How to change the Identity Server Signing Certificate


Issue Description: How to change the Identity Server signing certificate? With 20.4+, Orchestrator relies on the Identity Server for authentication. The Identity Server uses a signing certificate, which sometimes needs to be updated.

Background: The Identity Server signing certificate is used for authentication. It is usually the same as the Orchestrator certificate, but that is not a requirement. Additionally, it can be a self-signed certificate. If there are multiple Identity Server nodes, they must all reference the same signing certificate.

More information can be found at Signing Requirements.

Updating the Identity Signing Certificate

  1. Find the new certificate to be used for signing by following the steps below:
  • Open the Manage Computer Certificates app: Start -> Run, type certlm.msc and click OK
  • Go to the Personal node and locate the certificate
  • Open the certificate, go to the 'Details' tab and copy the thumbprint
  • On Windows Server 2016, the thumbprint may contain a hidden special character. See the animation involving notepad++ in the following link for removing the character
  • If this step is not done, the special character will show up as a '?' when executing the command that is being constructed. It can just be deleted.
  2. Use the thumbprint to run the Platform Configuration Tool:
  • The command to run is: C:\Program Files (x86)\UiPath\Orchestrator\Tools\UiPath.Platform.Configuration.Tool\Platform.Configuration.Tool.ps1 UpdateUiPathCertificate -NewTokenSigningThumbprint <thumbprint> -SiteName UiPathOrchestrato
  3. Give the Identity application pool access to the certificate's private key:
     1. Open certlm.msc
     2. Under the Personal node, find the new SSL certificate
     3. Right click -> All Tasks -> Manage Private Keys
     4. Click Add
     5. Change the location to the current computer.
     6. Add the user 'IIS APPPOOL\Identity' and give the user Full control and Read
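A read-only check for the procedure above, added here as an example and not part of the original post or UiPath's tooling: it strips the hidden character from a copied thumbprint, confirms the certificate is in the local machine Personal store with a private key, and reports whether 'IIS APPPOOL\Identity' has an entry on the key file. It assumes an RSA key stored on disk and an elevated Windows PowerShell session; the function names and the sample thumbprint are made up for illustration.

```powershell
# Added example, not UiPath's own tooling. Run elevated on each Identity Server node.
# Constructed placeholder: replace with the value copied from the 'Details' tab.
# The leading U+200E mimics the invisible character the certificate dialog can add.
$raw = "$([char]0x200E)aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd"
$appPool = 'IIS APPPOOL\Identity'   # account named in the steps above

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Value)
    # Keep hex digits only: removes spaces and the hidden character that
    # would otherwise appear as '?' on the command line.
    $clean = ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

function Test-SigningCertificate {
    param([string]$Thumbprint, [string]$Account)
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) { return "Not found in LocalMachine\My: $Thumbprint" }
    if (-not $cert.HasPrivateKey) { return 'Certificate has no private key on this node.' }
    if ($cert.NotAfter -lt (Get-Date)) { return "Certificate expired on $($cert.NotAfter)." }

    # Assumption: RSA key. Resolve the key file so its ACL can be read.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { return 'Not an RSA key; check permissions in certlm.msc instead.' }
    $name = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    $file = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$name",
            "$env:ProgramData\Microsoft\Crypto\Keys\$name" |
            Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $file) { return 'Private key file not found (key may be hardware-backed).' }

    # Look for an Allow entry for the app pool identity on the key file.
    $rules = (Get-Acl -LiteralPath $file).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }
    if ($rules) { "OK: $Account has $($rules.FileSystemRights -join ', ') on the private key." }
    else { "Missing: $Account has no Allow entry on the private key." }
}

$thumbprint = ConvertTo-CleanThumbprint -Value $raw
Test-SigningCertificate -Thumbprint $thumbprint -Account $appPool
```

Running it on every Identity Server node with the same thumbprint also confirms that all nodes reference the same signing certificate.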