Changing The SSL Certificate For UiPath Orchestrator Website

Manually Updating SSL and Token Signing Certificate for UiPath Standalone Orchestrator hosted in IIS.

How certificates are used by Orchestrator

Orchestrator and Identity Server (the identity provider application hosted on the same IIS server) use certificates in 2 ways:

  • SSL handshake
  • Token Signing

These can be two separate certificates, but for convenience this guide uses a single certificate with a private key that fulfils both requirements.


How to update the Certificate when it expires or when changing URLs and binding:

There are 2 methods to change the certificate:

A. Using the Update-UiPathCertificate command via the Platform Configuration Tool. This is both easier and less error prone - https://docs.uipath.com/orchestrator/standalone/2022.10/installation-guide/platform-configuration-tool

B. Manually updating IIS and Configuration Files by following the instructions below

Prerequisites
(Refer to Platform Configuration Tool - Certificate Requirements.)

  1. Import the client certificate into the Local Machine Personal store
     a. Double-click the .pfx file to open the Certificate Import Wizard
     b. Select the Store Location Local Machine
     c. Press Next
     d. Press Next on the File to Import window
     e. Type the password for the private key
     f. Press Next
     g. Select Place all certificates in the following store
     h. Press Browse and select Personal for certificates signed by a CA (Note: for self-signed certificates it is required to import into the Trusted Root Certification Authorities store)
     i. Press OK
     j. Press Next
     k. Press Finish

  2. Copy the certificate thumbprint into a Notepad file
     a. Open Certificate Manager for the Local Machine (Win+R > certlm.msc)
     b. Browse to Certificates - Local Computer > Personal > Certificates and double-click the certificate imported in step 1
     c. Click the Details tab
     d. Scroll to Thumbprint
     e. Copy the value into a Notepad file (Note: some Windows releases have a bug in this dialog and the copied value carries a hidden character at the beginning of the string. Save the file as .txt and reopen it so that the character is not copied by accident; it shows up as a ?)

  3. Determine the application pool user of the Identity application
     a. Open IIS Manager (Win+R > inetmgr.exe)
     b. Navigate to Application Pools
     c. Write down the Identity of the application pool called Identity

  4. Grant the application pool identity rights to the private key
     a. Open Certificate Manager for the Local Machine (Win+R > certlm.msc)
     b. Right-click the certificate imported in step 1
     c. All Tasks > Manage Private Keys
     d. Press Add
     e. Add the user noted in step 3 (Note: for the Application Pool Identity or local users, set the Location to the machine. For the Application Pool Identity you can select the local group IIS_IUSRS to grant the rights to all pools, which is useful when installing more services that need access to the same certificate under the same identity.)
     f. Press OK

  5. Update the Identity configuration file
     a. Open IIS Manager (Win+R > inetmgr.exe)
     b. Browse to the Identity site under SERVERNAME > Sites > UiPath Orchestrator > Identity
     c. Right-click Identity > Explore
     d. Run Notepad with administrator rights
     e. Open the file called appsettings.Production.json from the folder opened in step 5.c
     f. Update the SigningCredentialSettings section: make sure Location is set to LocalMachine and NameType to Thumbprint, and replace THUMBPRINTVALUE with the value copied in step 2
            "SigningCredentialSettings": {
                "StoreLocation": {
                    "Name": "THUMBPRINTVALUE",
                    "Location": "LocalMachine",
                    "NameType": "Thumbprint"
                }
            }
     g. Save and close the file

  6. Update the binding
     a. Open IIS Manager (Win+R > inetmgr.exe)
     b. Browse to the Orchestrator site under SERVERNAME > Sites > UiPath Orchestrator
     c. Select Bindings
     d. Select the https binding, or press Add if none exists
     e. Select All Unassigned under IP address and 443 under Port
     f. Select the name of the certificate imported in step 1 (if more than one certificate has the same CN, press View and check the Thumbprint as in step 2.c)
     g. Press OK

  7. Stop and start the UiPath Orchestrator site to apply the configuration changes
     a. Open IIS Manager (Win+R > inetmgr.exe)
     b. Browse to the Orchestrator site under SERVERNAME > Sites > UiPath Orchestrator
     c. In the Manage section on the right, click Stop
     d. Click Start

  8. Open a supported browser and browse to the Orchestrator URL to make sure the site starts.
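The same procedure, steps 1 to 8, as one PowerShell script for an elevated session on the IIS host. This is an added example, not part of the original post and not UiPath's tooling (UiPath's own automation is the Update-UiPathCertificate command from method A). The .pfx path, the public host name, the application pool name Identity, the site name UiPath Orchestrator and the location of the Identity web application are assumptions; the script also assumes an RSA key in the .pfx. It reads the thumbprint from the imported certificate object rather than from the certlm.msc dialog, so the hidden-character problem mentioned in step 2 does not arise, and it finishes with a TLS handshake against port 443 that checks the served certificate is the one just bound.

```powershell
# Added example, not from the original post: steps 1-8 above as one PowerShell script.
# Assumptions (adjust for your server): the .pfx path, the public host name, the pool
# name 'Identity', the site name 'UiPath Orchestrator', the Identity app path, RSA key.
#Requires -RunAsAdministrator
Import-Module WebAdministration          # provides the IIS: drive, *-WebBinding, *-WebSite

$PfxPath          = 'C:\certs\orchestrator.pfx'      # assumption: where your .pfx is
$SiteName         = 'UiPath Orchestrator'            # IIS site name used in the post
$PoolName         = 'Identity'                       # application pool from step 3
$OrchestratorHost = 'orchestrator.example.local'     # assumption: the public host name

# Step 1: import the certificate with its private key into Local Machine > Personal.
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPass -CertStoreLocation 'Cert:\LocalMachine\My'

# Step 2: take the thumbprint from the object; no hidden leading character as in the dialog.
$thumb = $cert.Thumbprint
if ($thumb -notmatch '^[0-9A-F]{40}$') { throw "Unexpected thumbprint '$thumb'" }

# Step 3: resolve the account the Identity application pool runs as.
$pm = (Get-Item "IIS:\AppPools\$PoolName").processModel
$principal = switch ($pm.identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$PoolName" }
    'SpecificUser'            { $pm.userName }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
}

# Step 4: grant that account Read on the private key file (what "Manage Private Keys" does).
# CNG and legacy CSP keys live in different folders, so locate the file by its unique name.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found" }
icacls $keyFile.FullName /grant "${principal}:R" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed to grant $principal access to the private key" }

# Step 5: point Identity Server's SigningCredentialSettings at the new thumbprint.
# Back the file up first; ConvertTo-Json rewrites the whole file, so keep -Depth high.
$identityRoot = [Environment]::ExpandEnvironmentVariables((Get-WebApplication -Site $SiteName -Name 'Identity').PhysicalPath)
$cfgPath = Join-Path $identityRoot 'appsettings.Production.json'
Copy-Item $cfgPath "$cfgPath.bak" -Force
$cfg = Get-Content $cfgPath -Raw | ConvertFrom-Json

function Find-JsonNode($node, $name) {
    # depth-first search, so the script does not depend on where in the file the section sits
    foreach ($p in $node.PSObject.Properties) {
        if ($p.Name -eq $name) { return $p.Value }
        if ($p.Value -is [System.Management.Automation.PSCustomObject]) {
            $hit = Find-JsonNode $p.Value $name
            if ($hit) { return $hit }
        }
    }
}
$signing = Find-JsonNode $cfg 'SigningCredentialSettings'
if (-not $signing) { throw 'SigningCredentialSettings not found in appsettings.Production.json' }
$signing.StoreLocation.Name     = $thumb
$signing.StoreLocation.Location = 'LocalMachine'
$signing.StoreLocation.NameType = 'Thumbprint'
$cfg | ConvertTo-Json -Depth 32 | Set-Content $cfgPath -Encoding UTF8

# Step 6: bind the certificate to https on All Unassigned:443 (IIS stores this as 0.0.0.0!443).
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
Get-Item "Cert:\LocalMachine\My\$thumb" | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# Step 7: restart the site so Orchestrator and Identity Server reload their configuration.
Stop-WebSite -Name $SiteName
Start-WebSite -Name $SiteName

# Step 8: handshake against 443 with SNI set to the public host name and compare thumbprints.
# The callback accepts any chain because the check that matters here is the thumbprint below.
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $chain, $errors) $true }
$tcp = [System.Net.Sockets.TcpClient]::new('localhost', 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($OrchestratorHost)
$served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()
if ($served.Thumbprint -ne $thumb) { throw "IIS is serving $($served.Thumbprint), expected $thumb" }
"Certificate $thumb bound to '$SiteName' and served for $OrchestratorHost (expires $($cert.NotAfter))"
```

The ACL step grants only Read, which is all Identity Server needs to sign tokens; granting it to the single pool account rather than IIS_IUSRS keeps the signing key away from other application pools on the host, which is the more conservative choice where you do not need the shared-group variant described in step 4.e. If the JSON file fails to parse (for example because it contains comments), restore it from the .bak copy and edit the SigningCredentialSettings block by hand as in step 5.f.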

I will try that, and will let you know