How to change the Identity Server Signing Certificate?
Issue Description: How to change the Identity Server Signing Certificate? From version 20.4 onward, Orchestrator relies on the Identity Server for authentication. The Identity Server uses a signing certificate, which sometimes needs to be updated.
Background: The Identity Server signing certificate is used for authentication. It is usually the same as the Orchestrator certificate, but that is not a requirement. It can also be a self-signed certificate. If there are multiple Identity Server nodes, they must all reference the same signing certificate.
More information can be found at Signing Requirements.
Updating the Identity Signing Certificate
- Find the new certificate to be used for signing by following the steps below:
- Open the Manage Computer Certificates app: Start->Run, type certlm.msc and click OK
- Go to the Personal node and locate the certificate
- Open the certificate, go to the 'Details' tab and copy the thumbprint
- On Windows Server 2016, the thumbprint may contain special hidden characters. See the animation involving notepad++ in the following link for removing the character
- If this step is not done, the special character will show up as a '?' when executing the command that is being constructed. It can just be deleted.
- Use the thumbprint to run the Platform Configuration Tool:
- The command to run is: & "C:\Program Files (x86)\UiPath\Orchestrator\Tools\UiPath.Platform.Configuration.Tool\Platform.Configuration.Tool.ps1" UpdateUiPathCertificate -NewTokenSigningThumbprint <thumbprint> -SiteName UiPathOrchestrato
- Open certlm.msc
- Under the Personal node, find the new SSL certificate
- Right click->All Tasks->Manage Private Keys
- Click Add
- Change the location to the current computer.
- Add the user 'IIS APPPOOL\Identity' and give the user Full control and Read
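A scripted check of the steps above, as an added example that is not UiPath's own tooling: it strips the hidden character from a pasted thumbprint, confirms the certificate sits in the machine Personal store with a private key, and reports which rights 'IIS APPPOOL\Identity' holds on that key. The function names and the sample thumbprint are constructed for illustration, and the key is assumed to be a file-backed RSA key.

```powershell
# Added example, not UiPath code. Function names are hypothetical.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Raw)
    # Report anything that is neither a hex digit nor ordinary whitespace:
    # this is the invisible character that would otherwise appear as '?'.
    foreach ($ch in $Raw.ToCharArray()) {
        if ([string]$ch -notmatch '[0-9A-Fa-f\s]') {
            Write-Warning ('Removing hidden character U+{0:X4}' -f [int]$ch)
        }
    }
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

function Test-SigningCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint,
          [string]$Account = 'IIS APPPOOL\Identity')
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key.' }
    # Assumption: RSA key kept by a software provider, so a key file exists on disk.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $name = if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $rsa.Key.UniqueName
    } else {
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    $file = 'Keys', 'RSA\MachineKeys' |
        ForEach-Object { Join-Path "$env:ProgramData\Microsoft\Crypto" "$_\$name" } |
        Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $file) { throw 'Private key file not found.' }
    $rules = (Get-Acl -Path $file).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account }
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        AccountRights = if ($rules) { $rules.FileSystemRights -join ', ' } else { 'none' }
    }
}

# Constructed sample: U+200E stands in for the hidden character.
$pasted = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"
ConvertTo-CleanThumbprint -Raw $pasted
# On the Identity Server node, from an elevated prompt:
# Test-SigningCertificate -Thumbprint (ConvertTo-CleanThumbprint -Raw $pasted)
```

With multiple Identity Server nodes, run the check on each node and compare the reported thumbprints, since all nodes must reference the same signing certificate.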