SSL/TLS Certificates - Additional Procedures
For reference, see SSL/SSL/TLS Requirements.
If required, this procedure must be completed prior to Nintex RPA server installation. Therefore, you should begin by downloading and installing OpenSSL (if not previously installed).
If you need to change an SSL certificate after installation, contact the support team.
TLS v1.2 is supported.
Install OpenSSL
-
Download the OpenSSL utility from this location:
https://slproweb.com/products/Win32OpenSSL.html
-
Version to download: Win64 OpenSSL v1.1.1c Light (select the EXE file option)
-
-
Install using the default options provided by the installation package
Manually creating individual certificate files
You can elect to manually prepare the additional certificate files required for Nintex RPA server installation (as opposed to letting the Nintex RPA server installation package do so). To manually prepare the certificate files, follow these steps:
Step 1: Install the *.pfx certificate to the Windows certificate store
-
Copy the certificate (in *.pfx format) to an easy-to-access location (e.g., Desktop) on the machine on which you will install the Nintex RPA server
-
Double-click the *.pfx certificate
The Windows Certificate Import Wizard will open
-
Select the Local Machine option
/Installation and Upgrade_74.png)
-
Confirm the file to import (the file you clicked on to open the wizard)
/Installation and Upgrade_75.png)
-
Enter the certificate password
-
Maintain the default Import options settings
/Installation and Upgrade_76.png)
-
Select the Automatically select the certificate store option
/Installation and Upgrade_77.png)
-
Review your settings and click the Finish button
/Installation and Upgrade_78.png)
You will receive a confirmation that the certificate was imported successfully
Step 2: Export the certificate in *.p7b format
-
From the lower left corner Windows icon, run MMC (Microsoft Management Console) as administrator
If MMC does not pop up as an option when typing it from the Windows icon, open it instead by typing Run, then entering MMC in the Run dialog.
-
From the File menu, select Add/Remove Snap-in...
-
From the Available snap-ins list, select Certificates, and click the Add > button
/Installation and Upgrade_79.png)
-
Select the Computer account option
/Installation and Upgrade_80.png)
-
Select the Local computer option, then click the Finish button
/Installation and Upgrade_81.png)
-
The Certificates snap-in will now appear in the left-hand column of the Add or Remove Snap-ins window under Console Root
/Installation and Upgrade_82.png)
-
Click the OK button to return to the main MMC screen
-
From the left pane (the folder tree), navigate to Console Root > Certificates (Local Computer) > Personal > Certificates
A list of certificates will appear in the middle pane.
-
Right-click on the relevant certificate, select All Tasks > Export...
/Installation and Upgrade_83.png)
-
The Windows Certificate Export Wizard will open
/Installation and Upgrade_84.png)
-
Select the Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) file format
/Installation and Upgrade_85.png)
-
Save the file to an easily-accessible location on the server with the nameca-bundle.p7b
/Installation and Upgrade_86.png)
-
Review your settings and click the Finish button
/Installation and Upgrade_87.png)
The file will be exported to the selected location, and you will receive a confirmation that the certificate was exported successfully
Step 3: Create the file: ca-bundle.pem
-
From Windows File Explorer, navigate to the folder: C:\Program Files\OpenSSL-Win64\bin\
-
Run the file openssl.exe as administrator
-
From the
OpenSSL>command prompt, run the following command:pkcs7 -in {p7b file location}\ca-bundle.p7b -inform DER -print_certs -out {desired file location}\ca-bundle.pem-
Example:
pkcs7 -in C:\Users\localadmin\Desktop\ca-bundle.p7b -inform DER -print_certs -out C:\Users\localadmin\Desktop\ca-bundle.pem
You will be returned to the
OpenSSL>command prompt, and a file calledca-bundle.pemwill be created in the specified location -
Step 4: Create a CRT file
-
From the
OpenSSL>command prompt, run the following command:pkcs12 -in {pfx file location}\{pfx filename}.pfx -clcerts -nokeys -out {desired file location}\{FQDN_of_RPA_Server}.crt-
Example:
pkcs12 -in C:\Users\localadmin\Desktop\companydomaincom.pfx -clcerts -nokeys -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.crt
-
-
Enter the certificate password when prompted
You will be returned to the
OpenSSL>command prompt, and a file called{FQDN_of_RPA_Server}.crtwill be created in the specified location
Step 5: Create a PEM file
-
From the
OpenSSL>command prompt, run the following command:pkcs12 -in {pfx file location}\{pfx filename}.pfx -nocerts -out {desired file location}\{FQDN_of_RPA_Server}.pem -nodes-
Example:
pkcs12 -in C:\Users\localadmin\Desktop\companydomaincom.pfx -nocerts -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.pem -nodes
-
-
Enter the certificate password when prompted
You will be returned to the
OpenSSL>command prompt, and a file called{FQDN_of_RPA_Server}.pemwill be created in the specified location
Step 6: Create a KEY file
-
From the
OpenSSL>command prompt, run the following command:rsa -in {pem file location}\{pem filename}.pem -out {desired file location}\{FQDN_of_RPA_Server}.keyNOTE: The PEM file referred to in this step is the file created in step #4 above (NOT
ca-bundle.pemcreated in step #2)-
Example:
rsa -in C:\Users\localadmin\Desktop\RPAServer.companydomain.com.pem -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.key
You will be returned to the
OpenSSL>command prompt, and a file called{FQDN_of_RPA_Server}.keywill be created in the specified location -
Be sure to keep all the files utilized/created in this section in an easily accessible location until after Nintex RPA server installation. You should also save them to a safe location for backup purposes.
-Take me back to the relevant step in the Nintex RPA Installation Guide-