Create an SSL certificate
The IBM RPA server requires a TLS/SSL certificate that contains an RSA key. The certificate secures the HTTPS connection between the server and the client.
You must issue the certificate to the same server and port on which you install and configure the IBM RPA platform. For that, you can use either a self-signed certificate or a certificate that is signed by a Certificate Authority (CA).
Self-signed or otherwise untrusted certificates might cause your browser to display a "Not trusted" message, in which case you must add the IBM RPA-related URLs to the browser's exceptions. For more information, see "Browser displays connection untrusted error" for Google Chrome, and "What do the security warning codes mean?" for Mozilla Firefox.
Browsers might also display the ERR_CERT_COMMON_NAME_INVALID error when the host name in the URL does not match the common name in the certificate. In this case, generate the self-signed certificate with a subject alternative name (SAN). For more information, see "ERR_CERT_COMMON_NAME_INVALID when you browse to the IBM RPA Control Center or other related URLs".
Before you begin
- Ensure that you meet all the hardware, system, and network requirements that are described in Prerequisites to install the server.
- Certificates that are signed by a CA require you to have a Fully Qualified Domain Name (FQDN) registered. You can register a domain in IBM® Cloud®, or in any other domain registration service.
About this task
The following procedures show how to order or generate a TLS/SSL certificate for the IBM RPA server. If your organization already owns a TLS/SSL certificate, skip this step and select your organization's certificate during the installation. Otherwise, choose one of the following methods to order or generate a certificate:
- Ordering a CA-signed certificate: If you plan to deploy your server into a public cloud or infrastructure, you must use a CA-signed certificate. This procedure shows how to create a Certificate Signing Request (CSR) to submit to a CA. Contact your CA of choice to submit the CSR.
- Generate a self-signed certificate: Recommended for testing environments and in cases where you need to set up the server while you wait for a CA-signed certificate.
Ordering a CA-signed certificate
To order a TLS/SSL certificate signed by a Certificate Authority (CA), you must own a Fully Qualified Domain Name (FQDN) and generate a Certificate Signing Request (CSR). The CA signs the request and provides you with a valid TLS/SSL certificate.
The following procedures show how you can create the CSR file to submit to a Certificate Authority (CA), either with OpenSSL or with Internet Information Services (IIS) Manager:
OpenSSL
- Download and install OpenSSL.
- Generate the CSR for your server:
  openssl req -newkey rsa:2048 -nodes -keyout keyname.key -out request.csr -subj "/C=<COUNTRY>/ST=<STATE>/L=<CITY>/O=<ORGANIZATION> Corporation/CN=<HOSTNAME>"
  Where:
  <COUNTRY>: Country where your organization is located (the two-letter country code).
  <STATE>: State where your organization is located.
  <CITY>: City of your organization.
  <ORGANIZATION>: The name of your organization.
  <HOSTNAME>: The Fully Qualified Domain Name (FQDN) of the website to be certified.
- Check the contents of the generated CSR:
  openssl req -text -noout -verify -in request.csr
- After the request.csr file is created, submit it to your Certificate Authority (CA).
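As an added example (not from the IBM RPA documentation), the following POSIX shell script runs the OpenSSL CSR steps above non-interactively and adds a subject alternative name (SAN) so that the request names the server's FQDN in both the common name and the SAN, then verifies the CSR with the same command the procedure uses. The FQDN, distinguished-name values and working directory are placeholders, and the script assumes OpenSSL 1.1.1 or later for the -addext option.

```shell
#!/bin/sh
# Added example, not from the IBM RPA documentation: run the OpenSSL CSR steps
# above non-interactively, adding a subject alternative name (SAN) so that the
# request names the server's FQDN in both CN and SAN, then verify the CSR.
# FQDN, distinguished-name values and paths are placeholders; needs OpenSSL
# 1.1.1 or later for -addext.
set -eu

HOSTNAME_FQDN="rpa-server.example.com"   # placeholder FQDN
WORKDIR="${TMPDIR:-/tmp}/rpa-csr-example"

# Generate a 2048-bit RSA key (keyname.key) and a CSR (request.csr) for the FQDN.
make_csr() {
  mkdir -p "$WORKDIR"
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/keyname.key" -out "$WORKDIR/request.csr" \
    -subj "/C=US/ST=Texas/L=Austin/O=Example Corporation/CN=$HOSTNAME_FQDN" \
    -addext "subjectAltName=DNS:$HOSTNAME_FQDN" 2>/dev/null
}

# Return 0 only if the CSR's self-signature verifies, the key is 2048-bit RSA
# (the IBM RPA server requires an RSA key) and the SAN lists the FQDN.
# The checks read the same "openssl req -text -verify" output the page uses.
check_csr() {
  text=$(openssl req -text -noout -verify -in "$WORKDIR/request.csr" 2>&1) \
    || { echo "CSR signature did not verify"; return 1; }
  case "$text" in
    *"Public Key Algorithm: rsaEncryption"*) ;;
    *) echo "key is not RSA"; return 1 ;;
  esac
  case "$text" in
    *"(2048 bit)"*) ;;
    *) echo "key is not 2048-bit"; return 1 ;;
  esac
  case "$text" in
    *"DNS:$HOSTNAME_FQDN"*) ;;
    *) echo "SAN does not list $HOSTNAME_FQDN"; return 1 ;;
  esac
  echo "CSR OK for $HOSTNAME_FQDN"
}

make_csr
check_csr
```

Submit the resulting request.csr to your CA; keep keyname.key private, because the signed certificate is useless without it.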
Internet Information Services (IIS) Manager
- Open the Windows Start menu, search for Internet Information Services (IIS) Manager, and open it.
- In the Connections menu on the left, select your server instance.
- Under the IIS category, click Server Certificates.
- In the Actions menu on the right, click Create Certificate Request….
- In the Request Certificate window, complete the Distinguished Name Properties form with the following information:
  - Common Name: The fully qualified domain name to bind the certificate to, for example, www.example.com.
  - Organization: The legal name of your company or organization.
  - City/locality: The city where your company is located.
  - State/province: The state where your company is located.
  - Country/region: The two-character abbreviation for your country.
- In the Cryptographic Service Provider Properties form, define the CSR cryptography, and click Next:
  - From the Cryptographic service provider list, select Microsoft RSA SChannel Cryptographic Provider.
  - From the Bit length list, select 2048.
- In the File Name form, enter a name for the CSR file, and click Finish.
- After IIS creates the CSR file, submit it to your Certificate Authority (CA).
What to do next
After you receive the TLS/SSL certificate signed by a Certificate Authority (CA), you can install it in the Windows™ Certificate Store.
Generate a self-signed certificate
Self-signed certificates are recommended for testing environments and in cases where you need to set up the server while you wait for a CA-signed certificate.
The following procedures show how you can generate a self-signed certificate either with OpenSSL or with the Internet Information Services (IIS) Manager:
OpenSSL
- Download and install OpenSSL.
- Once installed, run the OpenSSL command prompt. Type openssl to start the application.
- To generate a new RSA private key, enter the command:
  genrsa -out {path_to_pem_file} 2048
  Where {path_to_pem_file} is the absolute path where the PEM file is generated. Example: C:\Users\user\keyfile.pem
- To generate the public key, enter the following command:
  rsa -pubout -in {path_private_pem} -out {path_public_pem}
  Where:
  {path_private_pem} is the path to the private key PEM file. Example: C:\Users\user\privatekeyfile.pem
  {path_public_pem} is the path where the public key is generated. Example: C:\Users\user\keyfile.pem
- Enter the following command:
  req -x509 -sha256 -newkey rsa:2048 -keyout keyname.key -out certificatename.crt -days 365
  Where keyname.key is the generated key file and certificatename.crt is the generated certificate file. This command creates a 2048-bit RSA key and an X.509 certificate signed with SHA-256 that is valid for 365 days.
  OpenSSL prompts you for a password that protects the key file; you must provide one.
- OpenSSL then prompts for the identifying information of the entity that signs the certificate, which for a self-signed certificate is your own server. Provide the required information, and press Enter after each prompt to finish.
- Then, enter the following command:
  pkcs12 -export -in C:\path\to\certificatename.crt -inkey C:\path\to\keyname.key -out C:\path\to\newpkcs12.pfx
  Where C:\path\to\certificatename.crt is the path to the certificate file, C:\path\to\keyname.key is the path to the private key file, and C:\path\to\newpkcs12.pfx is the path to the PKCS#12 file that you want to create.
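As an added example (not from the IBM RPA documentation), the following POSIX shell script performs the self-signed procedure above in one pass and, because of the ERR_CERT_COMMON_NAME_INVALID note earlier on this page, puts the server's FQDN into a subject alternative name (SAN); it then checks that the certificate is self-signed, carries an RSA key and names the host in its SAN before exporting certificate and key to a PKCS#12 file. The host name, paths and export password are placeholders, and the script assumes OpenSSL 1.1.1 or later for the -addext and -ext options.

```shell
#!/bin/sh
# Added example, not from the IBM RPA documentation: build a self-signed
# certificate with a subject alternative name (SAN), check that it is
# self-signed, uses an RSA key and names the host in its SAN, then bundle it
# with its key into a PKCS#12 file. Host name, paths and the export password
# are placeholders; needs OpenSSL 1.1.1+ for -addext and -ext.
set -eu

HOSTNAME_FQDN="rpa-server.example.com"        # placeholder FQDN
WORKDIR="${TMPDIR:-/tmp}/rpa-selfsigned-example"
PFX_PASSWORD="change-me"                      # placeholder export password

# -newkey creates the 2048-bit RSA key and the certificate in one step; -nodes
# leaves the key unencrypted so the script runs non-interactively (drop it to be
# prompted for the key password, as the procedure above describes).
make_self_signed() {
  mkdir -p "$WORKDIR"
  openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/keyname.key" -out "$WORKDIR/certificatename.crt" \
    -subj "/C=US/ST=Texas/L=Austin/O=Example Corporation/CN=$HOSTNAME_FQDN" \
    -addext "subjectAltName=DNS:$HOSTNAME_FQDN" 2>/dev/null
}

# Return 0 only if issuer and subject are the same entity (self-signed), the key
# is RSA, and the SAN names the FQDN; a host name that is not in the SAN is what
# triggers the ERR_CERT_COMMON_NAME_INVALID error mentioned on this page.
check_cert() {
  crt="$WORKDIR/certificatename.crt"
  [ "$(openssl x509 -in "$crt" -noout -subject_hash)" = \
    "$(openssl x509 -in "$crt" -noout -issuer_hash)" ] \
    || { echo "certificate is not self-signed"; return 1; }
  openssl x509 -in "$crt" -noout -text | grep -q "Public Key Algorithm: rsaEncryption" \
    || { echo "key is not RSA"; return 1; }
  openssl x509 -in "$crt" -noout -ext subjectAltName | grep -q "DNS:$HOSTNAME_FQDN" \
    || { echo "SAN does not list $HOSTNAME_FQDN"; return 1; }
  echo "certificate OK for $HOSTNAME_FQDN"
}

# Export certificate plus private key to newpkcs12.pfx, then confirm the bundle
# opens with the export password (prints "pfx OK").
export_pfx() {
  openssl pkcs12 -export -in "$WORKDIR/certificatename.crt" \
    -inkey "$WORKDIR/keyname.key" -out "$WORKDIR/newpkcs12.pfx" \
    -passout "pass:$PFX_PASSWORD"
  openssl pkcs12 -in "$WORKDIR/newpkcs12.pfx" -noout -passin "pass:$PFX_PASSWORD" && echo "pfx OK"
}
make_self_signed
check_cert
export_pfx
```

The .pfx contains the private key, so protect it with a real export password and restrict who can read it on the server.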
Internet Information Services (IIS) Manager
- Open the Windows Start menu, search for Internet Information Services (IIS) Manager, and open it.
- In the Connections menu on the left, select your server instance.
- Under the IIS category, click Server Certificates.
- In the Actions menu on the right, click Create Self-Signed Certificate.
- Enter a name for your certificate, and select the type Personal.
- Click OK to create your certificate.