Access rights to the private key of the SSL certificate for platform configuration tool


I’m trying to perform prechecks for a UiPath upgrade from 2020.10 to 2022.10. I ran the Platform Configuration Tool from my Orchestrator server and all checks passed except the SSL certificate verification.

During my certificate verification, the tool gave a warning saying “Could not determine access rights for the private key of the signing certificate.”

How can I resolve this to verify the certificate before proceeding with the upgrade?

An internal server error may occur if the certificate does not have the appropriate permissions set. Run the following as Admin to grant the necessary permissions:

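Import-Module WebAdministration
# Find the certificate bound to the Orchestrator site in IIS
$siteName = 'UiPath Orchestrator'
$binding = (Get-ChildItem -Path IIS:\SSLBindings | Where Sites -eq $siteName)[0]
$certLoc = "cert:\LocalMachine\MY\$($binding.Thumbprint)"
$cert = Get-Item $certLoc
# Locate the private key file of that certificate in the machine key store
$keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\"
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFullPath = $keyPath + $keyName
$acl = (Get-Item $keyFullPath).GetAccessControl('Access')
# Assumed values (account, right, type): the page does not show them.
# Replace 'IIS_IUSRS' with the identity your Orchestrator application pool runs as.
$permission = 'IIS_IUSRS', 'Read', 'Allow'
$accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
# Add the rule to the ACL object, then write the ACL back to the key file
$acl.AddAccessRule($accessRule)
Set-Acl -Path $keyFullPath -AclObject $acl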

Reference: Using a Certificate for the HTTPS Protocol

Hi, thanks a lot.

On the test Orchestrator server, I’m facing a different error. Could you please help me find the solution for the below?

We do have a valid certificate installed and test orchestrator (version 2020.10) is up & running.

But when I tried to run platform-configuration-tool, it gives the below error from the Test Orchestrator server.

Try the solution from here: Platform Configuration Tool

The following example enables you to update the Orchestrator SSL and the Identity Server token-signing certificates.

.\Platform.Configuration.Tool.ps1 `
  -UpdateUiPathCertificate `
  -KeepOldCertificate $false `
  -SiteName "UiPath Orchestrator" `
  -NewSSLThumbprint "a1b2c3d4" `
  -NewTokenSigningThumbprint "z6y5x4v3"

Make sure the certificates have the appropriate permissions set to prevent an internal server error. Refer to Troubleshooting Certificates for more details.

If the private key has not been added to the certificate, you can add it manually by taking the following steps:

  1. To locate the private key, start Internet Information Services (IIS) Manager, and select Application Pool. You should find the private key for each service under the Identity column.
  2. Go to Manage Computer Certificates under Control Panel.
  3. Go to Personal/Certificates.
  4. Right-click New certificate, then go to All Tasks > Manage Private Keys to add the private key.

If the above didn’t help, before raising a ticket with the Support team, check the below:

  1. Review and complete the prerequisites mentioned in the below link:
    Platform Configuration Tool

  2. Make a backup copy of the Identity/appsettings.Production.json file and then
    check the thumbprint in the Orchestrator\Identity\appsettings.Production.json file
    and make sure it matches the thumbprint for the current certificate being used.
    If it does not match, please update it.
    If it does look to match, please check and make sure there are no hidden characters
    at the beginning of the string or spaces in the string.

To check for hidden characters, please follow the below steps:
In Notepad++, go to the Encoding tab and select ‘Encode in ANSI’. (This highlights the hidden characters.)
If a hidden character exists, remove it and repaste it in the Identity\appsettings.Production.json file.

Perform iisreset via an admin command prompt after removing the hidden character.

  3. Please also make sure that the certificate being used for Orchestrator and Identity is in the Personal folder of the Local machine.
    You can do this by opening Manage Computer Certificates → Personal → Certificates. If this is a self-signed certificate, please also make sure to add the certificate to the Trusted Root folder.
    You can open the certificate in both of these locations by double-clicking on the certificate and validating that the thumbprint located in the details matches what is in Identity/appsettings.Production.json.

If the above does not fix the issue, please share the below:

  1. Complete output of the readiness check execution as shown in the below link after performing the above steps:
    Platform Configuration Tool

  2. A screenshot of the command that you are executing in PowerShell.

  3. In Manage Computer Certificates, right-click on the certificate in the Personal folder. Click All Tasks → Manage Private Keys. Please share a screenshot of this page.

  4. Please also share the Identity/appsettings.Production.json file.
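
An added example, not part of the thread or of UiPath's documentation: a read-only PowerShell check that ties together the two failure modes discussed above, hidden characters in the thumbprint and missing access rights on the private key file. It changes nothing on the system and also handles CNG keys, which live outside RSA\MachineKeys. The function name and the default account 'IIS_IUSRS' are assumptions; pass the identity your application pool actually runs as.

```powershell
# Added example (hypothetical helper, not UiPath code). Run elevated on the Orchestrator server.
# Usage: Test-CertPrivateKeyAccess -Thumbprint 'value copied from appsettings.Production.json'
function Test-CertPrivateKeyAccess {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Account = 'IIS_IUSRS'   # assumed account; use your app pool identity
    )
    # Drop anything that is not a hex digit: spaces and invisible characters pasted from the MMC
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne $Thumbprint.Length) {
        Write-Warning "Thumbprint had $($Thumbprint.Length - $clean.Length) non-hex character(s); using $clean"
    }
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key in this store." }

    # GetRSAPrivateKey works for both CNG and legacy CSP keys
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw 'Private key is not RSA or could not be opened.' }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyName = $rsa.Key.UniqueName
    } else {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }

    # Machine keys are stored in one of these two directories depending on the provider
    $keyFile = "$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" |
        ForEach-Object { Join-Path $_ $keyName } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $keyFile) { throw "Key file '$keyName' not found (hardware-backed or non-default provider?)." }

    # Look for an Allow entry for the account that includes Read
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $aces = (Get-Acl -LiteralPath $keyFile).Access
    $hit  = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*$Account" -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    [pscustomobject]@{
        Thumbprint = $clean
        KeyFile    = $keyFile
        Account    = $Account
        HasRead    = [bool]$hit
        Entries    = $aces | ForEach-Object { '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights }
    }
}
```

If HasRead is False, the Entries list shows which identities currently hold rights on the key file, which is the same information the Manage Private Keys dialog displays.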