How to change the Identity Server Signing Certificate?
Issue Description:
How to change the Identity Server Signing Certificate? With 20.4+, Orchestrator relies on the Identity Server for authentication. The Identity Server uses a signing certificate, and that certificate sometimes needs to be updated.
Background:
The Identity Server signing certificate is used for authentication. It is usually the same as the Orchestrator certificate, but that is not a requirement. Additionally, it can be a self-signed certificate. If there are multiple Identity Server nodes, they must all reference the same signing certificate.
More information can be found at Signing Requirements.
Updating the Identity Signing Certificate
- Find the new certificate to be used for signing, by following the steps below:
  - Open the Manage Computer Certificates app: Start -> Run -> type certlm.msc -> OK.
  - Go to the Personal node and locate the certificate.
  - Open the certificate, go to the 'Details' tab and copy the thumbprint.
  - On Windows Server 2016, the copied thumbprint may contain hidden special characters. See the animation involving Notepad++ in the following link for removing them.
  - If this step is not done, the special character shows up as a '?' when the command constructed below is executed. It can simply be deleted there.
- Use the thumbprint to run the Platform Configuration Tool:
  - The command to run in PowerShell, with <thumbprint> replaced by the value copied above (the path is quoted because it contains spaces), is: & "C:\Program Files (x86)\UiPath\Orchestrator\Tools\UiPath.Platform.Configuration.Tool\Platform.Configuration.Tool.ps1" UpdateUiPathCertificate -NewTokenSigningThumbprint <thumbprint> -SiteName UiPathOrchestrator
- Give the Identity Server application pool access to the private key of the new certificate:
  - Open certlm.msc.
  - Under the Personal node, find the new SSL certificate.
  - Right click -> All Tasks -> Manage Private Keys.
  - Click Add.
  - Change the location to the current computer.
  - Add the user 'IIS APPPOOL\Identity' and give the user Full control and Read.
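The procedure above, as an added PowerShell example that is not code from the UiPath article or product: it takes a thumbprint pasted from the certlm.msc Details tab, strips the hidden characters Windows Server 2016 can add, confirms the certificate sits in the machine Personal store with a private key, checks that the Identity application pool can read that key, and prints the Platform Configuration Tool command. The default tool path and the standard Windows locations of machine RSA key files (CNG and legacy CSP) are assumptions.

```powershell
# Added example, not from the UiPath article. Usage:
#   .\Check-SigningCert.ps1 -PastedThumbprint "<value copied from certlm.msc>"
# Assumed: the default tool path and the standard key-file locations for machine RSA keys.
param(
    [Parameter(Mandatory)][string]$PastedThumbprint,
    [string]$SiteName    = 'UiPathOrchestrator',
    [string]$AppPoolUser = 'IIS APPPOOL\Identity'
)
$toolPath = 'C:\Program Files (x86)\UiPath\Orchestrator\Tools\UiPath.Platform.Configuration.Tool\Platform.Configuration.Tool.ps1'

# Keep only hex digits: the pasted value can carry U+200E marks and spaces between
# byte pairs, which show up as '?' if left in the command line.
function ConvertTo-CleanThumbprint([string]$Raw) {
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "'$Raw' cleaned to $($clean.Length) hex chars, expected 40 (SHA-1)." }
    return $clean
}

# Path of the private-key file of a machine certificate: CNG key store first, then legacy CSP.
function Get-PrivateKeyFile($Cert) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
    return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# 1. Clean the thumbprint and look the certificate up in LocalMachine\My (the certlm.msc 'Personal' node).
$thumbprint = ConvertTo-CleanThumbprint $PastedThumbprint
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey)      { throw "Certificate $thumbprint has no private key, so it cannot sign tokens." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumbprint expired on $($cert.NotAfter)." }

# 2. Private-key ACL: the Identity app pool must hold at least Read on the key file, or signing fails at runtime.
$readBit = [int][System.Security.AccessControl.FileSystemRights]::Read
$keyFile = Get-PrivateKeyFile $cert
$allowed = (Get-Acl $keyFile).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $AppPoolUser -and
    (([int]$_.FileSystemRights -band $readBit) -eq $readBit) }
if (-not $allowed) { Write-Warning "$AppPoolUser cannot read $keyFile; grant Read via certlm.msc > Manage Private Keys." }

# 3. The article's command with the clean thumbprint substituted; run it from an elevated PowerShell.
Write-Host "Certificate: $($cert.Subject), expires $($cert.NotAfter)"
Write-Host "& '$toolPath' UpdateUiPathCertificate -NewTokenSigningThumbprint $thumbprint -SiteName $SiteName"
```

Run it on each Identity Server node with the same thumbprint so that every node is verified against the one certificate they must all reference.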