SSL/TLS Certificates - Additional Procedures
For reference, see SSL/TLS Requirements.
If required, this procedure must be completed prior to Nintex RPA server installation. Therefore, you should begin by downloading and installing OpenSSL (if not previously installed).
If you need to change an SSL certificate after installation, contact the support team.
TLS v1.3 is supported.
-
Download the OpenSSL utility from this location:
https://slproweb.com/products/Win32OpenSSL.html
-
Version to download: Win64 OpenSSL v1.1.1c Light (select the EXE file option)
-
Install using the default options provided by the installation package.
You can elect to manually prepare the additional certificate files required for Nintex RPA server installation (as opposed to letting the Nintex RPA server installation package do so). To manually prepare the certificate files, follow these steps:
-
Copy the certificate (in *.pfx format) to an easy-to-access location (e.g., Desktop) on the machine on which you will install the Nintex RPA server.
-
Double-click the *.pfx certificate.
The Windows Certificate Import Wizard will open.
-
Select the Local Machine option.
-
Confirm the file to import (the file you clicked on to open the wizard).
-
Enter the certificate password.
-
Maintain the default Import options settings.
-
Select the Automatically select the certificate store option.
-
Review your settings and click the Finish button.
You will receive a confirmation that the certificate was imported successfully.
-
From the lower left corner Windows icon, run MMC (Microsoft Management Console) as administrator.
If MMC does not pop up as an option when typing it from the Windows icon, open it instead by typing Run, then entering MMC in the Run dialog.
-
From the File menu, select Add/Remove Snap-in...
-
From the Available snap-ins list, select Certificates, and click the Add > button.
-
Select the Computer account option.
-
Select the Local computer option, then click the Finish button.
-
The Certificates snap-in will now appear in the left-hand column of the Add or Remove Snap-ins window under Console Root.
-
Click the OK button to return to the main MMC screen.
-
From the left pane (the folder tree), navigate to Console Root > Certificates (Local Computer) > Personal > Certificates.
A list of certificates will appear in the middle pane.
-
Right-click on the relevant certificate, select All Tasks > Export...
-
The Windows Certificate Export Wizard will open.
-
Select the Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) file format.
-
Save the file to an easily accessible location on the server with the name ca-bundle.p7b.
-
Review your settings and click the Finish button.
The file will be exported to the selected location, and you will receive a confirmation that the certificate was exported successfully.
-
From Windows File Explorer, navigate to the folder: C:\Program Files\OpenSSL-Win64\bin\
-
Run the file openssl.exe as administrator.
-
From the OpenSSL> command prompt, run the following command:
pkcs7 -in {p7b file location}\ca-bundle.p7b -inform DER -print_certs -out {desired file location}\ca-bundle.pem
Example:
pkcs7 -in C:\Users\localadmin\Desktop\ca-bundle.p7b -inform DER -print_certs -out C:\Users\localadmin\Desktop\ca-bundle.pem
You will be returned to the OpenSSL> command prompt, and a file called ca-bundle.pem will be created in the specified location.
-
From the OpenSSL> command prompt, run the following command:
pkcs12 -in {pfx file location}\{pfx filename}.pfx -clcerts -nokeys -out {desired file location}\{FQDN_of_RPA_Server}.crt
Example:
pkcs12 -in C:\Users\localadmin\Desktop\companydomaincom.pfx -clcerts -nokeys -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.crt
-
Enter the certificate password when prompted.
You will be returned to the OpenSSL> command prompt, and a file called {FQDN_of_RPA_Server}.crt will be created in the specified location.
-
From the OpenSSL> command prompt, run the following command:
pkcs12 -in {pfx file location}\{pfx filename}.pfx -nocerts -out {desired file location}\{FQDN_of_RPA_Server}.pem -nodes
Example:
pkcs12 -in C:\Users\localadmin\Desktop\companydomaincom.pfx -nocerts -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.pem -nodes
-
Enter the certificate password when prompted.
You will be returned to the OpenSSL> command prompt, and a file called {FQDN_of_RPA_Server}.pem will be created in the specified location.
-
From the OpenSSL> command prompt, run the following command:
rsa -in {pem file location}\{pem filename}.pem -out {desired file location}\{FQDN_of_RPA_Server}.key
NOTE: The PEM file referred to in this step is the file created in step #4 above (NOT ca-bundle.pem created in step #2).
Example:
rsa -in C:\Users\localadmin\Desktop\RPAServer.companydomain.com.pem -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.key
You will be returned to the OpenSSL> command prompt, and a file called {FQDN_of_RPA_Server}.key will be created in the specified location.
Be sure to keep all the files utilized/created in this section in an easily accessible location until after Nintex RPA server installation. You should also save them to a safe location for backup purposes.
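A check worth running once the .crt, .pem and .key files exist, shown here as an added example that is not part of the Nintex procedure: it confirms the exported key matches the certificate, reports expiry, and restricts permissions on the two key files, which the -nodes option and the rsa command leave unencrypted on disk. The folder, FQDN and OpenSSL install path are the sample values used on this page, and running from an elevated PowerShell session is an assumption.

```powershell
# Added example (not Nintex code). Paths and names are the sample values from
# this page; change them to match your files. Run from an elevated PowerShell.
$openssl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'
$dir     = 'C:\Users\localadmin\Desktop'
$fqdn    = 'RPAServer.companydomain.com'
$crt     = Join-Path $dir "$fqdn.crt"   # certificate only (-clcerts -nokeys)
$pem     = Join-Path $dir "$fqdn.pem"   # private key written with -nodes
$key     = Join-Path $dir "$fqdn.key"   # private key rewritten by "rsa"

function Get-Modulus {
    param([ValidateSet('x509', 'rsa')][string]$Kind, [string]$Path)
    # Both subcommands print a single "Modulus=<hex>" line with these options.
    $out = & $openssl $Kind -noout -modulus -in $Path 2>$null
    if ($LASTEXITCODE -ne 0) { throw "openssl could not parse $Path" }
    return @($out)[0]
}

# 1. Certificate and key belong together only if their RSA moduli are equal.
if ((Get-Modulus -Kind x509 -Path $crt) -ne (Get-Modulus -Kind rsa -Path $key)) {
    throw "Private key '$key' does not match certificate '$crt'"
}

# 2. Show subject and expiry for a manual check against the server FQDN,
#    and warn if the certificate expires within 30 days (2592000 seconds).
& $openssl x509 -noout -subject -enddate -in $crt
& $openssl x509 -noout -checkend 2592000 -in $crt | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "$crt expires within 30 days" }

# 3. Both key files are unencrypted on disk. Drop inherited permissions and
#    allow only Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
foreach ($file in $pem, $key) {
    & icacls.exe $file /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $file" }
}
Write-Output "Certificate and key match; key file permissions restricted."
```

The permission change assumes the Nintex RPA server installer runs elevated and can therefore still read the files.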