Solved

SSL Certificate on all Bot machines

  • 12 September 2023
  • 8 replies
  • 39 views

Badge +6

Hallo,

I have a CR (On-prem AA360 v.24) configured with a self-signed SSL certificate. There's an inconvenience in that the certificate has to be manually installed on all of the client machines.

Is there a way to somehow make this self-signed certificate trusted by the domain without it being manually installed?

Otherwise, what certificates should I get from IT (network dept) to switch to?

Would this external certificate replace the self-signed one, so that as a result the client machines would trust the CR certificate?

Greetings, Michal


Best answer by ravi.pothana 13 September 2023, 08:29


8 replies

Userlevel 2
Badge +6

Hi @MichalTurek 

Please take a look at the following documentation on how to deploy self-signed SSL certificates using GPO in your domain.

https://apeople.automationanywhere.com/s/article/How-to-Deploy-SSL-Certificate-on-a-Computers-Using-GPO   

Self-signed certificates are typically used for development and testing purposes. For production use, it is best to obtain an external certificate from a trusted certificate authority.

Please request your IT team to obtain an external certificate from a trusted certificate authority for the domain on which you have the Control Room configured.

Below is the documentation on how to import/modify the certificate from self-signed to external certificate in Control Room.

https://docs.automationanywhere.com/bundle/enterprise-v2019/page/enterprise-cloud/topics/deployment-planning/on-prem-install/cloud-config-control-room-https-import-cert.html 

For the multiple Control Rooms model, you can also provision a load balancer in front of the Control Rooms to reduce the load from the TLS handshake through hardware offloading, when supported by the load balancer.

https://docs.automationanywhere.com/bundle/enterprise-v2019/page/enterprise-cloud/topics/deployment-planning/on-prem-install/cloud-load-balancer-settings-deploy.html 

Badge +6

Thanks @ravi.pothana ,

Unfortunately I don't have access to the resource:

https://apeople.automationanywhere.com/s/article/How-to-Deploy-SSL-Certificate-on-a-Computers-Using-GPO   

Could you please provide the content of the article?

Thanks

Badge +6

@ravi.pothana one more thing,

referring to "external certificate from a trusted certificate authority", you mean the CA certificate, imported by the command:

“ - For Windows CA certificate, enter the command:

jdk11\bin\java -jar certmgr.jar -appDir "C:\Program Files\Automation Anywhere\Automation360" -importTrustCert "D:\<user name>\My Downloads\CA31.cer"

?

Userlevel 2
Badge +6

Hi @MichalTurek,

A Windows CA certificate is a certificate issued by a Microsoft Certificate Authority (CA). 

Certificate Authorities usually provide a .pfx that can be imported using the below command in A360.

jdk11\bin\java -jar certmgr.jar -appDir "C:\Program Files\Automation Anywhere\Automation360" -setServerCert "C:\Users\cradmin\Desktop\test_automationanywhere_com.pfx" -privateKeyPass <PFX Password>

In some cases, if the certificate file does not contain any intermediate certificates, then copy all the intermediate certificates to a directory on your device and use the directory path in the following command.

jdk11\bin\java -jar certmgr.jar -appDir "C:\Program Files\Automation Anywhere\Automation360" -setServerCert "<path to P12/PKCS12 certificate file>" -privateKeyPass <cert file password> -intermediateCertDir "<path to unzipped certs directory>"


Badge

Hello @MichalTurek ,

Also, to add to the above, external certificates (e.g. GoDaddy, DigiCert, etc.) are cost bound and only required if you are going to access the Control Room over the internet.

If you intend to keep the Control Room (and the whole RPA footprint) internal to your organization only, then you only need an organization-level enterprise server certificate, which is usually issued by your org's network/security team.
You can request a certificate which fulfils the following requirements. Give these parameters to your network/security team and they should be able to give you the right certificate.

https://apeople.automationanywhere.com/s/article/Required-properties-to-be-set-during-SSL-certificate-creation


Badge +6


Thank You @DhwanitParekhApeople ,

again, I don't have access to the article:

https://apeople.automationanywhere.com/s/article/Required-properties-to-be-set-during-SSL-certificate-creation

Could you please pass on the content? Thank you,

Badge

@MichalTurek ,

Aren't you able to register for the Apeople forum?

https://apeople.automationanywhere.com/s/?language=en_US

Go to Login.

Click Register Now.

Fill in the respective details and you should be good to register.
Nonetheless, I have posted the content of above article as well in the next reply post.

Badge


Instructions

There are basically different scenarios in which the entries for the server FQDN / Load Balancer URL / DNS Alias URL in the certificate fields vary, and the certificate generation process must be handled accordingly.

For all scenarios, the below requirements remain the same.

  1. The certificate must have the ".pfx" extension (PKCS#12 format certificate). For this, the certificate's private key must be marked as exportable while generating the certificate. Without this, the certificate will be unusable for the application.

  2. The certificate must have a complete chain in the "Certification Path" tab. (root + intermediate + server)

  3. Both third-party CA-issued and enterprise CA-issued certificates are supported.

     A third-party CA-issued certificate (must be purchased by the security team) is only required if the RPA / IQ Bot application will be accessed over the internet.

     For all internal communication, an enterprise CA-issued certificate is more than enough. It can be generated from a Base64-encoded (X.509) certificate (.cer file) if it meets the following requirements.

  4. A self-signed certificate must only be used for POC environments. For any actual environment, it does not serve the purpose and hence should not be used.

The requirements mentioned below are specific to how environments are set up.

 

If there is only one Control Room node in the environment (standalone mode setup):

  1. CR server FQDN and/or DNS alias name in the CN of the Subject field of the certificate.
  2. CR server FQDN and/or DNS alias name in the Subject Alternative Name (SAN) field of the certificate.
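A way to check a PFX against the requirements quoted above before it is handed to certmgr.jar, as an added PowerShell example that is not part of this thread or of Automation Anywhere's tooling. The script name, parameter names and check labels are this example's own choices, and the PFX path, password and host names in the sample invocation are placeholders. It covers the private key being present (a key that was not exportable never ends up in the PFX), the chain reaching a self-signed root with root + intermediate + server, and the CN / SAN carrying the Control Room FQDN or DNS alias for the standalone setup.

```powershell
# Added example (not from the thread or from Automation Anywhere): checks a PFX against
# the requirements quoted above before it is handed to certmgr.jar.
# Sample invocation (placeholder values):
#   .\Test-CrCertificate.ps1 -PfxPath 'C:\certs\cr.pfx' -PfxPassword 'placeholder' `
#       -ExpectedNames 'cr01.corp.example','cr.corp.example'
param(
    [Parameter(Mandatory = $true)] [string]   $PfxPath,
    [Parameter(Mandatory = $true)] [string]   $PfxPassword,
    # FQDN and/or DNS alias the bot machines use to reach the Control Room
    [Parameter(Mandatory = $true)] [string[]] $ExpectedNames
)

$ns = 'System.Security.Cryptography.X509Certificates'
$results = [ordered]@{}

# Requirement 1: PKCS#12 (.pfx) file. A key that was not marked exportable never makes it
# into the PFX, so "private key present" below doubles as the exportability check.
$results['pfx extension'] = ([IO.Path]::GetExtension($PfxPath) -ieq '.pfx')

$bundle = New-Object "$ns.X509Certificate2Collection"
$bundle.Import($PfxPath, $PfxPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$server = $bundle | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
$results['private key present'] = ($null -ne $server)
if ($null -eq $server) { [pscustomobject]$results; return }

# Requirement 2: complete chain (root + intermediate + server). Intermediates bundled in
# the PFX are offered through ExtraStore; revocation is skipped because this is a file check.
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ExtraStore.AddRange($bundle)
$trusted  = $chain.Build($server)
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
$top      = $elements[-1]
$results['chain reaches a self-signed root']   = ($top.Subject -eq $top.Issuer)
$results['chain depth >= 3 (root+int+server)'] = ($elements.Count -ge 3)
# False here on a bot machine means its Trusted Root store does not hold the issuing root
# yet (the situation the question describes); it is not a defect in the PFX itself.
$results['root trusted on this machine']       = $trusted
$results['chain status']                       = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')

# Standalone-setup requirements: CN and SAN carry the CR FQDN and/or DNS alias.
$cn = if ($server.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { '' }
$sanExt = $server.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san = @()
if ($sanExt) {
    # Format() yields "DNS Name=host, ..." on Windows and "DNS:host, ..." on .NET Core
    $san = @([regex]::Matches($sanExt.Format($false), 'DNS(?: Name=|:)\s*([^,\s]+)') |
             ForEach-Object { $_.Groups[1].Value })
}
$results['CN is one of the expected names'] = ($ExpectedNames -icontains $cn)
foreach ($name in $ExpectedNames) {
    $results["SAN contains $name"] = ($san -icontains $name)
}
$results['not expired'] = ($server.NotAfter -gt (Get-Date))

[pscustomobject]$results | Format-List
$bools   = @($results.Values | Where-Object { $_ -is [bool] })
$allPass = -not ($bools -contains $false)
"Overall: " + $(if ($allPass) { 'PASS' } else { 'FAIL' })
```

Run it on the Control Room server first, where the enterprise root is already trusted, to confirm the file itself is good; then run it on a bot machine. A PASS on the server but "root trusted on this machine: False" on the bot runner isolates the problem to root distribution (the GPO step from the accepted answer) rather than to the certificate request.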
