UiPath Installation and Upgrade

The UiPath Installation and Upgrade Guide

Using a Certificate for the HTTPS Protocol

Importing an Acquired Web Certificate

This is the most secure method because the certificate is issued by a trusted Certification Authority. The certificate needs to be imported in IIS.

The Personal certificate store is where the Windows installer searches for the certificate based on the name you provided when prompted.

🚧

Important!

Changing the IIS SSL certificate used by Orchestrator is not automatically supported. In addition to changing the certificate in the IIS binding, you must also:

  1. Change the certificate subject in Registry: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\UiPath\UiPath Orchestrator\CertificateSubject
  2. For Orchestrator v2020.4+ change the certificate thumbprint in the OrchestratorRoot\Identity\appSettings.Production.json file (in AppSettings\SigningCredentialSettings\StoreLocation\Name).
  3. Run the script provided here.
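The three places listed above must all refer to the same certificate. The following PowerShell check is an added example, not a script from the UiPath guide; it assumes the site is named 'UiPath Orchestrator', that the install root is the default path below, and that the registry CertificateSubject value holds the certificate's Common Name.

```powershell
# Added example (not from the UiPath guide): after swapping the IIS certificate, confirm
# that the HTTPS binding, the registry CertificateSubject value and the Identity Server
# signing-credential thumbprint all point at the same certificate.
Import-Module WebAdministration

function Test-OrchestratorCertConsistency {
    param(
        [string]$SiteName = 'UiPath Orchestrator',
        # Assumed default install root; change to your OrchestratorRoot
        [string]$OrchestratorRoot = 'C:\Program Files (x86)\UiPath\Orchestrator'
    )
    # 1. Certificate actually presented by the site's HTTPS binding
    $binding = Get-ChildItem IIS:\SSLBindings |
        Where-Object Sites -eq $SiteName |
        Select-Object -First 1
    if (-not $binding) { throw "No SSL binding found for site '$SiteName'" }
    $cert = Get-Item "Cert:\LocalMachine\My\$($binding.Thumbprint)"

    # 2. Subject the installer recorded in the registry (path from the guide)
    $reg = Get-ItemProperty 'HKLM:\SOFTWARE\WOW6432Node\UiPath\UiPath Orchestrator'
    $regSubject = $reg.CertificateSubject

    # 3. Thumbprint Identity Server signs tokens with (v2020.4+)
    $jsonPath = Join-Path $OrchestratorRoot 'Identity\appSettings.Production.json'
    $settings = Get-Content $jsonPath -Raw | ConvertFrom-Json
    $identityThumb = $settings.AppSettings.SigningCredentialSettings.StoreLocation.Name

    # Report: every *Match field should be True; ChainValid False means clients
    # will see certificate warnings, HasPrivateKey False means IIS cannot serve TLS
    [pscustomobject]@{
        BoundThumbprint      = $cert.Thumbprint
        Subject              = $cert.Subject
        ExpiresOn            = $cert.NotAfter
        HasPrivateKey        = $cert.HasPrivateKey
        ChainValid           = $cert.Verify()
        RegistrySubjectMatch = ($cert.Subject -like "*$regSubject*")
        IdentityThumbMatch   = ($identityThumb -ieq $cert.Thumbprint)
    }
}

Test-OrchestratorCertConsistency | Format-List
```

Run it in an elevated PowerShell session on the Orchestrator server; a False in any of the match fields identifies which of the three locations was not updated.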

Creating a Domain Certificate on the Web Application Server

An explanation on how to create a Domain Certificate to enable the HTTPS protocol for the communication between the Robots and Orchestrator can be found in the procedures below.

In order to create a Domain Certificate, you need to install the Active Directory Certificate Services (Certification Authority) server role on a server in the domain - usually, on the Domain Controller, but not necessarily.

It is preferable to use a Domain Certificate rather than a self-signed one because no certificate has to be installed on Robot computers in the former case. The Domain Certificate is trusted by all the computers in the domain.

  1. Open IIS Manager.
  2. Select the local machine.
  3. Open Server Certificates.
  4. In the Actions panel, click Create Domain Certificate. The Create Certificate window is displayed.
  5. Provide all the required information - all the fields are mandatory.

📘

Note:

The pattern of the input that has to be provided in the Common name field is hostname.full_domain_name. The full domain name is found in the System window in the Domain field.

In this example, the Common name is documentation.deskover.local.

  6. Click Next. The Online Certification Authority page is displayed.
  7. Click the Select button. A list of certificates is displayed.
  8. Select a certificate from the list.

🚧

Important!

If the list does not contain any item, here are some possible explanations:
You have not requested a certificate for the domain from a certificate authority yet.
The certification authority did not issue any certificate.
The application server, or the machine on which Orchestrator is installed, has been added to the domain too recently. Not all the domain policies have been applied on this computer. You can either wait or force the domain policy update.

  9. Provide a friendly name, such as OrchestratorCertificate, and then click Finish.

🚧

Important!

If you perform the actions above before installing Orchestrator, type the input entered previously in the Common name field when prompted for the certificate name during the installation process.

If Orchestrator has already been installed, change the Orchestrator site binding from HTTP to HTTPS by completing the following steps:

  1. In the Actions panel, click the Bindings button. The Site Bindings window is displayed.
  2. Click Add. The Add Site Binding window is displayed.
  3. From the Type drop-down list, select the HTTPS protocol.
    If necessary, change the value in the Port field from the default to a different one. Subsequently, the port has to be opened in the firewall as well.
  4. From the SSL Certificates drop-down list, select the name of the certificate.
  5. Click OK. Your settings are saved and the Add Site Binding window closes.
  6. In the Site Bindings window, remove the HTTP protocol from the list.

In any browser, the Orchestrator URL you need to use contains the FQDN, which is https://orchdom1.deskover.local in this example.

In the Robot Settings window, use the FQDN name preceded by HTTPS, as in the screenshot below.

No certificate needs to be installed on the Robot machines because the domain certificate is trusted by all the computers in the domain.

Creating a Self-Signed Security (SSL) Certificate and Deploying it to Client Machines

Creating a Self-Signed Certificate in IIS

  1. Open IIS Manager and select the local machine.
  2. Double-click the Server Certificates folder in the Features View. The Features View is updated accordingly.
  3. In the Actions panel, click Create Self-Signed Certificate.
  4. Enter the friendly name of the certificate. In this example, the name is OrchestratorCertificate.
  5. The Personal option in the certificate store section does not need to be changed, so you can proceed by clicking OK. The certificate is displayed in the Server Certificates list. The Issued To column contains the fully qualified domain name (FQDN) of the current server.

All the Robots that connect to Orchestrator should use the FQDN.

The IIS server now contains the certificate, which is used by the Robots to communicate with Orchestrator securely. The public key of the certificate needs to be extracted and placed in a .cer file. That certificate file has to be copied to each Robot machine and installed there. The section below describes how to export the public key of the self-signed certificate.

Exporting Self-Signed Certificates

  1. Press Windows + R and type CERTLM.msc. The Certificates (Local Machine) console is displayed.
  2. Expand the Personal folder and click Certificates. The list of certificates is displayed in the main panel.
  3. Right-click your certificate and select All Tasks > Export. You are prompted to export the private key.
  4. Select No and click Next. The Certificate Export Wizard window is displayed.
  5. Click Next. The Export Private Key step is displayed.
  6. The default option for the file format is DER encoded binary X.509 (.CER). It does not need to be changed, so proceed by clicking Next.
  7. Enter the location where the certificate file should be exported.
  8. Confirm your settings by clicking Finish.
  9. Copy the exported certificate with the public key to the Robot machines.

To change the Orchestrator site binding from HTTP to HTTPS:

  1. Click Add. The Add Site Binding window is displayed.
  2. From the Type drop-down list, select HTTPS.
    If necessary, change the value in the Port section from the default to a different one. Subsequently, the port has to be opened in the firewall as well.
  3. From the SSL certificate drop-down list, select the self-signed certificate and click OK. Note that the friendly name is displayed.
  4. Remove the HTTP protocol from the Site Bindings list.

In any browser, the Orchestrator URL you need to use contains the FQDN, which is https://orchdom1.deskover.local in this example.

Installing Self-Signed Certificates

Follow the steps below to install the public key of the self-signed certificate on the Robot machines.

  1. Right-click your certificate and select Install Certificate. The Certificate Import Wizard window is displayed.
  2. Select Local Machine and click Next.
  3. Click Yes to allow this app to make changes to your PC. The Certificate Import Wizard window is displayed.

If the Local Machine option or the Certificate Import Wizard window is not displayed, perform steps 3.1 to 3.11. Otherwise, you can move on to step 4.
3.1. Start MMC.exe.
3.2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-in window is displayed.
3.3. Double-click Certificates. The Certificates Snap-in window is displayed.
3.4. Select the Computer account option and click Next. The Select Computer step is displayed.
3.5. Select Local computer and click Finish. The Certificates Snap-in window closes.
3.6. In the Add or Remove Snap-in window, click OK. Your settings are saved, and the Certificates for the Local Computer are displayed in the Microsoft Management Console.
3.7. Ensure the Certificates node contains the "(Local Computer)" phrase. Expand the Trusted Root Certification Authorities folder and click Certificates.
3.8. Right-click Certificates and select All Tasks > Import. The Certificate Import Wizard window is displayed, confirming that you are importing the certificate into the Local Machine store. If the certificate is not imported into the Local Machine store, it is not recognized by the Robot.
3.9. Click Next. A field that enables you to browse for the certificate is displayed.
3.10. Select the file to be imported and click Next. The Certificate Store step is displayed, which confirms that you are importing into Trusted Root Certification Authorities.
3.11. Click Next and then Finish. The "The import was successful." message should be displayed as in the screenshot below.
3.12. Proceed by moving on to step 9.

  4. Select Place all certificates in the following store.
  5. Click Browse and select Trusted Root Certification Authorities from the Select Certificate Store window.
  6. Click OK, followed by Next. The Select Certificate Store window closes.
  7. In the Certificate Import Wizard, click Next. The Completing the Certificate Import Wizard step is displayed.
  8. Click Finish.
  9. Log out of and back into the machine. If you are not logged on to the Robot machine with the same user as the Robot, you need to perform the logout/login with the Robot's user.
  10. In the Robot Settings window, you need to use the HTTPS protocol.
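The export procedure above (on the Orchestrator server) and the install procedure (on each Robot machine) can also be scripted. The following is an added example, not code from the UiPath guide; it assumes the friendly name OrchestratorCertificate and the FQDN orchdom1.deskover.local used in the guide's examples, and it uses the built-in PKI cmdlets Export-Certificate and Import-Certificate.

```powershell
# Added example (not from the UiPath guide): export the self-signed certificate's
# public part on the Orchestrator server, then trust it on a Robot machine and
# confirm the chain validates. Run the first function on the server, the second
# (elevated) on each Robot.

# Server side: export the public certificate only, never the private key.
function Export-OrchestratorPublicCert {
    param(
        [string]$FriendlyName = 'OrchestratorCertificate',          # name given in IIS
        [string]$OutFile = "$env:TEMP\OrchestratorCertificate.cer"  # assumed output path
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object FriendlyName -eq $FriendlyName |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate named '$FriendlyName' in LocalMachine\My" }
    # -Type CERT writes DER-encoded X.509, the same format the export wizard defaults to
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    return $OutFile
}

# Robot side: import into the *machine* Trusted Root store (the user store is not
# enough for the Robot service), then verify the certificate now chains to a trusted root.
function Install-OrchestratorPublicCert {
    param(
        [Parameter(Mandatory)][string]$CerFile,
        [string]$OrchestratorHost = 'orchdom1.deskover.local'  # FQDN from the guide's example
    )
    $imported = Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root |
        Select-Object -First 1
    # Verify() builds a chain against the machine trust stores; it must be $true now
    if (-not $imported.Verify()) {
        throw "Certificate imported but chain validation still fails"
    }
    # Robots must connect using the name on the certificate, so flag a mismatch early
    if ($imported.Subject -notlike "*CN=$OrchestratorHost*") {
        Write-Warning "Subject '$($imported.Subject)' does not contain $OrchestratorHost; use the FQDN on the certificate in Robot Settings"
    }
    return $imported.Thumbprint
}
```

After the import, a logout/login with the Robot's user is still required, as in step 9 of the procedure above.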

Firefox – Allowing Exceptions

Firefox handles the process a bit differently, as it does not read the certificate information in the Windows store. Rather than installing certificates, it allows you to define exceptions for SSL certificates on particular sites.

When you visit a site which has a certificate error, the warning message in the screenshot below is displayed. The URL you are trying to access is displayed in the blue area. To create an exception to bypass this warning on that specific URL:

  1. Click the Add Exception button. The Add Security Exception window is displayed.
  2. In the Add Security Exception window, click Confirm Security Exception to configure this exception locally.

📘

Note:

If a particular site redirects to subdomains within itself, you may get multiple security warning prompts with slightly different URLs every time. Add exceptions for those URLs by following the steps above.

Troubleshooting Certificates

In case you encounter problems with using a certificate with UiPathOrchestrator.msi (during installation or upgrade), here is where you can start your troubleshooting:

From Control Panel:

  1. Open Manage Computer Certificates -> Personal -> Certificates. Identify your certificate and double-click it. The General tab should show information about its validity.

  2. From a command line, run the following command to diagnose the certificate: certutil -v -verifystore My <certificateThumbprint> - its summary is at the end of the output.
    Note: You can find your certificate's thumbprint in the Details tab described at Step 1.

Internal Server Error

An internal server error may occur if the IIS worker process does not have permission to read the certificate's private key. Run the following as Admin to grant the necessary permissions:

```powershell
Import-Module WebAdministration

# Find the certificate bound to the Orchestrator site in IIS
$siteName = 'UiPath Orchestrator'
$binding = (Get-ChildItem -Path IIS:\SSLBindings | Where-Object Sites -eq $siteName)[0]
$certLoc = "cert:\LocalMachine\MY\$($binding.Thumbprint)"
$cert = Get-Item $certLoc

# Locate the private key file on disk. CAPI/CSP RSA keys live under MachineKeys;
# a certificate with a CNG key stores its key elsewhere and this path will not apply.
$keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\"
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFullPath = $keyPath + $keyName

# Grant the IIS worker-process group access to the key file.
# "FullControl" is the FileSystemRights value name; "Read" is the least-privilege
# alternative and is usually sufficient for IIS to use the key.
$acl = (Get-Item $keyFullPath).GetAccessControl('Access')
$permission = "IIS_IUSRS", "FullControl", "Allow"
$accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.AddAccessRule($accessRule)
Set-Acl -Path $keyFullPath -AclObject $acl
```

Updated 2 months ago
