How to create self-signed certificate for Automation Suite and update it
Scenario: When the Automation Suite certificate has expired, it needs to be updated. Our official documentation recommends using a certificate signed by a trusted Certificate Authority (CA). Some customers, however, want to use a self-signed certificate and update it. What steps can we take to achieve that?
Solution: We can follow the steps below.
1. First we need to generate the certificates, which we can do with the script below. Replace 'automationsuite.mycompany.com' in the code with the customer FQDN; the script generates server.crt, server.key and rootCA.crt (valid for 365 days), which will be used as the new certificates.
# Generates a self-signed root CA plus a server certificate signed by it.
# Arguments: output folder, comma-separated DNS names for the SAN, validity in days.
# The rootCA.key passphrase (12345) is a placeholder; change it before use.
function create_certs_with_expiry() {
    local folder="$1"
    local dns_list="$2"
    local days="$3"
    local counter=1
    IFS=',' read -r -a dnsArray <<< "$dns_list"
    mkdir -p "$folder"
    cd "$folder" || return 1
    # Root CA private key and self-signed root certificate
    openssl genrsa -des3 -out rootCA.key -passout pass:12345 2048
    openssl req -x509 -new -nodes -key rootCA.key -passin pass:12345 -sha256 -days "${days}" -out rootCA.crt -subj "/C=US/ST=NY/O=UiPath, Inc./CN=UiPath, Service Fabric"
    # Extension file for the server certificate: one SAN entry per DNS name
    echo -e "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n[alt_names]" > v3.ext
    for i in "${dnsArray[@]}"
    do
        printf "%s\n" "DNS.$counter = $i" >> v3.ext
        counter=$((counter+1))
    done
    # Server key and CSR, then sign the CSR with the root CA using the extensions above
    openssl req -new -nodes -out server.csr -newkey rsa:2048 -keyout server.key -subj "/C=US/ST=NY/O=UiPath, Inc./CN=Service Fabric"
    openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -passin pass:12345 -CAcreateserial -out server.crt -days "${days}" -sha256 -extfile v3.ext
    # Bundle the root CA key and certificate into a PKCS#12 file
    openssl pkcs12 -export -out identity.pfx -inkey rootCA.key -in rootCA.crt -passin pass:12345 -passout pass:12345
    cd - >/dev/null || return 1
}

# Creates certificates for the FQDN and its wildcard, valid for 365 days
function trigger_cert_updation_with_expiry() {
    local fqdn="$1"
    create_certs_with_expiry "/root/new_certificate" "${fqdn},*.${fqdn}" 365
}

trigger_cert_updation_with_expiry "automationsuite.mycompany.com"
2. After that, we can follow the steps below to update the certificate. Run them from the folder that contains the generated files, or adjust the /cert/ paths to wherever the files were written (the script above writes them to /root/new_certificate).
1) Add the CA certificate to the host trust store
cp rootCA.crt /usr/share/pki/ca-trust-source/anchors
update-ca-trust
2) Update the server certificate
sudo ./configureUiPathAS.sh tls-cert update --ca-cert-file /cert/rootCA.crt --tls-cert-file /cert/server.crt --tls-key-file /cert/server.key
3) Update the identity token signing certificate (use the server certificate as the identity token signing certificate)
sudo ./configureUiPathAS.sh identity token-cert update --cert-file-path /cert/server.crt --cert-key-file-path /cert/server.key
4) Rotate the identity token signing certificate
sudo ./configureUiPathAS.sh identity token-cert rotate