SSL Certificate upgrade validation

How to check if the certificate is updated?

Issue Description: How to check whether the SSL certificate update was applied correctly?

Resolution: Run the following PowerShell script (make sure to run it with administrator rights).

This PowerShell script helps validate all of these steps:

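# Import the Web Administration module for IIS management.
# -ErrorAction Stop makes the script fail here, with a clear error, on a
# machine without IIS/WebAdministration instead of failing later on the first
# Get-WebBinding / Get-Website call.
Import-Module WebAdministration -ErrorAction Stop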

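function Pause {
    # Blocks until the operator presses Enter so a message can be read before
    # the menu clears the screen. Read-Host only returns on Enter (not on "any
    # key"), so the prompt says so. The typed value is discarded so it does not
    # leak into the caller's output stream. Note: this shadows PowerShell's
    # built-in 'pause' function of the same name.
    $null = Read-Host "Press Enter to continue..."
}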

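function GetThumbprintFromIIS {
    <#
    .SYNOPSIS
    Returns the certificate thumbprint of an IIS site's HTTPS binding.
    .PARAMETER siteName
    IIS site name to inspect. Defaults to "UiPath Orchestrator" (the value the
    original hard-coded), so existing callers keep working unchanged.
    .OUTPUTS
    The CertificateHash string of the first HTTPS binding, or $null when the
    site has no HTTPS binding.
    #>
    param (
        [string]$siteName = "UiPath Orchestrator"
    )

    # Only the first HTTPS binding is considered so the caller always receives
    # a single value rather than an array when several HTTPS bindings exist.
    $httpsBinding = Get-WebBinding -Name $siteName |
        Where-Object { $_.Protocol -eq 'https' } |
        Select-Object -First 1

    if ($null -eq $httpsBinding) {
        return $null
    }

    return $httpsBinding.CertificateHash
}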

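function RepairThumbprintQuoting {
    <#
    .SYNOPSIS
    Helper for ValidateThumbprint: repairs the three common quoting mistakes
    around a "Name" value in raw JSON text (no quotes, missing opening quote,
    missing closing quote) and returns the repaired text.
    .NOTES
    Compare the result with the input to learn whether anything was changed.
    NOTE(review): the patterns match any "Name" key in the file, not only
    StoreLocation.Name, so an unquoted value of another "Name" key (e.g. a
    number) would be quoted as well — confirm this is acceptable.
    #>
    param (
        [string]$rawJson
    )

    $repaired = $rawJson
    # No quotes at all:        "Name": abc,
    $repaired = $repaired -replace '"Name":\s*([^"\s]+),', '"Name": "$1",'
    # Missing starting quote:  "Name": abc",
    $repaired = $repaired -replace '"Name":\s*([^"\s]+)",', '"Name": "$1",'
    # Missing ending quote:    "Name": "abc,
    $repaired = $repaired -replace '"Name":\s*"([^"]+),', '"Name": "$1",'
    return $repaired
}

function ValidateThumbprint {
    <#
    .SYNOPSIS
    Checks that the signing-credential thumbprint in Identity's
    appsettings.Production.json matches the certificate bound to the site's
    HTTPS binding, and optionally rewrites the JSON (after a backup) and runs
    IISRESET.
    .NOTES
    Interactive (Read-Host prompts). Must run elevated for IISRESET and for
    writing under Program Files.
    #>
    $siteName = "UiPath Orchestrator"
    $jsonPath = "C:\Program Files (x86)\UiPath\Orchestrator\Identity\appsettings.Production.json"
    $url = $null

    # Read the HTTPS binding here. The original read $binding from another
    # function's scope (and $siteName was never defined), so the hostname was
    # never found; taking only the first HTTPS binding also guarantees a
    # single thumbprint string rather than an array.
    $binding = Get-WebBinding -Name $siteName |
        Where-Object { $_.Protocol -eq 'https' } |
        Select-Object -First 1

    if ($null -eq $binding -or [string]::IsNullOrWhiteSpace($binding.CertificateHash)) {
        Write-Host "No HTTPS binding found for site $siteName" -ForegroundColor Red
        Pause
        return
    }
    $thumbprintIIS = [string]$binding.CertificateHash

    $hostname = $binding.Host
    if (-not [string]::IsNullOrWhiteSpace($hostname)) {
        $url = "https://$hostname/"
        Write-Host "URL for site $siteName is $url" -ForegroundColor Green
    } else {
        Write-Host "No hostname specified for the HTTPS binding of site $siteName. It might be using IP address for binding." -ForegroundColor Yellow
    }

    if (-not (Test-Path -LiteralPath $jsonPath)) {
        Write-Host "Configuration file not found: $jsonPath" -ForegroundColor Red
        Pause
        return
    }
    $rawJson = Get-Content -LiteralPath $jsonPath -Raw

    # Repair common quoting mistakes around the thumbprint before parsing.
    $repairedJson = RepairThumbprintQuoting -rawJson $rawJson
    $corrected = ($repairedJson -ne $rawJson)

    try {
        $jsonContent = $repairedJson | ConvertFrom-Json -ErrorAction Stop
    } catch {
        Write-Host "Unable to parse $jsonPath as JSON: $($_.Exception.Message)" -ForegroundColor Red
        Pause
        return
    }

    $storeLocation = $jsonContent.AppSettings.SigningCredentialSettings.StoreLocation
    $thumbprintJSON = $storeLocation.Name

    if ($null -eq $thumbprintJSON -and $corrected) {
        Write-Host "Attempted to correct thumbprint format, but the corrected value is still null. Manual intervention required." -ForegroundColor Red
        Pause
        return
    }

    # Thumbprints are hex strings: compare case-insensitively and ignore
    # whitespace that may have crept into the JSON value.
    if ($thumbprintIIS.Trim() -ieq ([string]$thumbprintJSON).Trim()) {
        Write-Host "Correct Thumbprint" -ForegroundColor Green
        Start-Sleep -Seconds 3
        return
    }

    Write-Host "Invalid thumbprint in JSON file, do you want to update it? (Y/N)" -ForegroundColor Yellow
    $response = Read-Host
    if ($response -ine 'Y') {
        Write-Host "Process terminated without updating the thumbprint." -ForegroundColor Yellow
        return
    }

    if ($null -eq $storeLocation) {
        Write-Host "AppSettings.SigningCredentialSettings.StoreLocation is missing from the JSON file. Manual intervention required." -ForegroundColor Red
        Pause
        return
    }

    # Backup the original file to the Desktop only when it is about to change.
    # NOTE(review): the file may hold more than the thumbprint (e.g. connection
    # strings); the backup inherits the Desktop's ACL — confirm that is acceptable.
    $desktopPath = [System.Environment]::GetFolderPath("Desktop")
    $backupPath = Join-Path $desktopPath "appsettings.Production.backup.json"
    Copy-Item -LiteralPath $jsonPath -Destination $backupPath

    # Update the thumbprint in the parsed document ($storeLocation is a
    # reference into $jsonContent, so the whole document is updated).
    $storeLocation.Name = $thumbprintIIS

    # ConvertTo-Json re-serialises the whole document; -Depth 10 must cover the
    # deepest nesting or deeper objects are flattened to strings (TODO confirm
    # 10 is enough for this file). Set-Content writes with its host's default
    # encoding. The original's "-replace ' ', ' '" was a no-op and is dropped.
    $formattedJson = $jsonContent | ConvertTo-Json -Depth 10
    Set-Content -LiteralPath $jsonPath -Value $formattedJson -Force
    Write-Host "Thumbprint updated successfully in the JSON file." -ForegroundColor Green

    Write-Host "After updating the JSON file, an IISRESET is required. Do you want to proceed? (Y/N)" -ForegroundColor Yellow
    $response = Read-Host
    if ($response -ine 'Y') {
        Write-Host "Operation terminated without performing IIS reset." -ForegroundColor Yellow
        return
    }

    try {
        Write-Host "IISRESET in process.." -ForegroundColor Yellow
        # iisreset is a native executable: an "Access denied" failure sets a
        # non-zero exit code but raises no PowerShell exception, so the exit
        # code is checked explicitly (catch still handles a missing iisreset).
        iisreset
        if ($LASTEXITCODE -ne 0) {
            Write-Host "Error: iisreset exited with code $LASTEXITCODE." -ForegroundColor Red
            Write-Host "You need administrative privileges to perform an IIS reset." -ForegroundColor Red
            return
        }
        # Open the site in the default browser; $url already carries the
        # scheme (the original prepended "https://" a second time).
        if (-not [string]::IsNullOrWhiteSpace($url)) {
            Start-Process $url
        }
    } catch {
        # $($_.Exception.Message): the original "$_.Exception.Message" only
        # expanded $_ and printed ".Exception.Message" literally.
        Write-Host "Error: $($_.Exception.Message)" -ForegroundColor Red
        if ($_.Exception.Message -like "*Access denied*") {
            Write-Host "You need administrative privileges to perform an IIS reset." -ForegroundColor Red
        }
    }
}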

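function GrantPrivateKeyAccess {
    <#
    .SYNOPSIS
    Ensures the IIS_IUSRS group has access to the private key of the
    certificate bound to the site's HTTPS binding.
    .NOTES
    Must run elevated: Set-Acl on a machine key file requires it.
    Only CSP (legacy RSA) keys stored under
    ProgramData\Microsoft\Crypto\RSA\MachineKeys are handled; a CNG key exposes
    no CspKeyContainerInfo and is reported as "no associated private key" —
    TODO confirm this is acceptable for the certificates in use.
    Returns to the menu on every path; it never exits the script.
    #>
    $thumbprint = GetThumbprintFromIIS
    if ([string]::IsNullOrWhiteSpace($thumbprint)) {
        Write-Host "No HTTPS binding found; cannot determine the certificate thumbprint." -ForegroundColor Red
        Pause
        return
    }

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint } |
        Select-Object -First 1
    if ($null -eq $cert) {
        Write-Host "Certificate not found." -ForegroundColor Red
        Pause
        return
    }

    $privateKeyPath = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if ($null -eq $privateKeyPath) {
        Write-Host "The certificate does not have an associated private key." -ForegroundColor Red
        Pause
        return
    }

    $keyPath = Join-Path -Path $env:ProgramData -ChildPath "Microsoft\Crypto\RSA\MachineKeys\$privateKeyPath"
    if (-not (Test-Path -LiteralPath $keyPath)) {
        Write-Host "Private key file not found: $keyPath" -ForegroundColor Red
        Pause
        return
    }
    $acl = Get-Acl -Path $keyPath

    # The resolved IdentityReference is "BUILTIN\IIS_IUSRS", so the original
    # exact comparison against 'IIS_IUSRS' never matched and a new rule was
    # appended on every run. Match on the account name regardless of prefix.
    $existingRule = $acl.Access |
        Where-Object { $_.IdentityReference.Value -like '*IIS_IUSRS' }

    if ($existingRule) {
        Write-Host "IIS_IUSRS already has access to the certificate's private key." -ForegroundColor Green
        Pause
        return
    }

    # NOTE(review): FullControl is broader than the worker process needs to
    # use the key (Read is normally sufficient). Kept as the original granted
    # it; consider tightening to "Read".
    $permission = "IIS_IUSRS", "FullControl", "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.AddAccessRule($accessRule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Host "Access granted to IIS_IUSRS for the certificate's private key." -ForegroundColor Green
    Pause
}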

function CheckIISStatus {
    <#
    .SYNOPSIS
    Reports whether the given IIS site is started.
    .PARAMETER siteName
    Name of the IIS site to inspect; defaults to "UiPath Orchestrator".
    .NOTES
    Writes its result to the console only; not invoked by the menu below.
    #>
    param (
        [string]$siteName = "UiPath Orchestrator"
    )

    try {
        $matchingSite = Get-Website | Where-Object { $_.Name -eq $siteName }

        if ($null -eq $matchingSite) {
            Write-Host "Site $siteName not found in IIS." -ForegroundColor Red
            return
        }

        $isStarted = ($matchingSite.State -eq "Started")
        if ($isStarted) {
            Write-Host "Site up and running!" -ForegroundColor Green
        } else {
            Write-Host "Error: Site not working." -ForegroundColor Red
            Write-Host "Reason: $($matchingSite.State)" -ForegroundColor Yellow
        }
        # Both outcomes pause briefly so the message is readable before the
        # menu clears the screen.
        Start-Sleep -Seconds 3
    } catch {
        Write-Host "Error encountered while checking site status: $_" -ForegroundColor Red
        Start-Sleep -Seconds 3
    }
}

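# Main loop for menu.
# $choice replaces the original $input, which is a PowerShell automatic
# variable (the pipeline enumerator) and should not be assigned to.
do {
    Clear-Host
    Write-Host "Please select an option:"
    Write-Host "1 - Private Key access"
    Write-Host "2 - Thumbprint validation"
    Write-Host "3 - All process"
    Write-Host "Q - Quit"
    $choice = Read-Host "Enter your choice"

    switch ($choice) {
        '1' {
            GrantPrivateKeyAccess
        }
        '2' {
            ValidateThumbprint
        }
        '3' {
            GrantPrivateKeyAccess
            ValidateThumbprint
        }
        'Q' {
            # 'break' only leaves the switch; the while condition ends the loop.
            break
        }
        default {
            # Unknown input previously redrew the menu silently; give the
            # operator a moment to see why nothing happened.
            Write-Host "Unknown option '$choice'. Please choose 1, 2, 3 or Q." -ForegroundColor Yellow
            Start-Sleep -Seconds 2
        }
    }
} while ($choice -ne 'Q')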