UiPath Automation Suite

The UiPath Automation Suite Guide

Configuring the certificates

Certificate requirements


Automation Suite requires two certificates at the time of installation.

  • Server certificate — required for TLS communication between the client and the cluster;
  • Identity token-signing certificate — required to sign the authentication token.

The installation process generates self-signed certificates on your behalf, but we recommend updating these with certificates signed by a trusted certificate authority as soon as installation completes.

Note: Aside from the above certificates, you may need to provide additional trusted CA certificates if you want the cluster to trust external services. Example: SQL Server CA Certificate, SMTP Server CA Certificate, etc.

 

Server certificate requirements


The server certificate must meet the following requirements:

  • The file format should be .pem, i.e., a Base64-encoded DER certificate;
  • The private key length should be at least 2048 bits;
  • Extended Key Usage: TLS Web Server Authentication; required for accessing Automation Suite on iOS devices;
  • The certificate key must be decrypted. If the key is encrypted, run the following command to decrypt it:
# Replace /path/to/encrypted/cert/key with the absolute file path of the encrypted key
# Replace /path/to/decrypt/cert/key with the path where the decrypted key should be stored
# When prompted, enter the passphrase or password to decrypt the key

openssl rsa -in /path/to/encrypted/cert/key -out /path/to/decrypt/cert/key
  • The certificate should have a Subject Alternative Name for all the DNS entries required for installing Automation Suite. If the FQDN for the cluster is automationsuite.mycompany.com, the certificate SAN should have the following DNS entries:
    • automationsuite.mycompany.com
    • *.automationsuite.mycompany.com

Note: Alternatively, if the * wildcard is too generic, make sure you have SAN entries for the following DNS names:

  • automationsuite.mycompany.com
  • alm.automationsuite.mycompany.com
  • monitoring.automationsuite.mycompany.com
  • registry.automationsuite.mycompany.com
  • objectstore.automationsuite.mycompany.com
  • insights.automationsuite.mycompany.com
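The server certificate requirements above can be checked before the files are handed to the installer. The following is an added example, not part of the UiPath guide or tooling: `check_server_cert` is a hypothetical helper name, it assumes `openssl` is on the PATH, and it reads the key length from the certificate's public key.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of a server certificate and key against the
# requirements listed on this page. check_server_cert is a hypothetical helper.
# Usage: check_server_cert <cert.pem> <key.pem> <cluster-fqdn>

check_server_cert() {
  local cert=$1 key=$2 fqdn=$3 fail=0 text bits sans name
  note() { echo "FAIL: $*" >&2; fail=1; }

  # File format: PEM, i.e. Base64-encoded DER between BEGIN/END markers.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || note "certificate is not PEM"
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
    { note "cannot parse certificate"; return 1; }

  # Key length of at least 2048, read from the certificate's public key.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || note "key length ${bits:-unknown} is below 2048"

  # Extended Key Usage must include TLS Web Server Authentication.
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' ||
    note "EKU lacks TLS Web Server Authentication"

  # The key must be decrypted; encrypted PEM keys carry one of these markers.
  if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
    note "private key is encrypted"
  elif [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
    note "private key does not match the certificate"
  fi

  # SAN: the FQDN plus either the wildcard or every per-service name.
  sans=$(printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
  has_san() { printf '%s\n' "$sans" | grep -Fxq -- "$1"; }
  has_san "$fqdn" || note "SAN lacks $fqdn"
  if ! has_san "*.$fqdn"; then
    for name in alm monitoring registry objectstore insights; do
      has_san "$name.$fqdn" || note "SAN lacks $name.$fqdn (no wildcard entry)"
    done
  fi
  return "$fail"
}
```

The function returns 0 when every check passes and prints one `FAIL:` line per unmet requirement otherwise. Because the key file has to be stored decrypted, keep it readable only by the account that runs the installer.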

 

Server certificate files


Automation Suite requires three files at the time of installation, as follows:

  • Server / TLS certificate file — the server’s public certificate file.
  • Server / TLS key file — private key file for the server certificate.
  • Certificate Authority Bundle — the public certificate of the CA that signed or issued the server certificate.

 

Identity token-signing certificate


Automation Suite has the following requirements in terms of token-signing certificates at the time of installation:

  • The file format should be pkcs12 to sign the authentication token;
  • The password for signing the certificate is required.

If an identity token-signing certificate is not provided, Automation Suite uses the server certificates to generate one at the time of installation.

 

Configuring the certificates


We generate certificates on your behalf at installation time, so no configuration is needed.

They have a 90-day lifecycle, so you need to update them within that time. However, we strongly recommend that you update those certificates as soon as installation completes.

 

Updating cluster certificates


Note: We recommend that the certificates you bring are signed by a trusted certificate authority.

If a trusted certificate is not provided, a few additional steps are required to access Automation Suite with a self-signed certificate.

The installation bundle provides a cluster management tool that enables you to update certificates post-installation.

To access it, navigate to the location of the installer bundle:

cd /opt/UiPathAutomationSuite/

  • Manage server certificates
  • Manage identity token signing certificates
  • Manage additional CA certificates

 

Accessing a cluster that uses self-signed certificates


If you are using a self-signed certificate, take the following steps to access the cluster:

Add the CA (Certificate Authority) bundle certificate to the trust store of the following machines:

  • Client machine
    • Machine on which the robot will run
    • Machine from which you will access Automation Suite in the browser
  • First server machine (requirement for air-gapped)
    • Machine on which the air-gapped bundle will be downloaded and extracted

Use the following command to add the certificate to the trust store of the RHEL machine.

sudo cp --remove-destination rootCA.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
