SSL/TLS Certificates - Additional Procedures
For reference, see SSL/SSL/TLS Requirements.
If required, this procedure must be completed prior to Nintex RPA server installation. Therefore, you should begin by downloading and installing OpenSSL (if not previously installed).
If you need to change an SSL certificate after installation, contact the support team.
TLS v1.3 is supported.
Install OpenSSL
-
Download the OpenSSL utility from this location:
https://slproweb.com/products/Win32OpenSSL.html
-
Version to download: Win64 OpenSSL v1.1.1c Light (select the EXE file option)
-
-
Install using the default options provided by the installation package
Manually creating individual certificate files
You can elect to manually prepare the additional certificate files required for Nintex RPA server installation (as opposed to letting the Nintex RPA server installation package do so). To manually prepare the certificate files, follow these steps:
Step 1: Install the *.pfx certificate to the Windows certificate store
-
Copy the certificate (in *.pfx format) to an easy-to-access location (e.g., Desktop) on the machine on which you will install the Nintex RPA server
-
Double-click the *.pfx certificate
The Windows Certificate Import Wizard will open
-
Select the Local Machine option
-
Confirm the file to import (the file you clicked on to open the wizard)
-
Enter the certificate password
-
Maintain the default Import options settings
-
Select the Automatically select the certificate store option
-
Review your settings and click the Finish button
You will receive a confirmation that the certificate was imported successfully
Step 2: Export the certificate in *.p7b format
-
From the lower left corner Windows icon, run MMC (Microsoft Management Console) as administrator
If MMC does not pop up as an option when typing it from the Windows icon, open it instead by typing Run, then entering MMC in the Run dialog.
-
From the File menu, select Add/Remove Snap-in...
-
From the Available snap-ins list, select Certificates, and click the Add > button
-
Select the Computer account option
-
Select the Local computer option, then click the Finish button
-
The Certificates snap-in will now appear in the left-hand column of the Add or Remove Snap-ins window under Console Root
-
Click the OK button to return to the main MMC screen
-
From the left pane (the folder tree), navigate to Console Root > Certificates (Local Computer) > Personal > Certificates
A list of certificates will appear in the middle pane.
-
Right-click on the relevant certificate, select All Tasks > Export...
-
The Windows Certificate Export Wizard will open
-
Select the Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) file format
-
Save the file to an easily-accessible location on the server with the nameca-bundle.p7b
-
Review your settings and click the Finish button
The file will be exported to the selected location, and you will receive a confirmation that the certificate was exported successfully
Step 3: Create the file: ca-bundle.pem
-
From Windows File Explorer, navigate to the folder: C:\Program Files\OpenSSL-Win64\bin\
-
Run the file openssl.exe as administrator
-
From the
OpenSSL>
command prompt, run the following command:pkcs7 -in {p7b file location}\ca-bundle.p7b -inform DER -print_certs -out {desired file location}\ca-bundle.pem
-
Example:
pkcs7 -in C:\Users\localadmin\Desktop\ca-bundle.p7b -inform DER -print_certs -out C:\Users\localadmin\Desktop\ca-bundle.pem
You will be returned to the
OpenSSL>
command prompt, and a file calledca-bundle.pem
will be created in the specified location -
Step 4: Create a CRT file
-
From the
OpenSSL>
command prompt, run the following command:pkcs12 -in {pfx file location}\{pfx filename}.pfx -clcerts -nokeys -out {desired file location}\{FQDN_of_RPA_Server}.crt
-
Example:
pkcs12 -in C:\Users\localadmin\Desktop\companydomaincom.pfx -clcerts -nokeys -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.crt
-
-
Enter the certificate password when prompted
You will be returned to the
OpenSSL>
command prompt, and a file called{FQDN_of_RPA_Server}.crt
will be created in the specified location
Step 5: Create a PEM file
-
From the
OpenSSL>
command prompt, run the following command:pkcs12 -in {pfx file location}\{pfx filename}.pfx -nocerts -out {desired file location}\{FQDN_of_RPA_Server}.pem -nodes
-
Example:
pkcs12 -in C:\Users\localadmin\Desktop\companydomaincom.pfx -nocerts -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.pem -nodes
-
-
Enter the certificate password when prompted
You will be returned to the
OpenSSL>
command prompt, and a file called{FQDN_of_RPA_Server}.pem
will be created in the specified location
Step 6: Create a KEY file
-
From the
OpenSSL>
command prompt, run the following command:rsa -in {pem file location}\{pem filename}.pem -out {desired file location}\{FQDN_of_RPA_Server}.key
NOTE: The PEM file referred to in this step is the file created in step #4 above (NOT
ca-bundle.pem
created in step #2)-
Example:
rsa -in C:\Users\localadmin\Desktop\RPAServer.companydomain.com.pem -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.key
You will be returned to the
OpenSSL>
command prompt, and a file called{FQDN_of_RPA_Server}.key
will be created in the specified location -
Be sure to keep all the files utilized/created in this section in an easily accessible location until after Nintex RPA server installation. You should also save them to a safe location for backup purposes.
-Take me back to the relevant step in the Nintex RPA Installation Guide-