SSL Certificate Requirements for Orchestrator - Can't change SSL Certificate

Hi everyone!!! I have a simple question related to the installation of an SSL certificate.

Basically, we got a new SSL certificate (not a self-signed one) and I tried to update the certificate info in Orchestrator based on this article (Using a Certificate for the HTTPS Protocol), but once I do that, Orchestrator stops working, so I had to go back and keep using the self-signed certificate.

I think the problem is because the certificate is “Issued to” a different “machine”; for example, the Orchestrator server hostname is abc.company.net but the certificate is “issued to” a sort of alias like orchestrator.company.net.

In short, I suppose that the main problem is related to the hostname used in the “Issued to” field of the certificate, so I would appreciate it if somebody could confirm this.

Thank you so much in advance.

1 Like

You’re correct. Your hostname needs to match what is in your certificate. Some certificates have wildcards in the hostname, e.g., *.company.net. So a wildcard certificate like that would also work.

Thank you so much for your answer, so basically the CN (Common Name) needs to match the hostname, or I can use wildcards so we may use the certificate on other servers that keep the same domain.

Thank you again.

Hi @jvalbuena
I hope you are doing this on an on-prem Enterprise level.

Try this:
Ask your Windows admin to log on to this Orchestrator server with a Domain Admin login, then install the certificate. Then log in again with your Windows login and try to up your certificate.

Yes, I’m doing it with an on-premise Orchestrator. Thank you so much for your answer. Will doing the steps you explained change the “Issued to” or Common Name of the certificate?

This is not entirely accurate. I would say use your Common Name (CN) for the FQDN that will more commonly be used. In addition to the CN that the certificate is issued to, you also have the Subject Alternative Names (SAN). (To my knowledge some clients / browsers will ignore the CN if SANs are available.)

For our setup we have load-balanced Orchestrators using the same certificate
CN = UiPath.domain
SAN
DNS Name = UiPath.domain
DNS Name = node1
DNS Name = node1.domain
DNS Name = node2
DNS Name = node2.domain
IP Address = (IP of LB)
IP Address = (IP of Node1)
IP Address = (IP of Node2)

If, for example, I were to take UiPath.domain out of the SAN, Chrome would throw an ERR_CERT_COMMON_NAME_INVALID.

You of course can use Wild Card designations with the CN and SAN.

1 Like
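
An added example (not posted by anyone in this thread, and not UiPath code): a simplified Python model of the name check a TLS client performs, covering the three cases discussed above: an alias certificate used under the machine hostname, a wildcard certificate, and a load-balanced certificate whose public name is missing from the SAN. The function names, the sample certificates and the 10.0.0.10 address are constructed; the rules assumed are the RFC 6125 style ones (a wildcard only as the whole leftmost label, and the CN not consulted once a SAN is present).

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                      # a wildcard covers exactly one label
    if p[0] == "*":
        # Assumption: require at least two fixed labels, so "*.net" never matches.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def cert_matches(host, cn, san_dns=(), san_ip=()):
    """True if `host` (exactly as typed in the URL) is covered by the certificate."""
    if _is_ip(host):
        # IP literals are compared only with "IP Address" SAN entries.
        return any(ipaddress.ip_address(host) == ipaddress.ip_address(i) for i in san_ip)
    if san_dns or san_ip:
        return any(dns_match(p, host) for p in san_dns)   # SAN present: CN ignored
    return dns_match(cn, host)            # legacy CN fallback for SAN-less certificates

# Constructed sample certificates modelled on the thread.
ALIAS_CERT = dict(cn="orchestrator.company.net", san_dns=["orchestrator.company.net"])
WILDCARD_CERT = dict(cn="*.company.net", san_dns=["*.company.net"])
LB_CERT = dict(cn="uipath.company.net",   # load balancer name left out of the SAN
               san_dns=["node1", "node1.company.net", "node2", "node2.company.net"],
               san_ip=["10.0.0.10"])

if __name__ == "__main__":
    for host, cert in [("abc.company.net", ALIAS_CERT),
                       ("orchestrator.company.net", ALIAS_CERT),
                       ("abc.company.net", WILDCARD_CERT),
                       ("a.b.company.net", WILDCARD_CERT),
                       ("uipath.company.net", LB_CERT),
                       ("10.0.0.10", LB_CERT)]:
        print(f"{host:28} vs CN={cert['cn']:26} -> {cert_matches(host, **cert)}")
```

The check is always made against the name the client typed, so the alias certificate works only when Orchestrator is reached as orchestrator.company.net, not under the machine's own hostname.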