SSL Certificate Requirements for Orchestrator - Can't change SSL Certificate

Hi everyone!!! I have a simple question related to the instalation of a SSL Certificate.

Basically, we got a new SSL Certificate (not a self signed) and I tried to update the certificate info in Orchestrator based on this article (https://docs.uipath.com/installation-and-upgrade/docs/using-a-certificate-for-the-https-protocol#importing-an-acquired-web-certificate) but once I do that, Orchestrator stop working so I had to go back and keep using de Self Signed Certificate.

I think the problem is beacuse the certificate is “Issued to” a different “machine”, for example, the Orchestrator server hostname is abc.company.net but the Certificate is “issued to” a sort of an alias like orchestrator.company.net.

In short words I suppose that the main problem is regarded to the hostname used in the “Issued to” certificate so I would appreciate if somebody could confirm this.

Thank you so much in advanced.

1 Like

You’re correct. Your hostname needs to match what is in your certificate. Some certificates have wild cards in the hostname. E. G., *.company.net. So a wild card certificate like that would also work.

Thank you so much for your answer, so basically the CN (Common Name) needs to match de hostname or I can use wildcards so we may use the certificate in other servers that keep the same domain.

Thank you again.

hi @jvalbuena
I hope you are doing this on On prem Enterprise Level

Try This ,
Ask your Windows admin to log on to this Orchestrator Server via Domain Admin Login , then install the certificate . Then login again your windows login and try to up your Certificate

Yes I’m doing it with an On Premise Orchestrator. Thank you so much for your answer. Doing the steps you explained will change the Issued to or Common name of the Certificate?

This is not entirely accurate. I would say use your Common Name (CN) for the FQDN that will more commonly be used. In addition to the CN that the certificate is issued to you also have the Subject Alternative Names (SAN). (To my knowledge some clients / browsers will ignore the CN if SANs are available).

For our setup we have load-balanced Orchestrators using the same certificate
CN = uipath.domain
SAN
DNS Name = uipath.domain
DNS Name = node1
DNS Name = node1.domain
DNS Name = node2
DNS Name = node2.domain
IP Address = (IP of LB)
IP Address = (IP of Node1)
IP Address = (IP of Node2)

If for example I were to take uipath.domain out of the SAN, Chrome will throw a ERR_CERT_COMMON_NAME_INVALID.

You of course can use Wild Card designations with the CN and SAN.

1 Like