to the PKCS#12 file that you want to create.

  9. Install the certificate in the Windows™ Certificate Store.
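
The following script is an added example, not part of the IBM RPA documentation. It ties together the OpenSSL CSR and self-signed procedures above and the SAN requirement from the Important note: it creates the key, a CSR with a subjectAltName, a self-signed certificate with the same SAN, and a PKCS#12 bundle, then checks the SAN, the key/certificate match and the bundle password. It assumes OpenSSL 1.1.1 or later on the PATH (for -addext); the host name rpa.example.test, the subject fields and the export password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the IBM RPA documentation: key, CSR and
# self-signed certificate for the RPA server host, each carrying a
# subjectAltName (SAN), followed by the checks an operator would run.
# Assumes OpenSSL 1.1.1+ on the PATH (for -addext); the host name, subject
# fields and the PKCS#12 password are constructed placeholders.
set -eu

PFX_PASS="changeit-example"   # placeholder; never hard-code a real export password

# make_rpa_cert HOST OUTDIR -> HOST.key, HOST.csr, HOST.crt, HOST.pfx in OUTDIR
make_rpa_cert() {
  host="$1"; out="$2"; mkdir -p "$out"
  subj="/C=US/ST=NY/L=Armonk/O=Example Org/CN=$host"
  # 1. Self-signed certificate (testing, or while waiting for the CA). -addext
  #    puts the host into the SAN, which browsers match instead of the CN.
  openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$out/$host.key" -out "$out/$host.crt" \
    -subj "$subj" -addext "subjectAltName=DNS:$host" 2>/dev/null
  # 2. CSR for the CA, reusing the same key so the issued cert will match it.
  openssl req -new -key "$out/$host.key" -out "$out/$host.csr" \
    -subj "$subj" -addext "subjectAltName=DNS:$host" 2>/dev/null
  # 3. PKCS#12 bundle (cert + key) for import into the Windows certificate store.
  openssl pkcs12 -export -in "$out/$host.crt" -inkey "$out/$host.key" \
    -out "$out/$host.pfx" -passout "pass:$PFX_PASS"
}

# cert_san CRT -> the DNS names in the certificate's SAN, one per line
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# csr_san CSR -> the DNS names requested in the CSR's SAN, one per line
csr_san() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# key_matches_cert KEY CRT -> exit 0 if the key's public half is the one in the cert
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# pfx_valid PFX -> exit 0 if the bundle opens with the export password
pfx_valid() {
  openssl pkcs12 -in "$1" -noout -passin "pass:$PFX_PASS" 2>/dev/null
}
```

Run the checks against the files you intend to install; a certificate whose cert_san output does not list the exact host name in the IBM RPA URLs is the one that produces ERR_CERT_COMMON_NAME_INVALID.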

Internet Information Services (IIS) Manager

  1. Open the Windows Start menu, search for Internet Information Services (IIS) Manager and open it.

  2. In the Connections left-side menu, select your server instance.

  3. Under the IIS category, click Server Certificates.

    IIS main screen

  4. In Actions, in the right-side menu, click Create Self-Signed Certificate.

    IIS Server Certificates screen

  5. Enter a name for your certificate, and select Personal as the certificate store.

    Creating a self-signed certificate

  6. Click OK to create your certificate.