Using SSL/TLS with RPA
The following are some of the things you may need to know when utilizing SSL/TLS with RPA:
If required, this procedure must be completed prior to Nintex RPA server installation. Therefore, you should begin by downloading and installing OpenSSL (if not previously installed).
If you need to change the SSL certificate after installation, run System Manager and select the repair option. You will have the opportunity to attach the updated SSL certificate during the repair process.
SSL/TLS requirements
If you want to install the Nintex RPA Platform using SSL/TLS, you have to attach your organization's certificate during installation. The certificate must meet the following requirements:
Requirement | Details
File format | PKCS #12 in PFX format (bundles a private key with its X.509 certificate). If the PFX file is password-protected, the customer must know the password. The certificate must be capable of being installed in the server machine's local Personal certificate store.
Issuer | Signed by a known, valid certificate authority (public CA or private CA)
Public key | RSA 2048+
Signature hash | SHA256
Enhanced key usage | Server Authentication or Multipurpose
Certificate expiration date | It is the customer's responsibility to make sure certificates are kept up to date
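The following PowerShell script is an added example, not part of the Nintex documentation, that checks a PFX file against the requirements in the table above before the installation is started, using the .NET X509Certificate2 class that ships with Windows. The PFX path and password are assumed to be supplied by the caller, and the 30-day expiry warning threshold is an illustrative choice, not a value from the page.

```powershell
# Added example (not Nintex code): validate a PFX against the SSL/TLS requirements table.
# Assumptions: caller supplies -PfxPath and -PfxPassword; 30-day warning threshold is illustrative.
param(
    [Parameter(Mandatory = $true)][string]$PfxPath,
    [Parameter(Mandatory = $true)][securestring]$PfxPassword
)
$ErrorActionPreference = 'Stop'

# Load the PFX (certificate + private key) without adding it to a persistent store.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            (Resolve-Path $PfxPath).Path, $PfxPassword, $flags)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# File format: a PFX must bundle the private key with the certificate.
Add-Check 'File format: PFX contains private key' $cert.HasPrivateKey "HasPrivateKey=$($cert.HasPrivateKey)"

# Public key: RSA with a modulus of at least 2048 bits.
$rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keyOk = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)
$keySize = if ($rsa) { $rsa.KeySize } else { 'n/a' }
Add-Check 'Public key: RSA 2048+' $keyOk "Algorithm=$($cert.PublicKey.Oid.FriendlyName), KeySize=$keySize"

# Signature hash: the signature algorithm name reads e.g. sha256RSA.
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
Add-Check 'Signature hash: SHA256' ($sigAlg -like 'sha256*') "SignatureAlgorithm=$sigAlg"

# Enhanced key usage: Server Authentication (OID 1.3.6.1.5.5.7.3.1), or no EKU extension
# at all, which Windows treats as valid for all purposes ("Multipurpose").
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$eku = $cert.Extensions |
       Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($null -eq $eku) {
    Add-Check 'EKU: Server Authentication or Multipurpose' $true 'No EKU extension present (all purposes)'
} else {
    $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    Add-Check 'EKU: Server Authentication or Multipurpose' ($oids -contains $serverAuthOid) ('EKU OIDs: ' + ($oids -join ', '))
}

# Issuer: the chain must build to a CA trusted on this machine (public or private CA).
$chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chainOk = $chain.Build($cert)
$chainDetail = if ($chainOk) { 'chain builds to a trusted root' }
               else { ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ' }
Add-Check 'Issuer: signed by a known, valid CA' $chainOk "Issuer=$($cert.Issuer); $chainDetail"

# Expiration: currently within its validity period; warn when renewal is due soon.
$now      = Get-Date
$validNow = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
Add-Check 'Expiration: certificate currently valid' $validNow "NotBefore=$($cert.NotBefore), NotAfter=$($cert.NotAfter)"
$daysLeft = [int]($cert.NotAfter - $now).TotalDays
if ($daysLeft -lt 30) { Write-Warning "Certificate expires in $daysLeft day(s); plan renewal." }

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'One or more certificate requirements are not met.'
    exit 1
}
```

Run it as .\Test-RpaCertificate.ps1 -PfxPath .\companydomaincom.pfx -PfxPassword (Read-Host -AsSecureString) on the machine that will host the Nintex RPA server, since the issuer check depends on which root CAs that machine trusts.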
Install OpenSSL
- Download the OpenSSL utility from this location: https://slproweb.com/products/Win32OpenSSL.html
- Version to download: Win64 OpenSSL v1.1.1c Light (select the EXE file option)
- Install using the default options provided by the installation package.
Manually creating individual certificate files
You can elect to manually prepare the additional certificate files required for Nintex RPA server installation (as opposed to letting the Nintex RPA server installation package do so). To manually prepare the certificate files, follow these steps:
- Copy the certificate (in *.pfx format) to an easy-to-access location (e.g., Desktop) on the machine on which you will install the Nintex RPA server.
- Double-click the *.pfx certificate. The Windows Certificate Import Wizard will open.
- Select the Local Machine option.
- Confirm the file to import (the file you clicked on to open the wizard).
- Enter the certificate password.
- Maintain the default Import options settings.
- Select the Automatically select the certificate store option.
- Review your settings and click the Finish button. You will receive a confirmation that the certificate was imported successfully.
- From the lower left corner Windows icon, run MMC (Microsoft Management Console) as administrator. If MMC does not appear as an option when you type it from the Windows icon, open it instead by typing Run, then entering MMC in the Run dialog.
- From the File menu, select Add/Remove Snap-in...
- From the Available snap-ins list, select Certificates, and click the Add > button.
- Select the Computer account option.
- Select the Local computer option, then click the Finish button.
- The Certificates snap-in will now appear in the left-hand column of the Add or Remove Snap-ins window under Console Root.
- Click the OK button to return to the main MMC screen.
- From the left pane (the folder tree), navigate to Console Root > Certificates (Local Computer) > Personal > Certificates. A list of certificates will appear in the middle pane.
- Right-click on the relevant certificate and select All Tasks > Export... The Windows Certificate Export Wizard will open.
- Select the Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) file format.
- Save the file to an easily accessible location on the server with the name ca-bundle.p7b.
- Review your settings and click the Finish button. The file will be exported to the selected location, and you will receive a confirmation that the certificate was exported successfully.
- From Windows File Explorer, navigate to the folder C:\Program Files\OpenSSL-Win64\bin\
- Run the file openssl.exe as administrator.
- From the OpenSSL> command prompt, run the following command:
  pkcs7 -in {p7b file location}\ca-bundle.p7b -inform DER -print_certs -out {desired file location}\ca-bundle.pem
  Example:
  pkcs7 -in C:\Users\localadmin\Desktop\ca-bundle.p7b -inform DER -print_certs -out C:\Users\localadmin\Desktop\ca-bundle.pem
  You will be returned to the OpenSSL> command prompt, and a file called ca-bundle.pem will be created in the specified location.
- From the OpenSSL> command prompt, run the following command:
  pkcs12 -in {pfx file location}\{pfx filename}.pfx -clcerts -nokeys -out {desired file location}\{FQDN_of_RPA_Server}.crt
  Example:
  pkcs12 -in C:\Users\localadmin\Desktop\companydomaincom.pfx -clcerts -nokeys -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.crt
- Enter the certificate password when prompted. You will be returned to the OpenSSL> command prompt, and a file called {FQDN_of_RPA_Server}.crt will be created in the specified location.
- From the OpenSSL> command prompt, run the following command:
  pkcs12 -in {pfx file location}\{pfx filename}.pfx -nocerts -out {desired file location}\{FQDN_of_RPA_Server}.pem -nodes
  Example:
  pkcs12 -in C:\Users\localadmin\Desktop\companydomaincom.pfx -nocerts -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.pem -nodes
- Enter the certificate password when prompted. You will be returned to the OpenSSL> command prompt, and a file called {FQDN_of_RPA_Server}.pem will be created in the specified location.
- From the OpenSSL> command prompt, run the following command:
  rsa -in {pem file location}\{pem filename}.pem -out {desired file location}\{FQDN_of_RPA_Server}.key
  NOTE: The PEM file referred to in this step is the {FQDN_of_RPA_Server}.pem file created in the previous pkcs12 step (NOT the ca-bundle.pem file created by the pkcs7 step).
  Example:
  rsa -in C:\Users\localadmin\Desktop\RPAServer.companydomain.com.pem -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.key
  You will be returned to the OpenSSL> command prompt, and a file called {FQDN_of_RPA_Server}.key will be created in the specified location.
Be sure to keep all the files utilized/created in this section in an easily accessible location until after Nintex RPA server installation. You should also save them to a safe location for backup purposes. Note that the {FQDN_of_RPA_Server}.pem and {FQDN_of_RPA_Server}.key files contain the private key in unencrypted form (the -nodes option removes the password), so restrict access to them and to their backups.
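The PowerShell script below is an added example, not part of the Nintex documentation, that runs the same four openssl commands as the manual steps above and then confirms that the exported certificate and key belong together by comparing their RSA moduli. It assumes openssl.exe is at the default install path from the Install OpenSSL section, that ca-bundle.p7b has already been exported from MMC as described above, and that the PFX path, P7B path, server FQDN and output folder are supplied by the caller; the script and parameter names are illustrative.

```powershell
# Added example (not Nintex code): automate the OpenSSL conversion steps and verify the result.
# Assumptions: openssl.exe at the default Win64 install path; ca-bundle.p7b already exported;
# -PfxPath, -P7bPath, -Fqdn and -OutDir are caller-supplied (names are illustrative).
param(
    [Parameter(Mandatory = $true)][string]$PfxPath,
    [Parameter(Mandatory = $true)][string]$P7bPath,
    [Parameter(Mandatory = $true)][string]$Fqdn,   # e.g. RPAServer.companydomain.com
    [string]$OutDir  = (Join-Path $env:USERPROFILE 'Desktop'),
    [string]$OpenSsl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path $OpenSsl)) { throw "openssl.exe not found at $OpenSsl" }

$caBundle = Join-Path $OutDir 'ca-bundle.pem'
$crt      = Join-Path $OutDir "$Fqdn.crt"
$pem      = Join-Path $OutDir "$Fqdn.pem"
$key      = Join-Path $OutDir "$Fqdn.key"

# Prompt once for the PFX password and hand it to openssl through an environment variable
# (-passin env:NAME) so it never appears on a command line or in shell history.
$securePwd    = Read-Host -AsSecureString 'PFX password'
$env:PFX_PASS = [System.Net.NetworkCredential]::new('', $securePwd).Password

function Invoke-OpenSsl([string[]]$Arguments) {
    & $OpenSsl @Arguments
    if ($LASTEXITCODE -ne 0) { throw "openssl $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

try {
    # CA bundle: PKCS #7 (DER, as exported by the Windows wizard) -> PEM
    Invoke-OpenSsl @('pkcs7', '-in', $P7bPath, '-inform', 'DER', '-print_certs', '-out', $caBundle)
    # Server certificate only (no key)
    Invoke-OpenSsl @('pkcs12', '-in', $PfxPath, '-clcerts', '-nokeys', '-out', $crt, '-passin', 'env:PFX_PASS')
    # Private key only, written unencrypted (-nodes)
    Invoke-OpenSsl @('pkcs12', '-in', $PfxPath, '-nocerts', '-nodes', '-out', $pem, '-passin', 'env:PFX_PASS')
    # Convert the PKCS#8 key from the previous step to a plain RSA key file
    Invoke-OpenSsl @('rsa', '-in', $pem, '-out', $key)
}
finally {
    # Do not leave the password in the environment of this session.
    Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
}

# Verification: the public modulus in the .crt must equal the modulus of the .key;
# a mismatch means the wrong PFX or the wrong PEM file was used in one of the steps.
$certMod = & $OpenSsl x509 -noout -modulus -in $crt
$keyMod  = & $OpenSsl rsa  -noout -modulus -in $key
if ($certMod -ne $keyMod) { throw "Certificate $crt and key $key do not match." }
Write-Host "Created in $OutDir : ca-bundle.pem, $Fqdn.crt, $Fqdn.pem, $Fqdn.key (certificate/key modulus match)"
```

Run it from an elevated PowerShell prompt, for example .\Convert-RpaCertificate.ps1 -PfxPath C:\Users\localadmin\Desktop\companydomaincom.pfx -P7bPath C:\Users\localadmin\Desktop\ca-bundle.p7b -Fqdn RPAServer.companydomain.com; the resulting files are the same four the manual steps produce, and the modulus check at the end catches the most common mistake, feeding ca-bundle.pem instead of the server PEM into the rsa step.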