Why has my Orchestrator become inaccessible after a certificate change? OR Why is my Orchestrator certificate throwing a key-related exception?
Issue Description
The Orchestrator is integrated with the Identity Server, which handles centralized authentication and access control across all UiPath products. For security reasons, the certificate used by the Identity Server must have a private key that the AppPool user can access, which is why an exportable private key is a mandatory requirement for the certificate.
Sometimes the Orchestrator becomes inaccessible (mostly with a 500 error) because of an issue with the certificate's private key. In that case, when you attempt to manage the private keys of this certificate (by right-clicking the certificate and choosing "All Tasks" > "Manage Private Keys"), you might see the following prompt:
In such a scenario, you will often encounter the following System logs within the Event Viewer of the Orchestrator machine:
- An error occurred while using SSL configuration for endpoint 0.0.0.0:443.
- A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D.
Resolution
Follow the steps below:
- First, open the Orchestrator certificate and check whether it has a private key attached. The "Key" icon, highlighted below, confirms this.
- If the issue surfaced after a recent certificate update, check that:
  - The new certificate follows all prerequisites as per: HTTPS Certificate Prerequisites.
  - All steps from this article have been followed: Changing The SSL Certificate For UiPath Orchestrator Website.
- If the issue still persists, try repairing the private key of the certificate as described below:
  - Open the certificate, navigate to the "Details" tab, and copy the thumbprint of the certificate.
  - Open Command Prompt as administrator and run: certutil -repairstore my <Certificate Thumbprint>
  - When the command succeeds, you should see a screen like the one below:
- Delete the certificate from IIS (by opening "Server Certificates" under the IIS section) and try assigning a new private key to the certificate by following the steps in Assign a private key to a new certificate after deleting the original certificate in IIS.
- If repairing the certificate's private key or assigning a new one doesn't resolve the issue, try deleting the certificate from the Certificate Manager (MMC) of the Local Machine and re-importing it.
- If none of the above steps help, consider getting a new certificate issued for your Orchestrator. If your Orchestrator is down and you need time to obtain a CA-issued certificate, the quickest workaround is to generate a self-signed certificate to get your Orchestrator functional again. You can switch to a more secure domain certificate later, once you have it.
  - To generate a self-signed certificate, you can run this simple PowerShell script: Creating a Self-Signed SSL Certificate on the Primary Orchestrator Machine.
- If you repeatedly encounter this issue on your machines, consider raising a Microsoft Support Ticket for further investigation. Here are some interesting discussions:
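The following PowerShell check walks through the private-key conditions the steps above describe (key attached, key accessible, key exportable, AppPool user allowed on the key). It is an added example, not code from the article or from UiPath; it assumes the certificate is in the LocalMachine\My store, and the thumbprint and application pool identity are placeholders you replace with your own values.

```powershell
# Added diagnostic, not from the UiPath article. Assumptions: the certificate is in
# Cert:\LocalMachine\My; $Thumbprint (Details tab value) and $AppPoolIdentity (the IIS
# application pool identity that runs Orchestrator) are placeholders to replace.
param(
    [string]$Thumbprint      = 'REPLACE_WITH_CERT_THUMBPRINT',
    [string]$AppPoolIdentity = 'IIS AppPool\UiPath Orchestrator'   # assumed pool name
)
# Thumbprints pasted from the Details tab often carry spaces or a hidden leading character.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { Write-Error "No certificate $Thumbprint in LocalMachine\My"; return }
"Subject: $($cert.Subject)  Expires: $($cert.NotAfter)  HasPrivateKey: $($cert.HasPrivateKey)"

if (-not $cert.HasPrivateKey) {
    # The store holds the public certificate but no key reference (the missing 'Key' icon).
    Write-Warning "No private key attached. Try: certutil -repairstore my $Thumbprint"
    return
}
# Open the key to find its container file. CNG (RSACng) and legacy CAPI
# (RSACryptoServiceProvider) keys live under different ProgramData folders.
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
} catch {
    # Key reference present but the key cannot be accessed: the symptom the Event Viewer error describes.
    Write-Warning "Private key cannot be opened: $($_.Exception.Message). Try certutil -repairstore my $Thumbprint"
    return
}
if (-not $rsa) { Write-Warning 'Not an RSA key; this check only covers RSA certificates.'; return }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName;  $exportable = $rsa.Key.ExportPolicy -ne 'None'
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName;  $exportable = $rsa.CspKeyContainerInfo.Exportable
}
if (-not $exportable) { Write-Warning 'Private key is not exportable; the HTTPS prerequisites require an exportable key.' }

$keyFile = @("$env:ProgramData\Microsoft\Crypto\Keys\$keyName",
             "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName") |
           Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { Write-Warning "Key container '$keyName' not found on disk (dangling key reference)."; return }

# An admin can open the key even when the pool identity cannot, so check the ACL explicitly.
# "Manage Private Keys" edits this file's ACL; the pool identity needs at least Read.
# Note: an Allow granted via a group (e.g. IIS_IUSRS) will not match this exact-identity test.
$readRule = (Get-Acl $keyFile).Access | Where-Object {
    $_.IdentityReference.Value -eq $AppPoolIdentity -and $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if ($readRule) { "OK: $AppPoolIdentity can read $keyFile" }
else { Write-Warning "$AppPoolIdentity has no Read access to $keyFile; grant it via Manage Private Keys." }
```

Run it from an elevated PowerShell session on the Orchestrator machine, since reading the key container ACLs requires administrative rights.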