Automation Suite requires two certificates at the time of installation.
- Server certificate — required for TLS communication between the client and the cluster;
- Identity token-signing certificate — required to sign the authentication token.
The installation process generates self-signed certificates on your behalf, but we recommend updating these with certificates signed by a trusted certificate authority as soon as installation completes.
Aside from the above certificates, you may need to provide additional trusted CA certificates if you want the cluster to trust external services. Example: SQL Server CA Certificate, SMTP Server CA Certificate, etc.
The server certificate must meet the following requirements:
- File format should be .pem, i.e., Base64 encoded DER certificate;
- Private key length should be at least 2048;
- Extended Key Usage: TLS Web Server Authentication; required for accessing Automation Suite on iOS devices;
- Certificate key must be decrypted. If the key is encrypted, run the following command to decrypt it:
  ```
  # Replace /path/to/encrypted/cert/key with the absolute file path of the encrypted key
  # Replace /path/to/decrypt/cert/key with the path where the decrypted key is to be stored
  # When prompted, enter the passphrase or password to decrypt the key
  openssl rsa -in /path/to/encrypted/cert/key -out /path/to/decrypt/cert/key
  ```
- Should have Subject Alternative Name for all the DNS entries required for installing Automation Suite. If the FQDN for the cluster is automationsuite.mycompany.com, the certificate SAN should have the following DNS:
Alternatively, if the * wildcard is too generic, make sure you have SAN entries for the following DNS:
Automation Suite requires three files at the time of installation, as follows:
- Server / TLS certificate file — the server’s public certificate file.
- Server / TLS key file — private key file for the server certificate.
- Certificate Authority Bundle — the public certificate of the CA that is used to sign or issue the server certificate.
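The server certificate requirements listed above (PEM format, key length, Extended Key Usage, unencrypted key, SAN entries) can be checked before installation. The script below is an added example, not part of the Automation Suite installer bundle; its function names and the constructed self-signed sample produced by make_sample are assumptions, and it needs the openssl CLI.

```bash
#!/usr/bin/env bash
# Added example (function names are hypothetical). Needs the openssl CLI.

# PEM: the file carries a Base64 "BEGIN CERTIFICATE" block rather than raw DER bytes.
cert_is_pem() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }

# An encrypted key is PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy PEM with "Proc-Type: 4,ENCRYPTED".
key_is_encrypted() { grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"; }

# Key size in bits, parsed from the "Public-Key: (N bit)" line of the text dump.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1
}

# Extended Key Usage includes TLS Web Server Authentication.
cert_has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Literal match of one DNS SAN entry; a wildcard entry only matches when asked for verbatim.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' |
    sed 's/^DNS://; s/[[:space:]]*$//' | grep -Fxq -- "$2"
}

# Run every check, print one line per failed requirement, return non-zero if any failed.
check_server_cert() {  # args: cert.pem key.pem dns-name...
  local cert=$1 key=$2 rc=0 name; shift 2
  cert_is_pem "$cert"          || { echo "FAIL: certificate is not PEM"; rc=1; }
  ! key_is_encrypted "$key"    || { echo "FAIL: private key is encrypted"; rc=1; }
  [ "$(cert_key_bits "$cert")" -ge 2048 ] 2>/dev/null || { echo "FAIL: key length below 2048"; rc=1; }
  cert_has_server_auth "$cert" || { echo "FAIL: EKU lacks TLS Web Server Authentication"; rc=1; }
  for name in "$@"; do
    cert_has_san "$cert" "$name" || { echo "FAIL: SAN lacks DNS:$name"; rc=1; }
  done
  return "$rc"
}

# Constructed sample: self-signed RSA-2048 certificate with SAN and serverAuth EKU, for a dry run.
make_sample() {  # arg: existing output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=automationsuite.mycompany.com" \
    -addext "subjectAltName=DNS:automationsuite.mycompany.com" \
    -addext "extendedKeyUsage=serverAuth" -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Usage: ./check_cert.sh server.crt server.key automationsuite.mycompany.com
[ "$#" -lt 2 ] || check_server_cert "$@"
```

Pass every DNS name your installation requires as trailing arguments; each one is compared literally against the certificate's SAN entries.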
Automation Suite has the following requirements in terms of token-signing certificates at the time of installation:
- File format should be pkcs12 to sign the authentication token;
- Password for signing the certificate is required.
If an identity token-signing certificate is not provided, Automation Suite uses the server certificate to generate one at the time of installation.
We generate certificates on your behalf at installation time, so no configuration is needed.
They have a 90-day lifecycle, so you need to update them within that time. However, we strongly recommend that you update those certificates as soon as installation completes.
We recommend that the certificates you bring are signed by a trusted certificate authority.
If a trusted certificate is not provided, a few additional steps are required to access Automation Suite with a self-signed certificate.
The installation bundle provides a cluster management tool that enables you to update certificates post-installation.
To access it, navigate to the location of the installer bundle:
If you are using a self-signed certificate, take the following steps to access the cluster:
You need to add the CA (Certificate Authority) bundle certificate to the trust store of the following:
- Client machine
- Machine on which the robot will run
- Machine on which you will access Automation Suite from the browser.
- First server machine (requirement for air-gapped)
- Machine on which air-gapped bundle will be downloaded and extracted.
Use the following command to add the certificate to the trust store of the RHEL machine.
```
sudo cp --remove-destination rootCA.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
```