Orchestrator Mobile User Guide
Last updated Nov 13, 2023

IOS - Root Certificate Authority

Overview

While connecting to your Orchestrator instance using the Orchestrator app on an iOS mobile device, you may run into an SSL or ATS (App Transport Security) certificate issue.


The procedure below resolves this issue by installing and trusting the root SSL certificate directly on your iOS mobile device.

Finding the Root Certificate Authority

The first step in fixing the certificate issue is to ensure your iOS mobile device sees the Root Certificate Authority of your Orchestrator instance. This helps your iOS mobile device to correctly identify and import the certificate.

On the machine that hosts your Orchestrator installation:

  1. Open Internet Information Services (IIS) Manager.
  2. Navigate to Sites > UiPath Orchestrator.
  3. On the right side, in the Actions panel, click Bindings.... The Site Bindings window opens.
  4. Select your Orchestrator instance binding URL and click Edit.... The Edit Site Binding window opens.
  5. The SSL certificate field displays the name of your Orchestrator certificate. For more details about it, click View....
  6. Switch to the Details tab. Locate the Issuer and Subject fields. There are two cases:

    • The Issuer and Subject values are the same: The SSL certificate selected at step 5 is your Root Certificate. Continue with Exporting the Root Certificate Authority, as described below.
    • The Issuer and Subject values are different: The SSL certificate selected at step 5 is not your Root Certificate. In this case, continue with the procedure below.

To find the Root Certificate using the Certificate Manager:

  1. Open the Run command window, type certmgr.msc, and press OK.
  2. Navigate to Trusted Root Certification Authorities > Certificates. Search for the certificate that matches the Issuer from the previous procedure (step 6).
  3. Double-click the certificate to open the Certificate window.
  4. Switch to the Details tab. In the properties list, select Basic Constraints. There are two cases:

    • The bottom panel displays Subject Type=CA: Your Root Certificate Authority is configured correctly. Jump to the section Exporting the Root Certificate Authority.
    • The bottom panel does not display Subject Type=CA: You need to create a new certificate (see below) that includes the Root Certificate Authority, import it to the certificate stores (see below), and set it to your Orchestrator instance (see below).
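The two manual checks above (Issuer equals Subject, and Basic Constraints showing Subject Type=CA) can also be scripted. The following is an added example, not part of the original guide or UiPath's own code; `$Thumbprint` and the `Test-IsCa` helper are hypothetical names, and it assumes the site certificate is in the Local Machine stores, which is where IIS reads it from.

```powershell
# Added example (not UiPath's code). $Thumbprint is a placeholder for the
# thumbprint of the certificate selected in the IIS site binding (step 5).
param([Parameter(Mandatory)][string]$Thumbprint)

function Test-IsCa {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Basic Constraints is extension OID 2.5.29.19; the Certificate window
    # renders cA=true as "Subject Type=CA".
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.19' } |
        Select-Object -First 1
    if (-not $ext) { return $false }   # extension missing: not marked as a CA
    # Decode the raw extension bytes into the typed Basic Constraints object.
    $bc = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($ext, $ext.Critical)
    return $bc.CertificateAuthority
}

# The certificate bound to the Orchestrator site (Personal store, Local Machine).
$siteCert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

if ($siteCert.Subject -eq $siteCert.Issuer) {
    # Issuer and Subject are the same: the bound certificate is itself the root.
    $candidates = @($siteCert)
} else {
    # Otherwise look for the issuer in Trusted Root Certification Authorities.
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $siteCert.Issuer })
}

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with subject '$($siteCert.Issuer)' found in Trusted Root Certification Authorities."
    return
}

foreach ($root in $candidates) {
    [pscustomobject]@{
        Subject    = $root.Subject
        Thumbprint = $root.Thumbprint
        NotAfter   = $root.NotAfter
        SelfSigned = ($root.Subject -eq $root.Issuer)
        IsCA       = (Test-IsCa -Cert $root)   # must be True before exporting for iOS
    }
}
```

A row with `IsCA` set to False corresponds to the second case above, where a new certificate has to be created.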

To create a Root Certificate Authority:

Use PowerShell to create a new certificate. It is important to include -TextExtension @("2.5.29.19={text}cA=true") in the script.

Sample script

# Root CA: the Basic Constraints extension (OID 2.5.29.19) must carry cA=true
$rootcert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ROOT-CA-NAME-HERE -KeySpec KeyExchange -HashAlgorithm "SHA256" -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable -TextExtension @("2.5.29.19={text}cA=true")
$rootpwd = ConvertTo-SecureString -String 'PUT-PASSWORD-HERE' -Force -AsPlainText
$rootpath = 'cert:\localMachine\my\' + $rootcert.thumbprint
# Export the root CA, including its private key, to a password-protected .pfx
$rootCA = Export-PfxCertificate -cert $rootpath -FilePath c:\Users\uipath\Desktop\root-cert.pfx -Password $rootpwd

# Server certificate for Orchestrator, signed by the root CA created above
$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname DNS-NAME-HERE -KeySpec KeyExchange -HashAlgorithm "SHA256" -Signer $rootcert
# Named $certpwd rather than $pwd, which is PowerShell's automatic current-location variable
$certpwd = ConvertTo-SecureString -String 'PUT-PASSWORD-HERE' -Force -AsPlainText
$path = 'cert:\localMachine\my\' + $cert.thumbprint
Export-PfxCertificate -cert $path -FilePath c:\Users\uipath\Desktop\signed-cert.pfx -Password $certpwd

If you want to create a Root Certificate Authority that signs a separate certificate, use the script template below:

# Root CA: the Basic Constraints extension (OID 2.5.29.19) must carry cA=true
$rootcert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ROOT-CA-NAME-HERE -KeySpec KeyExchange -HashAlgorithm "SHA256" -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable -TextExtension @("2.5.29.19={text}cA=true")
$rootpwd = ConvertTo-SecureString -String 'PUT-PASSWORD-HERE' -Force -AsPlainText
$rootpath = 'cert:\localMachine\my\' + $rootcert.thumbprint
# Export the root CA, including its private key, to a password-protected .pfx
$rootCA = Export-PfxCertificate -cert $rootpath -FilePath c:\Users\uipath\Desktop\root-cert.pfx -Password $rootpwd

# Separate certificate for Orchestrator, signed by the root CA created above
$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname DNS-NAME-HERE -KeySpec KeyExchange -HashAlgorithm "SHA256" -Signer $rootcert
# Named $certpwd rather than $pwd, which is PowerShell's automatic current-location variable
$certpwd = ConvertTo-SecureString -String 'PUT-PASSWORD-HERE' -Force -AsPlainText
$path = 'cert:\localMachine\my\' + $cert.thumbprint
Export-PfxCertificate -cert $path -FilePath c:\Users\uipath\Desktop\signed-cert.pfx -Password $certpwd

To import the certificate:

  1. Double-click on the .PFX file created by the PowerShell script. The Certificate Import Wizard opens.
  2. Select Local Machine and click Next.
  3. On the Certificate Store page of the wizard, select Place all certificates in the following store, set the Certificate store to Personal, and click Next.
  4. Finish the import.
  5. Repeat the steps above, but this time set the Certificate store from step 3 to Trusted Root Certification Authorities.

After you import the new certificate into both certificate stores, set it to your Orchestrator instance.

To set the new certificate to Orchestrator:

  1. Open Internet Information Services (IIS) Manager.
  2. Navigate to Sites > UiPath Orchestrator.
  3. On the right side, in the Actions panel, click Bindings.... The Site Bindings window opens.
  4. For each site binding, click Edit.... The Edit Site Binding window opens.
  5. From the SSL certificate field, select the new certificate and click OK.

    Important: Make sure to update the certificate for every site binding.
  6. After you update all bindings, click Restart from the Actions panel.

Exporting the Root Certificate Authority

With the certificate properly configured, you need to export it to a format that your iOS mobile device recognizes.

  1. Open the Run command window, type certmgr.msc, and press OK.
  2. Navigate to Trusted Root Certification Authorities > Certificates and search for your Orchestrator certificate.
  3. Right-click on it and select All Tasks > Export.... The Certificate Export Wizard opens.
  4. Opt for the DER encoded binary X.509 (.CER) export format.
  5. Finish the export.

Trusting the Certificate

You can send the .CER file to your iOS mobile device. Tapping on the received file starts the certificate download. You are prompted by the following message:


To trust the certificate on your iOS mobile device:

  1. Go to Settings > General > Profile. The certificate is displayed under DOWNLOADED PROFILE.
  2. Click on the certificate and Install it. This verifies the certificate.
  3. Click Done and go back to the General page.
  4. Go to About > Certificate Trust Settings. The newly installed certificate is displayed under ENABLE FULL TRUST FOR ROOT CERTIFICATES. If you don't see the certificate, make sure the Basic Constraints certificate property has Subject Type=CA.
  5. If the certificate toggle is OFF, set it to ON.
